Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/04/07 18:31:58 UTC

DO NOT REPLY [Bug 39243] New: - Can't post files larger than 128k onto ssl client cert secured site

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39243>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39243

           Summary: Can't post files larger than 128k onto ssl client cert
                    secured site
           Product: Apache httpd-2
           Version: 2.0.55
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: regression
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mbertheau@gmail.com
                CC: schwarz@bab24.de


I can't post files to an ssl site that are larger than 128k (120k works, 140k
doesn't work). The error message I get in ssl_error_log is

request body exceeds maximum size for SSL buffer
could not buffer message body to allow SSL renegotiation to proceed

and the client gets 413. This doesn't occur every time; apparently only when ssl
renegotiation is needed.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


------- Additional Comments From p.c.c.wagemans@kpn.com  2006-07-24 11:37 -------
Will Rowe wrote:

> The obvious answer for an 'upload' style operation is to ensure they
> never hit your upload page without going through a simpler front
> page which first enforces the renegotiation.  This can be your upload
> form page.

> Once the session is SSLClientVerify'ed it won't renegotiate -again-
> so this problem won't occur.

This can work for interactive applications, but there are common
situations without an upload page: an application that wants to submit
data to the web server in a SOAP POST request.


Note: the above proposal for using an upload page request to
renegotiate for the client certificate appears to work only with
"SSLVerifyClient none" but not with "SSLVerifyClient optional" at top
level. In the last case a renegotiation is performed on the subsequent
form POST even when a client certificate is already present. Thus you
again run into the 128K limit. This is probably explained by the
following code in ssl_engine_kernel.c, which only treats "none" as a
special case:

        /* optimization */

        if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
            (verify_old == SSL_VERIFY_NONE) &&
            ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
        {
            renegotiate_quick = TRUE;
            X509_free(peercert);
        }



------- Additional Comments From rpluem@apache.org  2006-07-07 15:50 -------
(In reply to comment #5)
> I really need at least 200K limit. If I understand correctly, I can 'patch' 
> the code and increase this buffer from 128K to say 256K, recompile apache and 
> it will work, right?

Correct. You can do this.




------- Additional Comments From wrowe@apache.org  2006-07-23 20:04 -------
We can allow you to configure this to be larger at a serious cost to how
many requests you can process.

The obvious answer for an 'upload' style operation is to ensure they never
hit your upload page without going through a simpler front page which first
enforces the renegotiation.  This can be your upload form page.

Once the session is SSLClientVerify'ed it won't renegotiate -again- so this
problem won't occur.

No matter what -we- do, if you design your huge-post page such that it won't
cause renegotiation on large posts, your server will always have less stress.
And that's a good thing IMHO.  2GB set asides are absurd, but pushing up a
2GB iso image isn't inconceivable.




------- Additional Comments From p.c.c.wagemans@kpn.com  2006-07-14 07:33 -------
> But you should really design your site to ensure that the first
> request to a client-cert-protected area is not a POST request with a
> large body; make it a GET or something.

Not really an option with SOAP.

> I have to believe the "one size limit fits all" approach will not
> work for all the existing applications in the world.

Agreed.

> However, shouldn't we add a SSLMaxIOBuffer directive instead of
> hardcoding the value at build time?

That is a good way to remove the hard-coded limit. But is there a
reason why one could not use the existing directive LimitRequestBody,
as suggested above? It can be set for the client cert protected area
and then defines the size of requests that should be handled, thus the
amount that should be allowed to be buffered.



------- Additional Comments From gunchev@gmail.com  2006-07-07 09:25 -------
I really need at least 200K limit. If I understand correctly, I can 'patch' 
the code and increase this buffer from 128K to say 256K, recompile apache and 
it will work, right?



------- Additional Comments From powell.hazzard@hp.com  2006-07-13 17:51 -------
While I do believe the previous unlimited approach could be a DoS (nice catch), 
I have to believe the "one size limit fits all" approach will not work for all 
the existing applications in the world.   However, shouldn't we add an 
SSLMaxIOBuffer directive instead of hardcoding the value at build time?  This 
way any pre-built server or existing application would have a way to raise/lower 
this value as needed for any given virtual host or directory.




------- Additional Comments From gunchev@gmail.com  2006-07-24 08:22 -------
While 256K suits our needs for now (I did recompile and it worked), tomorrow 
we'll have to post larger scanned documents (say 512K), some time later even 
larger. My apache is just a reverse proxy with SSL client authentication, so 
an option would be better or I'll have to recompile every change/update...



------- Additional Comments From smitha.jasti@gmail.com  2006-11-19 22:51 -------
Hi,

I too am facing a problem due to the fixed buffer size. I saw the suggestion 
about adding a directive to modify the buffer size as needed. Has there been 
any work done in this regard? Any other suggestion about how this problem 
could be fixed?



------- Additional Comments From p.c.c.wagemans@kpn.com  2006-07-14 14:18 -------

> what is your input on changing the limit to 256K?  Would that be
> sufficient or not?

No. We're looking at megabyte SOAP POSTs.

> Overloading LimitRequestBody for such a purpose is not acceptable,
> no - the default is unlimited.

With that overload idea, the default value of zero (unlimited) would
be translated to the hard-coded value to protect against DOS attempts.
Defining a positive size for LimitRequestBody would allow that size to
be buffered for POSTs in mod_ssl (because it seems sensible to keep
functioning up to the specified limit). I had something along these
lines in mind:

--- httpd-2.0.46/modules/ssl/ssl_engine_io.c.old ...
+++ httpd-2.0.46/modules/ssl/ssl_engine_io.c.new ...
@@ -1395,8 +1395,17 @@
     struct modssl_buffer_ctx *ctx;
     apr_bucket_brigade *tempb;
     apr_off_t total = 0; /* total length buffered */
+    apr_off_t max_ssl_buffered = 0; /* Maximum allowed memory buffering of ssl
data. */
     int eos = 0; /* non-zero once EOS is seen */
     
+    max_ssl_buffered = ap_get_limit_req_body( r );
+
+    if (max_ssl_buffered == 0) { 
+      /* If undefined/unlimited, use default limit to defend against
+       * DOS attempts. */
+      max_ssl_buffered = SSL_MAX_IO_BUFFER;
+    }
+
     /* Create the context which will be passed to the input filter. */
     ctx = apr_palloc(r->pool, sizeof *ctx);
     ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
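Review bot: the `+` line declaring `max_ssl_buffered` has been mail-wrapped, so its tail (`data. */`) sits on a line with no leading `+` and the patch will not apply as pasted; re-post it unwrapped or shorten the comment to one line. Second, `max_ssl_buffered = ap_get_limit_req_body( r );` makes LimitRequestBody double as the in-memory buffering cap: a location configured with a large LimitRequestBody (the thread mentions 40-50 MB for SOAP) will now hold that much heap per connection during renegotiation, so the fallback-to-SSL_MAX_IO_BUFFER comment should say so and the LimitRequestBody documentation needs a matching note. Minor style: the spaces inside `( r )` do not match the surrounding httpd code.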
@@ -1460,7 +1469,7 @@
                       total, eos);
 
         /* Fail if this exceeds the maximum buffer size. */
-        if (total > SSL_MAX_IO_BUFFER) {
+        if (total > max_ssl_buffered) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                           "request body exceeds maximum size for SSL buffer");
             return HTTP_REQUEST_ENTITY_TOO_LARGE;
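Review bot: the `ap_log_rerror` message still reads only "request body exceeds maximum size for SSL buffer", which no longer tells an operator whether the effective limit came from the hard-coded SSL_MAX_IO_BUFFER default or from a LimitRequestBody directive; since `total` and `max_ssl_buffered` are both in scope here, log both values in the message so a 413 can be traced to the right setting. The comparison itself is fine, as both operands are `apr_off_t`.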





nelchael@gentoo.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nelchael@gentoo.org






------- Additional Comments From powell.hazzard@hp.com  2006-07-14 14:00 -------
> I'm fairly reluctant to add a config directive for this.  

   I can understand your point of view. 

> I would be happy with a "one size fits most" hard-coded limit if we could 
arrive at such a value; what is your input on changing the limit to 256K? 

IMHO

   Since I work in support/engineering I can honestly say we have customers 
that are using SOAP messages anywhere from 1k to 40mb in size (or higher).  
So, if you are asking for my input regarding any hard coded value I would have 
to vote for the 40mb-50mb range.  While I agree those values seem absurd for 
most small web sites, large SOAP web sites will need this type of limit out 
of the box.  Without a large hard-coded value customers are going to request 
vendors like RedHat to give them a supported version of the Apache web Server 
with a higher hard coded value because their existing applications that have 
been deployed all over the world just stopped working when they installed 
http://www.linuxsecurity.com/content/view/120313.  (I've already had three 
customers.)





rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From rpluem@apache.org  2006-04-08 11:00 -------
Ok, technically you are right and your report is not exactly a duplicate of
12355, but it is currently not planned to change this behaviour in the case that
you have POST requests + SSL + Directory or Location based client certificates
which require an SSL renegotiation. It would require introducing disk buffering
of the POST request body. If you are using client certificates for the whole
virtual host everything works fine. So I mark it as WONTFIX.


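The configuration pattern this thread turns on (client certificates required only inside a Location or Directory of a vhost that does not require them, so mod_ssl must renegotiate in the middle of a request and buffer the body first) can be caught at config review time. The checker below is an added example written for this page, not httpd code; it reads a simplified httpd.conf (one directive per line, nested containers only), flags scopes that will renegotiate, and carries a constructed weak config beside the vhost-wide form rpluem describes as working.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hard-coded mod_ssl renegotiation buffer discussed in the thread (128 KiB).
SSL_MAX_IO_BUFFER = 128 * 1024

OPEN_RE = re.compile(r"^<(\w+)\s+([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
# Containers in which a stricter SSLVerifyClient forces a mid-request renegotiation.
SCOPE_TAGS = {"Location", "LocationMatch", "Directory", "DirectoryMatch",
              "Files", "FilesMatch"}


@dataclass
class Finding:
    vhost: str
    scope: str
    verify: str
    limit_request_body: Optional[int]
    message: str


def _parse(conf: str) -> Tuple[Dict[str, str], List[tuple]]:
    """Simplified httpd.conf reader. Returns server-level settings and every closed
    scope as (tag, arg, scope_settings, vhost_arg, vhost_settings). The vhost dict
    keeps filling after a nested <Location> closes, so a vhost directive placed
    below the Location block is still seen when findings are built."""
    server: Dict[str, str] = {}
    stack: List[Tuple[str, str, Dict[str, str]]] = []
    scopes: List[tuple] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip(), {}))
            continue
        if CLOSE_RE.match(line):
            if not stack:
                continue  # unbalanced close: ignore in this simplified reader
            tag, arg, settings = stack.pop()
            if tag in SCOPE_TAGS:
                vhost = next(((a, s) for t, a, s in reversed(stack) if t == "VirtualHost"),
                             ("*server*", server))
                scopes.append((tag, arg, settings, vhost[0], vhost[1]))
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            target = stack[-1][2] if stack else server
            target[parts[0].lower()] = parts[1].strip()
    return server, scopes


def lint_ssl_verify_scopes(conf: str) -> List[Finding]:
    """Flag scopes whose SSLVerifyClient is stricter than the enclosing vhost's.
    Per the thread, only a vhost-wide 'require' avoids the renegotiation; an
    'optional' at vhost level still renegotiates on the POST into the scope."""
    _, scopes = _parse(conf)
    findings: List[Finding] = []
    for tag, arg, settings, vhost_arg, vhost in scopes:
        verify = settings.get("sslverifyclient")
        if verify is None or verify.lower() == "none":
            continue
        vhost_verify = vhost.get("sslverifyclient", "none").lower()
        if vhost_verify == "require":
            continue
        raw_limit = settings.get("limitrequestbody", vhost.get("limitrequestbody"))
        limit = int(raw_limit) if raw_limit is not None else None
        msg = (f"<{tag} {arg}> sets SSLVerifyClient {verify} while <VirtualHost {vhost_arg}> "
               f"has SSLVerifyClient {vhost_verify}: the first request into this scope "
               f"renegotiates, so POST bodies over {SSL_MAX_IO_BUFFER} bytes get a 413")
        if limit is not None and limit > SSL_MAX_IO_BUFFER:
            msg += f"; LimitRequestBody {limit} does not raise that cap"
        findings.append(Finding(vhost_arg, f"{tag} {arg}", verify.lower(), limit, msg))
    return findings


# Constructed sample: the pattern from the bug report (certificate required only under /soap).
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient none
    <Location /soap>
        SSLVerifyClient require
        LimitRequestBody 52428800
    </Location>
    <Location /public>
        LimitRequestBody 1048576
    </Location>
</VirtualHost>
"""

# Constructed sample: client certificates for the whole vhost, so no renegotiation is needed.
FIXED_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
    <Location /soap>
        LimitRequestBody 52428800
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        found = lint_ssl_verify_scopes(conf)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f.message)
```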

------- Additional Comments From nelchael@gentoo.org  2008-02-05 13:08 -------
Created an attachment (id=21473)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=21473&action=view)
httpd-2.2.8-ssl-io-buffer.patch

This patch adds an SSLMaximumBufferSize tunable; it is global for the whole module.
It defaults to 0, which means to use the default 128k limit.



rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|regression                  |enhancement






bugzilla@ronald.vankuijk.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugzilla@ronald.vankuijk.net




------- Additional Comments From bugzilla@ronald.vankuijk.net  2007-01-20 07:38 -------
We are currently in the process of getting this 'fixed' via Red Hat commercial
support (which we have). The fix of Peter Wagemans will probably be extended a
little and hopefully checked in.



------- Additional Comments From rocketraman@fastmail.fm  2007-07-15 10:25 -------
(In reply to comment #22)
> Perhaps the client-certificate SSL session times out or something, which
> forces httpd to renegotiate again? If so, this is yet another use case that
> supports adding a configurable per-location buffer directive.

I confirmed that the SSLSessionCacheTimeout affects renegotiation. Therefore, at
least for interactive applications where the upload form uses a GET request, I
believe this issue can be worked around by setting SSLSessionCacheTimeout to a
value at least as large as the application session timeout. The default of 300
on CentOS 5 was easily exceeded by a user who is uploading an attachment, while
also filling in associated description and other form fields before clicking Submit.

> As stated in the docs, "SSLVerifyClient optional" doesn't work for all
> clients (e.g. WebDAV on win2k for one).

Correction: I'm not sure about WebDAV on win2k working with optional or not --
the test I did earlier was incorrect. However, the point stands since I do not
want clients to be prompted for certificates anyway.



mbertheau@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|DUPLICATE                   |




------- Additional Comments From mbertheau@gmail.com  2006-04-08 10:28 -------
The fix to bug 12355 specifically led to this bug. This is not a duplicate.



rpluem@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From rpluem@apache.org  2006-04-07 23:12 -------


*** This bug has been marked as a duplicate of 12355 ***



------- Additional Comments From asfbugzilla@gnosys.biz  2007-03-03 09:01 -------
I'm hitting this limit too, using apache 2.2.3, built from a standard
Gentoo-based ebuild.

I'm using Apache here in this context as a front-end to Zope/Plone, and plone
offers the user the option of uploading content.  This content has no inherent
plone-based size limits.  So in my case, if I use SSL to secure my sites (which
I do), and I use Apache as a front-end, as described in several places in plone
documentation, two of which are here:
http://plone.org/documentation/tutorial/plone-apache
http://plone.org/documentation/how-to/apache-ssl

...and I upload large files, then I get nailed by this limit.  Has any further
work been done with this in 2.2?

What info is still needed to resolve this bug?



------- Additional Comments From asfbugzilla@gnosys.biz  2007-03-03 16:50 -------
Sorry.  I should have added above that there are no client certificates involved
in these uploads.  I'm not savvy enough about the internals of either apache or
plone to know, but I suppose that means it's possible that what I'm seeing is
not actually this bug, but the behavior of my systems matches the symptoms in
every way except for the involvement of client certificates, so to me that means
that if they are not the same, then they are at least very probably strongly
associated with each other.

When I upload files 128kb and smaller, it works as expected.  When I attempt to
upload files 129kb and larger, I get this:

Error message in browser:
Title: 413 Request Entity Too Large
Page: Request Entity Too Large
The requested resource
/Members/admin/portal_factory/Image/image.2007-03-03.9545920618/atct_edit
does not allow request data with POST requests, or the amount of data provided
in the request exceeds the capacity limit.

Error message in logs:
[Sat Mar 03 19:26:35 2007] [error] [client xxx.yyy.zzz.ttt] request body exceeds
maximum size for SSL buffer, referer:
https://www.example.com/Members/admin/portal_factory/Image/image.2007-03-03.9545920618/edit
[Sat Mar 03 19:26:35 2007] [error] [client xxx.yyy.zzz.ttt] could not buffer
message body to allow SSL renegotiation to proceed, referer:
https://www.example.com/Members/admin/portal_factory/Image/image.2007-03-03.9545920618/edit

I've spoken with someone on the plone list who's using RHEL and apache/ssl/plone
in the same manner that I am, and he reports not suffering from this problem. 
I'm not sure if he has any upper limit at all, or if the upper limit is simply
larger than 128kb.  I'm still talking with him.

I guess redhat has applied some sort of patch.  Does anyone know about that?  Is
it the same one mentioned in this bug report?  I'd like to have the limit (if it
must exist) be up in the 40-50 MB range myself.  If there's another patch,
perhaps someone could refer me to it?


gunchev@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gunchev@gmail.com

------- Additional Comments From asfbugzilla@gnosys.biz  2007-03-04 06:38 -------
[somewhat sheepishly]: After all the discussion, and rereading documentation and
config files and the bug report several times over, I noticed that my apache
server config file used the SSLVerifyClient Directive at level "optional" and
that the documentation states, "In practice only levels 'none' and 'require' are
really interesting, because level 'optional' doesn't work with all browsers".  I
was also using the SSLVerifyDepth Directive at a depth number of 1.

By commenting out these two directives, I solved the problem.

When I remarked earlier that client certificates were not involved at all, I
mistakenly considered only what was going on with the client, failing to
consider client certificate directives on the server. Apologies if I should have
thought of that sooner, and if I generated a lot of commotion over nothing.

p.c.c.wagemans@kpn.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |




------- Additional Comments From p.c.c.wagemans@kpn.com  2006-06-28 15:15 -------
There may be good functional reasons for POSTs larger than 128k and to
require client certificates only for access to certain URLs. And
asking for an optional client certificate at SSL connect bothers users
of other URLs with unnecessary prompts for client certificates that
they may not have and don't need (depending on the browser that they
use).

For us the hard-coded limit is still a problem.

> It would require to introduce disk buffering of the POST request
> body.

This is not clear to me. Where is the hard-coded limit of 128k coming
from?

Could the code not look at the value of the directive LimitRequestBody
and if it is set allow SSL request bodies of that size?

------- Additional Comments From jorton@redhat.com  2006-07-14 09:22 -------
I'm fairly reluctant to add a config directive for this.  I would be happy with
a "one size fits most" hard-coded limit if we could arrive at such a value; what
is your input on changing the limit to 256K?  Would that be sufficient or not?

Overloading LimitRequestBody for such a purpose is not acceptable, no - the
default is unlimited.

rocketraman@fastmail.fm changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rocketraman@fastmail.fm




------- Additional Comments From rocketraman@fastmail.fm  2007-07-15 09:47 -------
I am running httpd 2.2.3 on CentOS 5.

This problem also affects SugarCRM attachment uploads. The login page for
SugarCRM uses a GET request, so the renegotiation should be fine, but users
report that sometimes the attachment upload still fails with this error. Perhaps
the client-certificate SSL session times out or something, which forces httpd to
renegotiate again? If so, this is yet another use case that supports adding a
configurable per-location buffer directive.

I can find no work-around for this other than setting "SSLVerifyClient require"
at the virtual host level. However, we have good reasons to *not* set
"SSLVerifyClient require" at the virtual host level, since many of our SSL
services do not require client certs. As stated in the docs, "SSLVerifyClient
optional" doesn't work for all clients (e.g. WebDAV on win2k for one).

jorton@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO




------- Additional Comments From jorton@redhat.com  2006-07-11 14:42 -------
Well, the default could be bumped to 256K, that wouldn't be unreasonable.

But you should really design your site to ensure that the first request to a
client-cert-protected area is not a POST request with a large body; make it a
GET or something.  Any request body has to be buffered into RAM to handle this
case, so represents an opportunity to DoS the server.

To bump the limit you can build like:
 
   ./configure CPPFLAGS=-DSSL_MAX_IO_BUFFER=256000

Anybody for whom 128K is too small but 256K would be sufficient, please add a
comment here, to gauge interest in making that change.

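As an added example (not from this thread and not httpd's own code), the following Python script scans an httpd error_log for the two mod_ssl messages quoted in this report and groups the failed uploads by referer path, which is what an admin needs in order to find the entry points where the first request into the client-cert area is a large POST. The sample log entries, the client addresses and the /crm path are constructed; the regex assumes the 2.x error_log line format shown in the report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The two messages mod_ssl logs when a body arrives while a renegotiation
# (e.g. per-location SSLVerifyClient) is pending and exceeds SSL_MAX_IO_BUFFER.
SSL_BUFFER_MSGS = (
    "request body exceeds maximum size for SSL buffer",
    "could not buffer message body to allow SSL renegotiation to proceed",
)

# httpd 2.x error_log entry: [date] [error] [client ip] message, referer: url
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"(?P<msg>.*?)(?:, referer: (?P<referer>\S+))?$"
)

def parse_ssl_buffer_errors(lines):
    """Return one dict per log line carrying the SSL-buffer signature."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group("msg").startswith(SSL_BUFFER_MSGS):
            continue
        ref = m.group("referer")  # page that issued the oversized POST
        events.append({"ts": m.group("ts"), "client": m.group("client"),
                       "msg": m.group("msg"),
                       "path": urlsplit(ref).path if ref else None})
    return events

def paths_triggering_renegotiation(lines):
    """Count failed uploads per referer path (entry points whose first request
    into the client-cert area is a large POST); one count per upload."""
    counts = Counter()
    for ev in parse_ssl_buffer_errors(lines):
        # each failed upload logs both messages; count only the first one
        if ev["msg"].startswith(SSL_BUFFER_MSGS[0]) and ev["path"]:
            counts[ev["path"]] += 1
    return counts

# Constructed sample modelled on the entries quoted in the report above.
SAMPLE_LOG = [
    "[Sat Mar 03 19:26:35 2007] [error] [client 192.0.2.10] request body exceeds maximum size for SSL buffer, referer: https://www.example.com/Members/admin/portal_factory/Image/image.2007-03-03.9545920618/edit",
    "[Sat Mar 03 19:26:35 2007] [error] [client 192.0.2.10] could not buffer message body to allow SSL renegotiation to proceed, referer: https://www.example.com/Members/admin/portal_factory/Image/image.2007-03-03.9545920618/edit",
    "[Sat Mar 03 19:30:01 2007] [error] [client 192.0.2.11] request body exceeds maximum size for SSL buffer, referer: https://www.example.com/crm/index.php?module=Notes&action=EditView",
    "[Sat Mar 03 19:31:12 2007] [error] [client 192.0.2.12] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    for path, n in paths_triggering_renegotiation(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {path}")
```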
------- Additional Comments From p.c.c.wagemans@kpn.com  2006-07-17 09:25 -------
Here's an afterthought to the above patch to allow LimitRequestBody to
control the size of the SSL buffer. When doing this, it may be a good
idea to refer to the controlling directive in the error message and
change

"request body exceeds maximum size for SSL buffer"

into, for instance,

"request body exceeds maximum size for SSL buffer; try LimitRequestBody > 0"
