Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/05/04 13:56:04 UTC
[Bug 53193] New: SLVerifyClient optional_no_ca + SSLSessionCache =
wrong SSL_CLIENT_VERIFY
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
Priority: P2
Bug ID: 53193
Assignee: bugs@httpd.apache.org
Summary: SLVerifyClient optional_no_ca + SSLSessionCache =
wrong SSL_CLIENT_VERIFY
Severity: normal
Classification: Unclassified
OS: FreeBSD
Reporter: tomefrom@list.ru
Hardware: PC
Status: NEW
Version: 2.5-HEAD
Component: mod_ssl
Product: Apache httpd-2
If I use "SSLVerifyClient optional_no_ca" and SSLSessionCache (with any type of
cache, for example "dbm:/var/run/httpd/ssl_scache"), "SSLSessionCacheTimeout
300", from time to time in the CGI environment (I refresh the web page within 1-2
minutes) I see SSL_CLIENT_VERIFY=SUCCESS, in spite of the client certificate
in the web browser being signed not by the SSLCACertificateFile. It occurs when using
the Opera browser, because Opera provides a selection of client certificates to
authenticate with. At the same time possibly other clients work with another
virtualhost using a valid certificate (the virtualhost works on a different port). Even
when all other ssl-virtualhosts were removed and only I accessed the virtualhost
with the wrong certificate, the situation was repeated. When I set SSLSessionCache
to none, SSL_CLIENT_VERIFY=GENEROUS always.
At the same time in the log (when SSL_CLIENT_VERIFY=SUCCESS with the wrong
certificate):
10:10:52[debug] ssl_engine_kernel.c(1732): Inter-Process Session Cache:
request=GET status=FOUND
id=F1FF0E51D83D2BACDFBE4EEE8A348687D402C42BC2CA450E24608375CB82FFB8 (session
reuse)
10:10:52 [info] [client 172.16.70.220] SSL client authentication failed,
accepting certificate based on SSLVerifyClient optional_no_ca configuration
10:10:52 [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from
BIO#2bf45300 [mem: 2bfa9000] (BIO dump follows)
10:10:52 [info] Initial (No.1) HTTPS request received for child 71 (server
test:443)
10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to
read on BIO#2bf45300 [mem: 2bfa9000]
04 10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has
expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation
finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 97 with
standard shutdown (server test:443)
04 10:10:57 [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected
to read on BIO#2bf45300 [mem: 2bfa9000]
10:10:57 [info] [client 172.16.70.220] (70007)The timeout specified has
expired: SSL input filter read failed.
04 10:10:57 [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation
finished successfully
04 10:10:57 [info] [client 172.16.70.220] Connection closed to child 71 with
standard shutdown (server test:443)
--
You are receiving this mail because:
You are the assignee for the bug.
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
AlexSav <to...@list.ru> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|2.5-HEAD |2.2.22
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
jkaluza@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jkaluza@redhat.com
--- Comment #2 from jkaluza@redhat.com ---
I've been able to reproduce it and verified the patch fixes the issue without
introducing any regression when using the perl test suite. Committed in r1633085.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
Arnis Ut <ar...@ut.ee> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |arnis@ut.ee
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
AlexSav <to...@list.ru> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tomefrom@list.ru
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
Christophe JAILLET <ch...@wanadoo.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
[Bug 53193] SLVerifyClient optional_no_ca + SSLSessionCache = wrong
SSL_CLIENT_VERIFY
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53193
--- Comment #1 from Arnis Ut <ar...@ut.ee> ---
Created attachment 29622
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29622&action=edit
patch
Confirmed.
When a client certificate is requested in server context and a GENEROUS'ly verified
session is resumed, SSL_CLIENT_VERIFY will be set to SUCCESS.
This is a security bug for those who rely on SSL_CLIENT_VERIFY to test whether
certificate verification was successful.
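The point raised in Comment #1 is that an application behind mod_ssl must not take SSL_CLIENT_VERIFY=SUCCESS as proof that the chain was validated while this bug is present. The following is an added example, not code from the bug report or from httpd: an application-side guard over the mod_ssl CGI/WSGI variables (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN) that rejects anything other than SUCCESS and additionally requires the issuer DN to be one the server's SSLCACertificateFile is meant to trust, so a GENEROUS'ly verified session that is resumed as SUCCESS is still turned away. The trusted issuer DN, the sample environments and the names `client_authenticated` / `cert_chains_to_ca` are assumptions for illustration.

```python
"""Defence-in-depth check for mod_ssl client-certificate variables.

Added example, not code from bug 53193 or from httpd. It assumes the
application sees the standard mod_ssl environment variables and that the
issuer DN(s) of the CA(s) in SSLCACertificateFile are known in advance.
"""
import subprocess
import tempfile
from dataclasses import dataclass

# Assumption: the DN of the CA that SSLCACertificateFile is meant to trust.
TRUSTED_ISSUERS = frozenset({"CN=Example Corp Client CA,O=Example Corp,C=US"})

# Constructed sample environments (not captured from a real server).
# 1) Initial handshake, certificate issued by the trusted CA.
SAMPLE_INITIAL_TRUSTED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=alice,O=Example Corp,C=US",
    "SSL_CLIENT_I_DN": "CN=Example Corp Client CA,O=Example Corp,C=US",
}
# 2) Resumed session, certificate from some other CA, but mod_ssl (bug 53193)
#    reports SUCCESS instead of GENEROUS.
SAMPLE_RESUMED_WRONG_CA = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=mallory,O=Somewhere Else,C=XX",
    "SSL_CLIENT_I_DN": "CN=Untrusted Test CA,O=Somewhere Else,C=XX",
}
# 3) Initial handshake, wrong CA, correctly reported as GENEROUS.
SAMPLE_GENEROUS = {
    "SSL_CLIENT_VERIFY": "GENEROUS",
    "SSL_CLIENT_S_DN": "CN=mallory,O=Somewhere Else,C=XX",
    "SSL_CLIENT_I_DN": "CN=Untrusted Test CA,O=Somewhere Else,C=XX",
}


@dataclass(frozen=True)
class ClientAuthDecision:
    accepted: bool
    reason: str


def client_authenticated(environ, trusted_issuers=TRUSTED_ISSUERS):
    """Decide whether the request carries a validated client certificate.

    SSL_CLIENT_VERIFY values: NONE (no certificate), GENEROUS (accepted under
    optional_no_ca without chain validation), FAILED:<reason>, or SUCCESS.
    Only SUCCESS is accepted, and even then the issuer DN must be on the
    allowlist, which catches the resumed-session misreport of this bug.
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return ClientAuthDecision(False, f"SSL_CLIENT_VERIFY={verify}")
    issuer = environ.get("SSL_CLIENT_I_DN", "")
    if issuer not in trusted_issuers:
        return ClientAuthDecision(False, f"untrusted issuer {issuer!r}")
    subject = environ.get("SSL_CLIENT_S_DN", "")
    return ClientAuthDecision(True, f"subject {subject!r}")


def cert_chains_to_ca(client_cert_pem, ca_file):
    """Stronger check: re-validate the exported certificate itself.

    Requires "SSLOptions +ExportCertData" so that SSL_CLIENT_CERT carries the
    PEM certificate; if a front end flattened its newlines into spaces,
    restore them before calling this. Shells out to `openssl verify`, which
    prints "<file>: OK" and exits 0 only when the chain validates.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write(client_cert_pem)
        tmp.flush()
        proc = subprocess.run(
            ["openssl", "verify", "-CAfile", ca_file, tmp.name],
            capture_output=True, text=True,
        )
    return proc.returncode == 0 and proc.stdout.strip().endswith(": OK")


if __name__ == "__main__":
    for name, env in (("initial/trusted", SAMPLE_INITIAL_TRUSTED),
                      ("resumed/wrong CA", SAMPLE_RESUMED_WRONG_CA),
                      ("initial/generous", SAMPLE_GENEROUS)):
        print(f"{name:18} -> {client_authenticated(env)}")
```

The issuer-DN allowlist is only a heuristic: a DN is not cryptographically bound, so a certificate from an attacker-controlled CA that copies the trusted issuer name would pass it. The reliable fixes are the patched httpd (r1633085) or re-validating SSL_CLIENT_CERT against the CA bundle as `cert_chains_to_ca` does.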