Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/06/25 17:27:22 UTC

DO NOT REPLY [Bug 47427] New: browser doesn't get Error 403 if user's auth failed

https://issues.apache.org/bugzilla/show_bug.cgi?id=47427

           Summary: browser doesn't get Error 403 if user's auth failed
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mike.pechkin@gmail.com


non-detailed description:

1. You set up the SSL host. Everything is *OK* if you have the user's cert.

<VirtualHost 10.0.0.86:8443>  
    ServerAdmin kuku@parks.lv
    ServerName mihailp1.parks.lv
    DocumentRoot "/mihailp1/www-secure"

    SSLEngine on
    SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
    SSLCertificateFile  "/root/mihailp1-ca/mihailp1.crt"
    SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"

    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLOptions +OptRenegotiate

    ErrorLog  "logs/secure-error_log"
    CustomLog "logs/secure-access_log" common
</VirtualHost>

2. open the browser and *don't* install the user's cert
3. try to open the site in any major browser; you will get an error
4. as you can see in the log (and the code) the ssl module returns error 403, but
the browser *doesn't* get it at all
5. if you try to repeat the same scenario in nginx, you would get a simple error
page, because nginx can handle (and finalize) requests without the user's cert.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427





--- Comment #5 from Ruediger Pluem <rp...@apache.org>  2009-06-25 11:52:17 PST ---
What about

<VirtualHost 10.0.0.86:8443>  
    ServerAdmin kuku@parks.lv
    ServerName mihailp1.parks.lv
    DocumentRoot "/mihailp1/www-secure"

    SSLEngine on
    SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
    SSLCertificateFile  "/root/mihailp1-ca/mihailp1.crt"
    SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"

    <Directory /mihailp1/www-secure>
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +OptRenegotiate
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>

    ErrorLog  "logs/secure-error_log"
    CustomLog "logs/secure-access_log" common
</VirtualHost>

and an error page located in a directory outside the document root mapped in
with an alias?

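The workaround from comment #5 written out in full, as an added example that is not part of the original thread: certificate checking moves from the handshake to the HTTP layer, and the 403 page is served from an aliased directory outside the protected tree. The `/errors/` prefix, the `/mihailp1/www-errors` directory and `403.html` are assumed names; access control uses the httpd 2.2 `Order`/`Allow` syntax to match the reported version.

```apache
# Added example for httpd 2.2; the /errors/ prefix, /mihailp1/www-errors
# and 403.html are assumed names, not taken from the bug report.
<VirtualHost 10.0.0.86:8443>
    ServerName mihailp1.parks.lv
    DocumentRoot "/mihailp1/www-secure"

    SSLEngine on
    SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
    SSLCertificateFile    "/root/mihailp1-ca/mihailp1.crt"
    SSLCACertificateFile  "/root/mihailp1-ca/mihailp1-ca.crt"

    # No SSLVerifyClient at vhost level: the handshake completes without
    # a client certificate, so httpd can still send an HTTP response.

    # Error page lives outside the protected tree and is mapped in by URL.
    Alias /errors/ "/mihailp1/www-errors/"
    ErrorDocument 403 /errors/403.html

    <Directory "/mihailp1/www-errors">
        # Readable by everyone, with or without a certificate.
        Order allow,deny
        Allow from all
    </Directory>

    <Directory "/mihailp1/www-secure">
        # Ask for a certificate but let the handshake succeed without one...
        SSLVerifyClient optional
        SSLVerifyDepth 3
        SSLOptions +OptRenegotiate
        # ...then refuse the request at HTTP level (403) unless it verified.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>

    ErrorLog  "logs/secure-error_log"
    CustomLog "logs/secure-access_log" common
</VirtualHost>
```

With this layout a request without a certificate should receive an HTTP 403 carrying the custom page rather than a handshake alert, and the access log should record the 403 for the requested URL.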


DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427


Mike <mi...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #6 from Mike <mi...@gmail.com>  2009-06-26 02:29:53 PST ---
Thank you for your workaround, it is nice.
But at the same time I always see the "Select certificate" window in FF.
See bug 47055, even with the patch the window pops up.
I will do more research, because I *need* an error 403 handler *and* a silent FF.



DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427





--- Comment #4 from Mike <mi...@gmail.com>  2009-06-25 11:40:59 PST ---
Yes, using the <Directory> tag helps much, but I *want* to use a beautiful error
page here, this is a public site.



DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427





--- Comment #1 from Mike <mi...@gmail.com>  2009-06-25 08:38:32 PST ---
1. you see error 403 in the log
2. browser doesn't get 403 error and ErrorDocument 403 ... doesn't work at all!



DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427





--- Comment #2 from Mike <mi...@gmail.com>  2009-06-25 08:46:14 PST ---
1. setup apache, try openssl s_client

# openssl s_client -host 10.0.0.86 -port 8443
CONNECTED(00000003)
depth=1 /C=LV/ST=Riga/L=Riga/O=Parks AS CA/OU=IT/CN=Parks AS CA/emailAddress=kuku@parks.lv
verify error:num=19:self signed certificate in certificate chain
verify return:0
12358:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
12358:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

you will see the same error in Opera too.

2. if you use s_client under nginx, you would see a prompt which fails later
because you didn't provide the required key files.



DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427





--- Comment #3 from Ruediger Pluem <rp...@apache.org>  2009-06-25 10:24:36 PST ---
IMHO this is not a bug but a feature. httpd immediately cancels the SSL
connection if not provided with a client cert. If you don't like that please
try the following configuration: 

<VirtualHost 10.0.0.86:8443>  
    ServerAdmin kuku@parks.lv
    ServerName mihailp1.parks.lv
    DocumentRoot "/mihailp1/www-secure"

    SSLEngine on
    SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
    SSLCertificateFile  "/root/mihailp1-ca/mihailp1.crt"
    SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"

    <Directory /mihailp1/www-secure>
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLOptions +OptRenegotiate
    </Directory>

    ErrorLog  "logs/secure-error_log"
    CustomLog "logs/secure-access_log" common
</VirtualHost>



DO NOT REPLY [Bug 47427] browser doesn't get Error 403 if user's auth failed

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47427


Mike <mi...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mike.pechkin@gmail.com



