Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/05/04 13:56:04 UTC

[Bug 53193] New: SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY

https://issues.apache.org/bugzilla/show_bug.cgi?id=53193

          Priority: P2
            Bug ID: 53193
          Assignee: bugs@httpd.apache.org
           Summary: SLVerifyClient optional_no_ca + SSLSessionCache =
                    wrong SSL_CLIENT_VERIFY
          Severity: normal
    Classification: Unclassified
                OS: FreeBSD
          Reporter: tomefrom@list.ru
          Hardware: PC
            Status: NEW
           Version: 2.5-HEAD
         Component: mod_ssl
           Product: Apache httpd-2

If I use "SSLVerifyClient optional_no_ca" and SSLSessionCache (with any type of
cache, for example "dbm:/var/run/httpd/ssl_scache"), "SSLSessionCacheTimeout
300", from time to time in the CGI environment (I refresh the web page within 1-2
minutes) I see SSL_CLIENT_VERIFY=SUCCESS, in spite of the client certificate
in the web browser not being signed by the SSLCACertificateFile. It occurs when using
the Opera browser, because Opera provides a selection of client certificates to
authenticate with. At the same time possibly other clients work with another
virtualhost using a valid certificate (the virtualhost works on a different port). Even
when all other SSL virtualhosts were removed and only I accessed the virtualhost
with the wrong certificate, the situation was repeated. When I set SSLSessionCache
to none, SSL_CLIENT_VERIFY=GENEROUS always.


At the same time in the log (when SSL_CLIENT_VERIFY=SUCCESS with the wrong
certificate):
10:10:52[debug] ssl_engine_kernel.c(1732): Inter-Process Session Cache:
request=GET status=FOUND
id=F1FF0E51D83D2BACDFBE4EEE8A348687D402C42BC2CA450E24608375CB82FFB8 (session
reuse)
10:10:52 [info] [client 172.16.70.220] SSL client authentication failed,
accepting certificate based on SSLVerifyClient optional_no_ca configuration
10:10:52 [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from
BIO#2bf45300 [mem: 2bfa9000] (BIO dump follows)
10:10:52 [info] Initial (No.1) HTTPS request received for child 71 (server
test:443)

10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to
read on BIO#2bf45300 [mem: 2bfa9000]
04 10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has
expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation
finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 97 with
standard shutdown (server test:443)
04 10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected
to read on BIO#2bf45300 [mem: 2bfa9000]
10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has
expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation
finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 71 with
standard shutdown (server test:443)

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


AlexSav <to...@list.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.5-HEAD                    |2.2.22


[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


jkaluza@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jkaluza@redhat.com

--- Comment #2 from jkaluza@redhat.com ---
I've been able to reproduce it and verified the patch fixes the issue without
introducing any regression when using the perl test suite. Committed in r1633085.


---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


Arnis Ut <ar...@ut.ee> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arnis@ut.ee



[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


AlexSav <to...@list.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tomefrom@list.ru


[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable



[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong SSL_CLIENT_VERIFY


--- Comment #1 from Arnis Ut <ar...@ut.ee> ---
Created attachment 29622
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29622&action=edit
patch

Confirmed.
When a client certificate is requested in the server context and a GENEROUS'ly verified
session is resumed, SSL_CLIENT_VERIFY will be set to SUCCESS.

This is a security bug for those who rely on SSL_CLIENT_VERIFY to test whether
certificate verification was successful.

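The failure mode described in the report and in Comment #1 can be shown with a small model of how a session cache interacts with the verify outcome. This is an added example, not code from httpd or from the attached patch: it assumes (as a simplification) that the result behind SSL_CLIENT_VERIFY is built from two pieces, an accept/reject outcome that travels with the cached session and a per-connection "accepted despite unknown CA" note that only the verify callback sets, and that callback runs on a full handshake but not on a resumption. All names (ClientCert, SessionCache, visit_twice, the issuer strings) are constructed for the model; the values SUCCESS, GENEROUS and NONE are the SSL_CLIENT_VERIFY values from the report.

```python
# Added example (not httpd/mod_ssl code): model of SSLVerifyClient optional_no_ca
# plus a session cache, showing why a resumed session can report SUCCESS for a
# certificate that was only accepted GENEROUS'ly, and what the cache must keep
# so that the second visit reports the same value as the first.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OPTIONAL_NO_CA = "optional_no_ca"
REQUIRE = "require"

# Constructed stand-in for SSLCACertificateFile: issuer names the server trusts.
TRUSTED_ISSUERS = {"Example Corp CA"}


@dataclass
class ClientCert:
    subject: str
    issuer: str


@dataclass
class Connection:
    peer_cert: Optional[ClientCert] = None
    verify_ok: bool = False        # accept/reject outcome of the handshake
    accepted_no_ca: bool = False   # set by the verify callback on a full handshake only
    resumed: bool = False


@dataclass
class SessionCache:
    """Model of SSLSessionCache. With carry_no_ca_flag=False the cache keeps only
    the accept/reject outcome (the failure mode in the report); with True it also
    keeps the "accepted despite unknown CA" note, so a resumed session still
    reports GENEROUS."""
    carry_no_ca_flag: bool
    entries: Dict[str, Connection] = field(default_factory=dict)

    def store(self, session_id: str, conn: Connection) -> None:
        self.entries[session_id] = Connection(
            peer_cert=conn.peer_cert, verify_ok=conn.verify_ok,
            accepted_no_ca=conn.accepted_no_ca if self.carry_no_ca_flag else False)

    def resume(self, session_id: str) -> Connection:
        """Abbreviated handshake: the verify callback does not run."""
        saved = self.entries[session_id]
        return Connection(saved.peer_cert, saved.verify_ok, saved.accepted_no_ca,
                          resumed=True)


def verify_callback(conn: Connection, mode: str) -> bool:
    """Runs on a full handshake only. Returns False to abort the handshake."""
    cert = conn.peer_cert
    if cert is None:
        return mode != REQUIRE          # "require" needs a certificate
    if cert.issuer in TRUSTED_ISSUERS:
        conn.verify_ok = True
        return True
    if mode == OPTIONAL_NO_CA:
        # Accept the connection anyway, but remember that the chain did not verify.
        conn.verify_ok = True
        conn.accepted_no_ca = True
        return True
    return False


def client_verify_var(conn: Connection) -> str:
    """Derive the SSL_CLIENT_VERIFY value exported to the CGI environment."""
    if conn.peer_cert is None:
        return "NONE"
    if conn.accepted_no_ca:
        return "GENEROUS"
    return "SUCCESS" if conn.verify_ok else "FAILED"


def full_handshake(cache: SessionCache, session_id: str,
                   cert: Optional[ClientCert], mode: str) -> Connection:
    conn = Connection(peer_cert=cert)
    if not verify_callback(conn, mode):
        raise ValueError("handshake aborted: certificate rejected")
    cache.store(session_id, conn)
    return conn


def handshake_aborts(cert: Optional[ClientCert], mode: str) -> bool:
    """True if the full handshake rejects this certificate under the given mode."""
    try:
        full_handshake(SessionCache(carry_no_ca_flag=True), "probe", cert, mode)
        return False
    except ValueError:
        return True


def visit_twice(cache_carries_flag: bool, cert: Optional[ClientCert],
                mode: str = OPTIONAL_NO_CA) -> Tuple[str, str]:
    """SSL_CLIENT_VERIFY on the first request (full handshake) and on a refresh
    within SSLSessionCacheTimeout (session resumed from the cache)."""
    cache = SessionCache(carry_no_ca_flag=cache_carries_flag)
    first = client_verify_var(full_handshake(cache, "sess-1", cert, mode))
    refresh = client_verify_var(cache.resume("sess-1"))
    return first, refresh


if __name__ == "__main__":
    unknown_ca = ClientCert("CN=alice", "Some Other CA")   # not in SSLCACertificateFile
    print("cache without flag:", visit_twice(False, unknown_ca))   # GENEROUS, then SUCCESS
    print("cache with flag:   ", visit_twice(True, unknown_ca))    # GENEROUS, GENEROUS
```

The model reproduces the report: with the cache dropping the per-connection note, the first request reports GENEROUS and the refresh reports SUCCESS, which is exactly the value an application checking `SSL_CLIENT_VERIFY == "SUCCESS"` would accept. Carrying the note with the session (or turning the cache off, as the reporter did) keeps the two values consistent. An application that must defend itself on an unfixed server can also avoid trusting SSL_CLIENT_VERIFY alone and instead re-verify the certificate exported in SSL_CLIENT_CERT (available with `SSLOptions +ExportCertData`) against its own CA set.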