Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/01/27 11:27:22 UTC
DO NOT REPLY [Bug 52542] New: Mod_rewrite can't access to SSL
variables on initial request
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
Bug #: 52542
Summary: Mod_rewrite can't access to SSL variables on initial
request
Product: Apache httpd-2
Version: 2.2.21
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_rewrite
AssignedTo: bugs@httpd.apache.org
ReportedBy: aansel@denyall.com
Classification: Unclassified
I have to use data from the peer certificate in my RewriteConds like this:
RewriteCond %{LA-U:SSL_Client_I_DN_CN} my_domain [OR]
RewriteCond %{SSL:SSL_Client_I_DN_CN} my_domain
...
but this data can't be accessed on an initial request ( [Thu Jan 26 17:39:20
2012] [info] Initial (No.1) HTTPS request received for child 28 ), so my
RewriteCond doesn't match even if the peer certificate is correctly sent
(error 404). The values are always an empty string in the initial request, but
they are always correctly retrieved by subsequent requests (Subsequent (No.14)
HTTPS request received for child 26 ... ).
So my RewriteRules are not applied on each first access to a resource, and
sometimes after that when the initial request thread (process ?!?) handles the
request again.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
Ruediger Pluem <rp...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |INVALID
--- Comment #6 from Ruediger Pluem <rp...@apache.org> 2012-02-07 12:37:34 UTC ---
(In reply to comment #5)
> The Apache is used in ReverseProxy mode ( but i have commented ProxyPass and
> ProxyPassReverse directives because they didn't work with the RewriteRules )
>
> Some stuff of the configurations
>
> <VirtualHost *:*>
> SSLEngine On
> RewriteEngine On
> </VirtualHost>
>
> <Location/>
> SSLVerifyClient require
> SSLVerifyDepth 1
This causes a renegotiation later on and is bogus since you require the client
cert for the whole virtual server. Move the above two directives on virtual
host level and everything works fine. So in fact it is not a bug, but a wrong
configuration.
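The layout recommended in comment #6, as a configuration sketch. This is an added example, not configuration posted in the thread; ServerName, the certificate paths, the log file name and the backend URL are placeholders, and the proxying RewriteRule is an assumption based on the reporter's reverse-proxy setup.

```apache
# Added example. Hostname, file paths and backend URL are placeholders.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine On
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # CA that issues the client certificates (placeholder path)
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    # Client verification at virtual-host level: the certificate is requested
    # during the first handshake, so the SSL variables are already populated
    # when the server-context RewriteConds below are evaluated.
    SSLVerifyClient require
    SSLVerifyDepth  1

    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_I_DN_CN} my_domain
    # Hypothetical backend; [P] requires mod_proxy and mod_proxy_http
    RewriteRule ^/(.*)$ http://backend.example.test/$1 [P,L]

    # Check suggested in comment #4: log the issuer CN for every request.
    # A "-" on the first request of a connection means the certificate was
    # not yet available at that point.
    LogFormat "%h %t \"%r\" %>s issuer_cn=%{SSL_CLIENT_I_DN_CN}x" clientcert
    CustomLog logs/clientcert_log clientcert

    <Location />
        # SSLVerifyClient / SSLVerifyDepth were set here in the reported
        # configuration, which defers the certificate request to a
        # per-location renegotiation after the server-level rewrite phase.
        SSLOptions +StdEnvVars +ExportCertData
        RequestHeader set Remote-Name "%{SSL_CLIENT_S_DN}s"
        RequestHeader set Remote-Name-Client "%{SSL_CLIENT_S_DN_CN}s"
        RequestHeader set Remote-CA "%{SSL_CLIENT_I_DN_CN}s"
    </Location>
</VirtualHost>
```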
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
--- Comment #1 from Eric Covener <co...@gmail.com> 2012-01-27 12:09:13 UTC ---
It makes sense that the SSL var is not available timing wise, and the lookahead
feature only gets env vars not SSL vars.
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
--- Comment #5 from Aurélien Ansel <aa...@denyall.com> 2012-02-06 13:32:28 UTC ---
The Apache is used in ReverseProxy mode (but I have commented out the ProxyPass
and ProxyPassReverse directives because they didn't work with the RewriteRules).
Some stuff of the configurations:
<VirtualHost *:*>
    SSLEngine On
    RewriteEngine On
</VirtualHost>
<Location/>
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData
    RequestHeader set Remote-Name "%{SSL_CLIENT_S_DN}s"
    RequestHeader set Remote-Name-Client "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set Remote-CA "%{SSL_CLIENT_I_DN_CN}s"
</Location>
I can't run tests with CustomLog for now, but later I will, and I will post the
results here.
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
--- Comment #3 from Eric Covener <co...@gmail.com> 2012-01-27 15:10:01 UTC ---
> Why shouldn't it be available at this point of time?
sorry, was confused re: envvars vs ssl vars and how they're spilled over in
fixups.
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
Kaspar Brand <as...@velox.ch> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
--- Comment #4 from Kaspar Brand <as...@velox.ch> 2012-02-04 07:51:10 UTC ---
(In reply to comment #2)
> So I guess we need to see the whole configuration and not just the RewriteCond snippet.
I agree. In particular, we should know in what context these RewriteConds
appear, and what SSLVerifyClient is set to at that point.
If you log %{SSL_CLIENT_I_DN_CN}x with a CustomLog, does it also appear as "-"
for the initial request?
DO NOT REPLY [Bug 52542] Mod_rewrite can't access to SSL variables
on initial request
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52542
--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2012-01-27 15:00:48 UTC ---
(In reply to comment #1)
> It makes sense that the SSL var is not available timing wise, and the lookahead
> feature only gets env vars not SSL vars.
Why shouldn't it be available at this point of time? The handshake has already
happened, provided there is no directory based SSLRequire in combination with a
global rewrite rule. So I guess we need to see the whole configuration and not
just the RewriteCond snippet.