Date: 8 Apr 2003 17:10:40 -0000
Message-ID: <20030408171040.28220.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 12355] - SSLVerifyClient directive in location make post to PHP script impossible

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355

SSLVerifyClient directive in location make post to PHP script impossible

------- Additional Comments From ekraar@banking.com 2003-04-08 17:10 -------
When configured for client certificate authentication, POST method fails after KeepAlive timeout - if KeepAlive is disabled, POST method always fails. SSLOptions +OptRenegotiate does not fix the problem.

Server: Apache/2.0.45 (Unix) mod_ssl/2.0.45 OpenSSL/0.9.7a
AIX 4.3.3

I have tested IE 5.5, Netscape 4.8, Netscape 7, and Mozilla 1.3 - All browsers seem to be affected. Log files can be found below.

IE 5.5 generates a segfault of the child and a 302 error along with the general symptoms - details of this can be found in the logs below.
--------------------------------------------------------------------------------------------------
Configuration excerpts:

KeepAlive On
KeepAliveTimeout 15

SSLSessionCache dbm:/var/adm/httpd.ssl.cache
SSLSessionCacheTimeout 300
SSLMutex file:/var/adm/httpd.ssl.mutex

SSLOptions +StdEnvVars +ExportCertData +OptRenegotiate
SSLVerifyClient require
SSLVerifyDepth 2
SSLRequire %{SSL_CLIENT_CERT} eq file("") \
        or %{SSL_CLIENT_CERT} eq file("")
Order Deny,Allow
Deny from all
Allow from 1.1.1.1

--------------------------------------------------------------------------------------------------
HTML files used for testing:

$ cat index.html
Hello client cert

$ cat index2.html
Hello client cert - index2
--------------------------------------------------------------------------------------------------
VH access log:

2.2.2.2 - - [07/Apr/2003:14:23:57 -0700] "GET /clientcert/index.html HTTP/1.1" 200 140 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" GET /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:03 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:03 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:04 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:05 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:06 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:24:07 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:14:25:12 -0700] "POST /clientcert/index2.html HTTP/1.1" 405 244 "https://test.domain.com/clientcert/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312" POST /clientcert/index2.html - "HTTP/1.1" (-)

VH error log:

[Mon Apr 07 14:25:12 2003] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate

--------------------------------------------------------------------------------------------------
With Internet Explorer 5.5:

VH access log:

2.2.2.2 - - [07/Apr/2003:15:46:15 -0700] "GET /clientcert/ HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" GET /clientcert/ - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:16 -0700] "GET /clientcert/ HTTP/1.1" 200 140 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" GET /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:24 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:25 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:26 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:27 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:28 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:29 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140 "https://test.domain.com/clientcert/index2.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index.html - "HTTP/1.1" (-)
2.2.2.2 - - [07/Apr/2003:15:46:58 -0700] "POST /clientcert/index2.html HTTP/1.1" 405 244 "https://test.domain.com/clientcert/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" POST /clientcert/index2.html - "HTTP/1.1" (-)

VH error log:

[Mon Apr 07 15:46:15 2003] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Apr 07 15:46:58 2003] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate

Server error log:

[Mon Apr 07 15:46:16 2003] [notice] child pid 28262 exit signal Segmentation fault (11)
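
Added example (not part of the original bug report and not Apache httpd code): a Python heuristic that scans an access log for the symptom reported above, a POST answered with 405 on a connection that is new or has idled past KeepAliveTimeout. The sample lines are constructed in the report's log format, client 3.3.3.3 is invented, and treating "gap greater than the timeout" as a fresh connection is an assumption.

```python
import re
from datetime import datetime

KEEPALIVE_TIMEOUT = 15  # seconds; KeepAliveTimeout from the report's configuration

# Constructed sample lines modelled on the access log format in the report.
SAMPLE_LOG = """\
2.2.2.2 - - [07/Apr/2003:14:24:06 -0700] "POST /clientcert/index2.html HTTP/1.1" 200 144
2.2.2.2 - - [07/Apr/2003:14:24:07 -0700] "POST /clientcert/index.html HTTP/1.1" 200 140
2.2.2.2 - - [07/Apr/2003:14:25:12 -0700] "POST /clientcert/index2.html HTTP/1.1" 405 244
3.3.3.3 - - [07/Apr/2003:14:25:13 -0700] "POST /clientcert/index.html HTTP/1.1" 405 244
3.3.3.3 - - [07/Apr/2003:14:25:20 -0700] "GET /clientcert/index.html HTTP/1.1" 200 140
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_renegotiation_failures(log_text, timeout=KEEPALIVE_TIMEOUT):
    """Return (host, path, idle_seconds) for POSTs answered 405 on a fresh connection.

    A request counts as arriving on a fresh connection when it is the client's
    first request in the log (idle_seconds is None) or follows that client's
    previous request by more than `timeout` seconds.
    """
    last_seen = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        prev = last_seen.get(m["host"])
        gap = (ts - prev).total_seconds() if prev is not None else None
        last_seen[m["host"]] = ts
        fresh = gap is None or gap > timeout
        if m["method"] == "POST" and m["status"] == "405" and fresh:
            findings.append((m["host"], m["path"], gap))
    return findings


if __name__ == "__main__":
    for host, path, gap in find_renegotiation_failures(SAMPLE_LOG):
        print(f"{host} POST {path} -> 405 after idle gap: {gap}")
```

Each hit can then be matched by timestamp against the virtual host error log for the "SSL Re-negotiation in conjunction with POST method not supported!" message.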