Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/03/07 11:59:38 UTC

DO NOT REPLY [Bug 38876] New: - SSL_CLIENT_CERT header bad format

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38876>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38876

           Summary: SSL_CLIENT_CERT header bad format
           Product: Apache httpd-2
           Version: 2.0.54
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P1
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mstern@csc.com


It seems that the PEM-encoded certificate coming out of OpenSSL (0.9.8a in my
case) contains new lines without leading space, which is interpreted as a new
HTTP header.
Even more important, the last empty line leads to 2 new lines without leading
space, which is interpreted as the end of all HTTP headers.

This could be fixed by removing all new lines in the PEM-encoded certificate, in
ssl_engine_vars.c:

static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
    ...
    BIO_free(bio);

+ /* remove all new lines (CR & LF) */
+ {
+  char *source, *target;
+  for ( source = target = result; *source; source++ ) {
+   if ( (*source != 0x0A) && (*source != 0x0D) ) *target++ = *source;
+  }
+  *target = NUL;
+ }

    return result;
}
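
Review bot: NUL on the "*target = NUL;" line is not declared in any of the visible lines, so unless a project macro supplies it the added block will not compile; '\0' is unambiguous. The stripping also happens inside ssl_var_lookup_ssl_cert_PEM itself, just before "return result;", so every caller of this lookup receives a PEM value without line breaks, not only the code that builds the HTTP header. Consider flattening at the point where the value is placed into a header, or state the changed output format in the function's comment.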


Remark: the test
   if ( (*source != 0x0A) && (*source != 0x0D) )
could also be replaced by a more general one:
   if ( *source <= ' ' )

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
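
The failure described in the report above, as an added example that is not part of the bug report or of mod_ssl: it classifies each line break in a header value the way a line-based header reader would, and shows a strict guard to apply before emitting the header. The names scan_header_value and header_value_is_single_line are hypothetical, and the PEM text is a constructed sample, not a real certificate.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real certificate: PEM framing with LF line ends. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "AAAAconstructedAAAA\n"
    "-----END CERTIFICATE-----\n";
/* The same constructed value with CR and LF removed. */
static const char SAMPLE_FLAT[] =
    "-----BEGIN CERTIFICATE-----AAAAconstructedAAAA-----END CERTIFICATE-----";

struct header_scan {
    int continuation_lines; /* break followed by SP/HT: read as folding */
    int spurious_lines;     /* break followed by text: read as a new header */
    int ends_header_block;  /* empty line: read as end of all headers */
};

/* Classify each line break in a value that will be sent as "Name: value\r\n". */
static struct header_scan scan_header_value(const char *value)
{
    struct header_scan r = {0, 0, 0};
    for (const char *p = value; *p; p++) {
        if (p[0] == '\r' && p[1] == '\n')
            p++;                          /* count CRLF as one break */
        if (*p != '\n' && *p != '\r')
            continue;
        char next = p[1];
        if (next == ' ' || next == '\t')
            r.continuation_lines++;
        else if (next == '\0' || next == '\n' || next == '\r')
            r.ends_header_block = 1;      /* an empty line results */
        else
            r.spurious_lines++;
    }
    return r;
}

/* Strict guard before emitting a header: no CR or LF anywhere in the value. */
static int header_value_is_single_line(const char *value)
{
    return strpbrk(value, "\r\n") == NULL;
}

int main(void)
{
    struct header_scan r = scan_header_value(SAMPLE_PEM);
    printf("spurious=%d ends=%d flat_ok=%d\n", r.spurious_lines,
           r.ends_header_block, header_value_is_single_line(SAMPLE_FLAT));
    return 0;
}
```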


DO NOT REPLY [Bug 38876] - SSL_CLIENT_CERT header bad format

Posted by bu...@apache.org.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38876


mstern@csc.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From mstern@csc.com  2006-03-22 14:48 -------
Solved in 2.2, in mod_headers

Backport available: http://people.apache.org/~jorton/mod_headers-2.0-ssl.diff
