Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/11/18 18:27:16 UTC
DO NOT REPLY [Bug 48228] New: Renegotiation requires multiple client authentication on mod_autoindex listings
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
Summary: Renegotiation requires multiple client authentication on mod_autoindex listings
Product: Apache httpd-2
Version: 2.2.13
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: jmdesp@gmail.com
Created an attachment (id=24558)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24558)
The error log with LogLevel debug
After connecting to a URL without client authentication, connecting to a URL
that requires it and lists the content of a directory using mod_autoindex
starts an SSL renegotiation several times instead of only once.
Reloading that page starts the SSL renegotiation again.
The reproduction procedure is almost the same as for bug 48215.
I changed the SSLVerifyDepth location, and switched to NULL encryption to make
analyzing the SSL traffic easier (despite having the key, tshark sometimes fails
to decrypt).
- edit the default httpd.conf and add/replace the following in the default
configuration:
Listen *:443
LoadModule ssl_module modules/mod_ssl.so
LoadModule autoindex_module modules/mod_autoindex.so
SSLSessionCache "shmcb:${path}/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 3000
SSLCipherSuite NULL+RSA+SHA1
# Use this instead if you don't need the clear text traffic
# SSLCipherSuite AES+RSA+SHA1
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile "${path}/apache/conf/authentication.cer"
    SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
    SSLVerifyDepth 0
    <Location /authentication/>
        SSLVerifyClient optional_no_ca
    </Location>
    DocumentRoot "${path}/www"
</VirtualHost>
- create an index.html file in /www
<html><head><title>authentication test</title></head>
<body>authentication test<hr>
<a href="/authentication">authentication link</a>
</body></html>
- create /www/authentication
- create 10 files inside authentication, 1.html through 10.html; the content of
the files is not important
- If you have the NULL cipher suite configured:
Inside firefox, in about:config, set security.ssl3.rsa_null_sha to true
(you'll need to set this value to false again later for security)
- connect firefox to /
- follow the link on the page to /authentication
- You'll need a client certificate (a sample p12 is included in the repro
files)
- Have the "remember certificate" option unchecked
- Apache will immediately request authentication a second time
- Reload the page with the reload button
- Apache will request authentication again two times in a row (in bug 48215,
reloading the page does not cause the same problem)
The big plus of NULL encryption is that with it, the "(BIO dump follows)" entries
in error_log show all the HTTP traffic in the clear.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
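As an added example (not part of the bug report and not httpd's own code): a small checker that reads mod_ssl error_log lines written with LogLevel debug and counts how often a renegotiation is requested on each connection, which is the symptom reported here (more than one client-certificate renegotiation per connection instead of only one). The log lines are constructed and modelled on the httpd 2.2 error_log format; the exact message wording and the use of the "Connection to child ... established" line as a connection boundary are assumptions.

```python
import re
from collections import defaultdict

# Apache 2.2 error_log line: [date] [level] [source(line):] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\S+\(\d+\): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# mod_ssl debug message logged when a per-location SSLVerifyClient forces a
# renegotiation (wording assumed, modelled on mod_ssl 2.2)
RENEG_MSG = "Requesting connection re-negotiation"
# Marks a new TLS connection (wording assumed); the client address is inside the
# message, not in a [client ...] prefix
NEW_CONN_RE = re.compile(r"^Connection to child \d+ established \(.*client (?P<client>[^)]+)\)")

# Constructed sample: 127.0.0.1 renegotiates three times on one connection (the
# symptom in this report); 10.0.0.5 renegotiates once, which is the expected case.
SAMPLE_LOG = """\
[Wed Nov 18 18:27:10 2009] [info] Connection to child 0 established (server localhost:443, client 127.0.0.1)
[Wed Nov 18 18:27:10 2009] [debug] ssl_engine_kernel.c(442): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:27:11 2009] [debug] ssl_engine_kernel.c(442): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:27:11 2009] [debug] ssl_engine_kernel.c(442): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:27:20 2009] [info] Connection to child 1 established (server localhost:443, client 10.0.0.5)
[Wed Nov 18 18:27:20 2009] [debug] ssl_engine_kernel.c(442): [client 10.0.0.5] Requesting connection re-negotiation
"""

def parse_line(line):
    """Split one error_log line into fields; None for non-matching lines (e.g. BIO dump bodies)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def renegotiations_per_connection(lines):
    """Return {(client, connection_no): renegotiation_count}; a new connection from
    the same client starts a fresh counter."""
    conn_no, counts = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        new_conn = NEW_CONN_RE.match(rec["msg"])
        if new_conn:
            conn_no[new_conn["client"]] += 1
        elif rec["client"] and RENEG_MSG in rec["msg"]:
            counts[(rec["client"], conn_no[rec["client"]])] += 1
    return dict(counts)

def flag_excess(counts, limit=1):
    """Connections renegotiating more than `limit` times: one client-certificate
    request per connection is the normal case, more is the symptom."""
    return {key: n for key, n in counts.items() if n > limit}
```

Run it over a real error_log produced with LogLevel debug (as attached to this bug) by passing the file's lines to renegotiations_per_connection and feeding the result to flag_excess.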
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
jmdesp@gmail.com changed:
What       | Removed | Added
-----------+---------+------
Depends on |         | 48215
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
Joe Orton <jo...@redhat.com> changed:
What                         | Removed                  | Added
-----------------------------+--------------------------+-----------
Attachment #24563 mime type  | application/octet-stream | text/plain
Attachment #24563 is patch   | 0                        | 1
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
Bug 48228 depends on bug 48215, which changed state.
Bug 48215 Summary: Renegotiation with SSLVerifyDepth 0 requires multiple client authentication
https://issues.apache.org/bugzilla/show_bug.cgi?id=48215
What       | Old Value | New Value
-----------+-----------+----------
Status     | NEW       | RESOLVED
Resolution |           | FIXED
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
--- Comment #1 from jmdesp@gmail.com 2009-11-18 09:35:44 UTC ---
(From update of attachment 24558)
As NULL encryption is used, all the requests from the client can be seen.
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
Joe Orton <jo...@redhat.com> changed:
What                        | Removed                  | Added
----------------------------+--------------------------+-----------
Attachment #24558 mime type | application/octet-stream | text/plain
DO NOT REPLY [Bug 48228] Renegotiation requires multiple client authentication on mod_autoindex listings
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
--- Comment #2 from Joe Orton <jo...@redhat.com> 2009-11-19 00:23:35 UTC ---
Created an attachment (id=24563)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24563)
debugging patch
Part of this is probably bug 47055.
I'm not sure why the initial renegotiation is forced, though - it's for a
subrequest but it isn't obvious why.
Can you rebuild with this patch applied to mod_ssl, and attach the new
error_log produced?