Posted to users@httpd.apache.org by Jeff Blaine <jb...@kickflop.net> on 2010/11/01 21:42:41 UTC
[users@httpd] SSLRequire "SUCCESS" but actually failure (2 possible bugs)
Hi folks,
I'm using Apache 2.2.3 with mod_ssl on a RHELv5.5 box. I have
been stumped for 3 weeks now by a problem with SSLRequire
and certificates.
FWIW, I also built the latest Apache with SSL from source,
ran it on a separate port, and got equally odd results.
I have posed this same question/situation on the mod_ssl mailing
list, but did not get anywhere.
[root@rtdev1 conf.d]# rpm -qa | grep httpd
httpd-2.2.3-43.el5_5.3
[root@rtdev1 conf.d]# rpm -qa | grep mod_ssl
mod_ssl-2.2.3-43.el5_5.3
[root@rtdev1 conf.d]#
Section from ssl.conf:
...
SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mlaveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
...
The 403 error as it manifests itself in the ssl_error.log:
[Mon Nov 01 14:50:14 2010] [info] Access to
/apps/rtsrv1dev/share/html/ denied for xxx.xx.160.29 (requirement
expression not fulfilled)
[Mon Nov 01 14:50:14 2010] [info] Failed expression:
%{SSL_CLIENT_S_DN} in { "/O=our.org/OU=people/UID=jblaine/CN=Blaine
Charles J.", "/O=our.org/OU=people/UID=mlaveless/CN=Laveless Mark W.",
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." }
[Mon Nov 01 14:50:14 2010] [error] [client xxx.xx.160.29] access to
/apps/rtsrv1dev/share/html/ failed, reason: SSL requirement expression
not fulfilled (see SSL logfile for more details)
However, note the "SUCCESS" (bogus?) via CustomLog of
%{SSL_CLIENT_VERIFY}x
[01/Nov/2010:14:50:14 -0400] xxx.xx.160.29 on TLSv1 RC4-MD5
/O=our.org/OU=People/UID=bcian/CN=Ciancetta Barbara J. SUCCESS
And here's another failure from Barbara, with IE8 instead of
Firefox:
[01/Nov/2010:14:49:07 -0400] xxx.xx.160.29 on TLSv1 AES256-SHA
/O=our.org/OU=People/UID=bcietta/CN=Cietta Barbara J. SUCCESS
Note, however, this was a session that worked (SUCCESS actually
meant success...). IE8 on my machine:
[01/Nov/2010:15:02:46 -0400] xxx.xx.0.150 on TLSv1 AES128-SHA
/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS
Here's what *DOES WORK* for all parties with certificates, but
is not really what we want, and as I understand the docs, the
other (full DN) should work.
SSLRequire %{SSL_CLIENT_S_DN_CN} in { \
"Blaine Charles J.", \
"Laveless Marc W.", \
"Simpson Mary B", \
"Cietta Barbara A." }
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSLRequire "SUCCESS" but actually failure (2 possible bugs)
Posted by Joe Orton <jo...@redhat.com>.
On Mon, Nov 01, 2010 at 04:42:41PM -0400, Jeff Blaine wrote:
...
> [Mon Nov 01 14:50:14 2010] [error] [client xxx.xx.160.29] access
> to /apps/rtsrv1dev/share/html/ failed, reason: SSL requirement
> expression not fulfilled (see SSL logfile for more details)
>
> However, note the "SUCCESS" (bogus?) via CustomLog of
> %{SSL_CLIENT_VERIFY}x
The "SUCCESS" doesn't sound bogus in this context - it merely indicates
whether or not the client cert itself verified OK, which is orthogonal
to SSLRequire.
You're not using the worker MPM here, are you?
> Here's what *DOES WORK* for all parties with certificates, but
> is not really what we want, and as I understand the docs, the
> other (full DN) should work.
>
> SSLRequire %{SSL_CLIENT_S_DN_CN} in { \
Yes, the full DN comparison should work; I wouldn't necessarily
recommend it though.
It could be an SSLRequire bug you are hitting here, can't say without
debugging it; if you can verify with vanilla upstream 2.2.17 you could
file a bug at issues.apache.org, or else open a support ticket with Red
Hat for the RHEL5 package.
Regards, Joe
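As an added example (not code from the thread, and not mod_ssl's own), the following Python models the full-DN `in` test used in the SSLRequire line above and, for each client DN seen in the quoted CustomLog lines, reports whether it would pass and which DN components differ from the listed entry with the same UID. It assumes that mod_ssl's `in` operator compares the whole DN string exactly and case-sensitively, and that the DNs are reproduced as logged.

```python
# Added example (not code from the thread or from mod_ssl). Assumption:
# the SSLRequire `in` operator compares the whole variable value against
# each list entry as an exact, case-sensitive string.
# The DN list from the SSLRequire directive quoted in the thread.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mlaveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]

# Client DNs as printed by the CustomLog lines quoted in the thread.
LOGGED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=People/UID=bcietta/CN=Cietta Barbara J.",
    "/O=our.org/OU=People/UID=bcian/CN=Ciancetta Barbara J.",
]

def parse_dn(dn):
    """Split an OpenSSL one-line DN ("/O=x/OU=y/...") into (attr, value) pairs."""
    return [tuple(comp.split("=", 1)) for comp in dn.split("/")[1:]]

def ssl_require_in(value, allowed):
    """Model of `%{VAR} in { ... }`: true only on an exact whole-string match."""
    return any(value == entry for entry in allowed)

def nearest_mismatch(value, allowed):
    """For a denied DN, locate the allowed entry with the same UID (if any)
    and list the components that differ as (attr, logged, required)."""
    have = dict(parse_dn(value))
    for entry in allowed:
        want = dict(parse_dn(entry))
        if want.get("UID") == have.get("UID"):
            return [(k, have.get(k), want.get(k))
                    for k in want if have.get(k) != want.get(k)]
    return None  # no listed entry carries this UID at all

def audit(logged=LOGGED_DNS, allowed=ALLOWED_DNS):
    """Map each logged DN to (allowed?, differing components or None)."""
    return {dn: (True, None) if ssl_require_in(dn, allowed)
            else (False, nearest_mismatch(dn, allowed))
            for dn in logged}

if __name__ == "__main__":
    # SSL_CLIENT_VERIFY=SUCCESS says only that the cert chained to a trusted
    # CA; the DN test below is a separate, byte-exact decision.
    for dn, (ok, why) in audit().items():
        print("ALLOW" if ok else "DENY ", dn, "" if ok else why)
```

Run it to see that the jblaine DN is the only one accepted, while the bcietta DN is rejected on the OU case difference and the CN suffix, exactly the kind of mismatch that a SUCCESS verify status does not rule out.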