Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/03/30 15:46:36 UTC

DO NOT REPLY [Bug 39154] New: - Problem with webdav over SSL with client certificate authentication

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39154>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39154

           Summary: Problem with webdav over SSL with client certificate
                    authentication
           Product: Apache httpd-2
           Version: 2.2.0
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: gmeinusch@yahoo.de


I have a problem with Apache 2.2.0 + mod_ssl and mod_dav.
If I try to upload a file over a Client-Certificate secured connection to a
Webdav-folder on the Apache-Server, I get an unspecified error on the Webdav-client
(MS Explorer) and a "request body exceeds maximum size for SSL buffer" error on
the Apache side.
If I take off the Client-Certificate-Authentication, everything works fine.

I think that is a bug in the mod_ssl module.

Thanks
Gregory


----------------
Logfile:

Error.log
[Thu Mar 30 13:25:26 2006] [error] [client 217.228.63.33] request body exceeds
maximum size for SSL buffer
[Thu Mar 30 13:25:26 2006] [error] [client 217.228.63.33] could not buffer
message body to allow SSL renegotiation to proceed

access.log
217.228.63.33 - - [30/Mar/2006:13:25:15 +0200] "PROPFIND /freunde/upload/test
HTTP/1.1" 207 853 "-" "Microsoft Data Access Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:15 +0200] "PROPFIND /freunde/upload/test
HTTP/1.1" 207 963 "-" "Microsoft Data Access Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:20 +0200] "HEAD
/freunde/upload/test/test.jpg HTTP/1.1" 404 - "-" "Microsoft Data Access
Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:20 +0200] "PUT
/freunde/upload/test/test.jpg HTTP/1.1" 413 1090 "-" "Microsoft Data Access
Internet Publishing Provider DAV"

----------------
Configuration:
http.conf:

<VirtualHost 80.xx.xx.xx:443>
    ServerName   www.xxxxxxx.de

    DocumentRoot /home/xxxxxxx.de/httpsdocs
    CustomLog    /home/xxxxxxx.de/statistics/logs/access_ssl.log
    CustomLog    /home/xxxxxxx.de/statistics/logs/request_ssl.log \
                 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog     /home/xxxxxxx.de/statistics/logs/error_ssl.log

    SSLEngine on
    SSLOptions +StrictRequire
. . .
    DavLockDB /home/xxxxxx.de/conf/webdav/lockdb

    Alias /freunde/upload /home/xxxxxx.de/webdav/freunde
    <Directory /home/xxxxxx.de/webdav/freunde>
        SSLVerifyClient require
        SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ and %{SSL_CLIENT_S_DN_O} eq "Xxxxxx" &&  %{SSL_CLIENT_S_DN_CN} in {"Gregor Meinusch"} )

        Dav On
        <LimitExcept GET HEAD OPTIONS>
        </LimitExcept>

        Options +SymLinksIfOwnerMatch -Includes -ExecCGI
    </Directory>

. . .
</virtualhost>



Ssl-global.conf
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin

#SSLSessionCache        nonenotnull
#SSLSessionCache        dbm:/var/lib/apache2/ssl_cache
#SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
#SSLSessionCache        shm:/var/lib/apache2/ssl_cache(512000)
SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache
SSLSessionCacheTimeout  600

SSLMutex  file:/var/lib/apache2/ssl_mutex
SSLMutex  sem

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

SSLCertificateFile      /home/xxxxxx.de/conf/certificates/www.xxx.de.cert
SSLCertificateKeyFile   /home/xxxxxx.de/conf/certificates/www.xxx.de.key
SSLCACertificateFile    /home/xxxxxx.de/conf/certificates/cacerts.pem
SSLVerifyDepth  2

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 39154] - Problem with webdav over SSL with client certificate authentication

Posted by bu...@apache.org.

------- Additional Comments From gmeinusch@yahoo.de  2006-03-31 07:12 -------
Thank you! Now it works perfectly! 



DO NOT REPLY [Bug 39154] - Problem with webdav over SSL with client certificate authentication

Posted by bu...@apache.org.

rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From rpluem@apache.org  2006-03-30 21:16 -------
This does not work on directory level with large files, because we currently do
not buffer the request body on disk but only 128k at max in memory. Moving
SSLVerifyClient require to virtual host level will make it work (see also PR12355).

*** This bug has been marked as a duplicate of 12355 ***

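
Added example (not part of the bug thread or of Apache httpd): a small Python check that flags SSLVerifyClient set inside a per-directory section, the placement the resolution comment says fails for large request bodies, and reports nothing once the directive is moved to virtual host level. The two sample configurations are constructed; the address and paths are placeholders.

```python
import re

# Constructed sample modelled on the reported configuration (placeholder address and path).
REPORTED = """\
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    <Directory /srv/webdav/upload>
        SSLVerifyClient require
        Dav On
    </Directory>
</virtualhost>
"""

# Same host after the change suggested in the resolution comment.
MOVED = """\
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLVerifyClient require
    <Directory /srv/webdav/upload>
        Dav On
    </Directory>
</VirtualHost>
"""

# Sections evaluated per request, i.e. after the initial SSL handshake.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE = re.compile(r"</\s*[A-Za-z]+\s*>")

def find_per_dir_verify(conf):
    """Return (line_no, section_line, level) for SSLVerifyClient inside per-directory sections."""
    stack, findings = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):          # assumes well-nested sections
            if stack:
                stack.pop()
            continue
        m = OPEN.fullmatch(line)
        if m:
            stack.append((m.group(1).lower(), line))
            continue
        parts = line.split()
        inner = [s for s in stack if s[0] in PER_DIR]
        # "none" is skipped: this sketch only reports levels that demand a certificate.
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1 and inner:
            if parts[1].lower() != "none":
                findings.append((no, inner[-1][1], parts[1].lower()))
    return findings
```
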