
List:       apache-httpd-bugs
Subject:    DO NOT REPLY [Bug 47055] New: SSLVerifyClient + Directory doesn't
From:       bugzilla () apache ! org
Date:       2009-04-20 12:10:24
Message-ID: bug-47055-7868 () https ! issues ! apache ! org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

           Summary: SSLVerifyClient + Directory doesn't use cache sessions
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: HP
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mike.pechkin@gmail.com


1. Simple httpd.conf:

LoadModule ssl_module modules/mod_ssl.so
<skip>
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:log/ssl_scache(512000)
SSLMutex default 
<skip>
<VirtualHost 172.25.16.86:8443>
    ServerAdmin kuku@parks.lv
    ServerName redhat1-mp.parks.lv
    DocumentRoot "/mihailp1/www-secure"

    SSLEngine on
    SSLCertificateKeyFile "/root/redhat1-mp-ca/redhat1-mp.key"
    SSLCertificateFile  "/root/redhat1-mp-ca/redhat1-mp.crt"
    SSLCACertificateFile "/root/redhat1-mp-ca/redhat1-mp-ca.crt"

    <Directory /mihailp1/www-secure/s>
    SSLVerifyDepth 3
    SSLVerifyClient require
    SSLOptions +OptRenegotiate
    </Directory>

    ErrorLog  "logs/secure-error_log"
    CustomLog "logs/secure-access_log" common
</VirtualHost>

2. Simple user auth, cert imported into the browser.
3. If I access the URL https://redhat1-mp.parks.lv:8443/s/test.txt,
the browser opens a pop-up window to select which cert to use.

The problem is that the browser opens the pop-up window for every request; it doesn't use
the cache. So I see only SET requests:
[Mon Apr 20 14:59:36 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=DA696786BAFAD9ED6DF78942C7B98C3771A4614DF693ED9DF7EB10B619419ABC timeout=299s (session caching)

The problem appears starting with openssl 0.9.8f; here is the CHANGELOG entry:
  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes).  Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set.  This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

4. Check the diff between 0.9.8e and 0.9.8f for
ssl_sess.c:ssl_get_prev_session(). If I copy this function from the 0.9.8e version,
apache works as before.

5. It doesn't use SSL_CTX_set_session_id_context() in
ssl_engine_init.c:ssl_init_ctx_session_cache(), but it didn't help.

6. I have set up a test environment and can easily test and patch set.

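The symptom in this report is visible in the mod_ssl debug log: every handshake produces a "request=SET" line and no session id is ever followed by a "request=GET status=FOUND". The following is an added example, not part of the bug report or of httpd, that parses lines in the format shown above and reports which stored session ids were never successfully reused. The sample log lines, the second and third session ids, and the GET status=FOUND / status=MISSED wording are constructed for the example; it assumes mod_ssl writes one "Inter-Process Session Cache:" line per cache operation with request=, status= and id= fields.

```python
import re
from collections import defaultdict

# Constructed sample log (format taken from the report; ids after the first are made up).
SAMPLE_LOG = """\
[Mon Apr 20 14:59:36 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=DA696786BAFAD9ED6DF78942C7B98C3771A4614DF693ED9DF7EB10B619419ABC timeout=299s (session caching)
[Mon Apr 20 14:59:41 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF timeout=299s (session caching)
[Mon Apr 20 14:59:45 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=GET status=FOUND id=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF (session reuse)
[Mon Apr 20 14:59:48 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=GET status=MISSED id=AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 (session not found)
[Mon Apr 20 14:59:50 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE timeout=299s (session caching)
"""

# One regex for SET, GET and DELETE operations; the id is a hex string.
LINE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<req>SET|GET|DELETE)"
    r" status=(?P<status>\w+) id=(?P<id>[0-9A-Fa-f]+)"
)


def parse_cache_events(text):
    """Yield (request, status, session_id) for every session-cache line in the log."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("req"), m.group("status"), m.group("id")


def summarize(text):
    """Per session id, count stores, successful lookups, failed lookups and deletes."""
    stats = defaultdict(lambda: {"SET": 0, "GET_FOUND": 0, "GET_MISSED": 0, "DELETE": 0})
    for req, status, sid in parse_cache_events(text):
        if req == "SET":
            stats[sid]["SET"] += 1
        elif req == "GET":
            # Anything other than FOUND (MISSED, error) counts as a failed lookup.
            stats[sid]["GET_FOUND" if status == "FOUND" else "GET_MISSED"] += 1
        else:
            stats[sid]["DELETE"] += 1
    return dict(stats)


def never_reused_sessions(text):
    """Session ids that were stored (SET) but never looked up successfully (GET FOUND)."""
    return sorted(sid for sid, s in summarize(text).items()
                  if s["SET"] and not s["GET_FOUND"])


def reuse_ratio(text):
    """Fraction of stored session ids that were later found again; 0.0 means no caching works."""
    stats = summarize(text)
    stored = [sid for sid, s in stats.items() if s["SET"]]
    if not stored:
        return 0.0
    reused = sum(1 for sid in stored if stats[sid]["GET_FOUND"])
    return reused / len(stored)


if __name__ == "__main__":
    print("reuse ratio:", reuse_ratio(SAMPLE_LOG))
    for sid in never_reused_sessions(SAMPLE_LOG):
        print("stored but never reused:", sid)
```

On a log that shows only SET lines, as in the report, reuse_ratio() returns 0.0 and every id is listed as never reused; a healthy server with resuming clients shows a ratio well above zero, which makes this a quick check for whether a configuration change (such as moving SSLVerifyClient out of a Directory block) restored session reuse.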