httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 12355] - SSLVerifyClient directive in location make post to PHP script impossible
Date Tue, 08 Apr 2003 17:10:40 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355

SSLVerifyClient directive in location make post to PHP script impossible





------- Additional Comments From ekraar@banking.com  2003-04-08 17:10 -------
When configured for client certificate authentication, POST method fails after
KeepAlive timeout - if KeepAlive is disabled, POST method always fails. 
SSLOptions +OptRenegotiate does not fix the problem.

Server: Apache/2.0.45 (Unix) mod_ssl/2.0.45 OpenSSL/0.9.7a
AIX 4.3.3

I have tested IE 5.5, Netscape 4.8, Netscape 7, and Mozilla 1.3 - All browsers
seem to be affected.  Log files can be found below.

IE 5.5 generates a segfault of the child and a 302 error along with the general
symptoms - details of this can be found in the logs below.

--------------------------------------------------------------------------------------------------
Configuration excerpts:

KeepAlive On
KeepAliveTimeout 15

SSLSessionCache dbm:/var/adm/httpd.ssl.cache
SSLSessionCacheTimeout 300
SSLMutex file:/var/adm/httpd.ssl.mutex

<Directory /docs/clientcert>
	SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
	SSLVerifyClient require
	SSLVerifyDepth 2
	SSLRequire %{SSL_CLIENT_CERT} eq file("<certfile>") \
		or %{SSL_CLIENT_CERT} eq file("<certfile>")
	Order Deny,Allow
	Deny from all
	Allow from 1.1.1.1
</Directory>

--------------------------------------------------------------------------------------------------
HTML files used for testing:

$ cat index.html
<HTML>
<BODY>
Hello client cert

<FORM action=index2.html method=post>
<INPUT value="Post to index2.html" type=submit>
</FORM>

</BODY>
</HTML>

$ cat index2.html
<HTML>
<BODY>
Hello client cert - index2

<FORM action=index.html method=post>
<INPUT value="Post to index.html" type=submit>
</FORM>

</BODY>
</HTML>

--------------------------------------------------------------------------------------------------
VH access log:
2.2.2.2 - - [07/Apr/2003:14:23:57 -0700] "GET /clientcert/index.html HTTP/1.1"
200 140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3)
Gecko/20030312" GET /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:03 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:03 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:04 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:05 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:06 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:07 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:25:12 -0700] "POST /clientcert/index2.html HTTP/1.1"
405 244 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html -
"HTTP/1.1" (-)

VH error log:
[Mon Apr 07 14:25:12 2003] [error] SSL Re-negotiation in conjunction with POST
method not supported!
hint: try SSLOptions +OptRenegotiate

--------------------------------------------------------------------------------------------------
With Internet Explorer 5.5:

VH access log:
2.2.2.2 - - [07/Apr/2003:15:46:15 -0700] "GET /clientcert/ HTTP/1.1" 302 227 "-"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" GET /clientcert/ -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:16 -0700] "GET /clientcert/ HTTP/1.1" 200 140 "-"
"Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" GET
/clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:24 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/" "Mozilla/4.0 (compatible; MSIE
5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:25 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:26 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:27 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:28 -0700] "POST /clientcert/index2.html HTTP/1.1"
200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:29 -0700] "POST /clientcert/index.html HTTP/1.1"
200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html -
"HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:58 -0700] "POST /clientcert/index2.html HTTP/1.1"
405 244 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0
(compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html -
"HTTP/1.1" (-)

VH error log:
[Mon Apr 07 15:46:15 2003] [error] Re-negotiation handshake failed: Not accepted
by client!?
[Mon Apr 07 15:46:58 2003] [error] SSL Re-negotiation in conjunction with POST
method not supported!
hint: try SSLOptions +OptRenegotiate

Server error log:
[Mon Apr 07 15:46:16 2003] [notice] child pid 28262 exit signal Segmentation
fault (11)

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
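
The pattern visible in the logs above, as an added example (not part of the original bug comment and not Apache code): POSTs that follow the previous request within `KeepAliveTimeout` return 200, while the POST that arrives after a longer idle period returns 405 alongside the "SSL Re-negotiation in conjunction with POST method not supported" error. The sample lines are constructed from the report's Mozilla run (joined onto single lines, referer and user-agent dropped), and treating "client idle longer than the timeout" as "new connection" is an assumption, since the access log carries no connection id.

```python
import re
from datetime import datetime

# Constructed sample: access-log entries modelled on the report's Mozilla run,
# joined onto single lines and trimmed to the fields the check needs.
SAMPLE_LOG = """\
2.2.2.2 - - [07/Apr/2003:14:23:57 -0700] "GET /clientcert/index.html HTTP/1.1" 200 140
2.2.2.2 - - [07/Apr/2003:14:24:03 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144
2.2.2.2 - - [07/Apr/2003:14:24:07 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140
2.2.2.2 - - [07/Apr/2003:14:25:12 -0700] "POST /clientcert/index2.html HTTP/1.1" 405 244
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify_posts(log_text, keepalive_timeout=15):
    """Return (time, path, status, idle_seconds, fresh_connection) per POST.

    Assumption: the log has no connection id, so a request is treated as
    arriving on a fresh connection when the same client IP has been idle
    longer than KeepAliveTimeout (or has not been seen before).
    """
    last_seen = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped fragments and unrelated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        prev = last_seen.get(m["ip"])
        idle = None if prev is None else (ts - prev).total_seconds()
        fresh = idle is None or idle > keepalive_timeout
        last_seen[m["ip"]] = ts
        if m["method"] == "POST":
            results.append((m["ts"], m["path"], int(m["status"]), idle, fresh))
    return results

def renegotiation_suspects(log_text, keepalive_timeout=15):
    """POSTs that got 405 on what looks like a fresh connection."""
    return [r for r in classify_posts(log_text, keepalive_timeout)
            if r[2] == 405 and r[4]]

if __name__ == "__main__":
    for ts, path, status, idle, fresh in classify_posts(SAMPLE_LOG):
        print(ts, path, status, f"idle={idle}", "fresh" if fresh else "reused")
```

Run against a real access log, wrapped entries must first be rejoined onto one line each, and the `keepalive_timeout` argument should match the server's `KeepAliveTimeout`.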

