httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav
Date Mon, 26 Mar 2007 23:50:26 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41911>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

------- Additional Comments From seth@psydpu.adsl.dk  2007-03-26 16:50 -------
Thank you for your detailed analysis.  

I am using Konqueror 3.5.6  (from KDE) as client, where it is possible
to use webdavs:// or https:// as a URL.

I was not able to reproduce the problem today. I suspect/believe the 
explanation is that the certificates were being cached by Konqueror.
I had suspected this problem, before submitting my report, and therefore
tried both to restart the server and open a "new" Konqueror.  However, I 
believe that I did not close ALL the open Konqueror clients, and that seems to
be the source of the problem I reported.  (I more or less repeated such an 
experiment today -- that is, I could reproduce the problem that I reported, but 
I now understand that the problem is with the client and not Apache).

While you have your test set up, I would like to ask a related question.  In 
your first setup, if you (a) try to access /test/subdir with (b) a 'DE' 
certificate, then (c) you will see that it is *impossible* because 

 [info] Access to /disk/apache/apache2/htdocs/test/subdir/ for 123.456.789.123
(requirement expression not fulfilled)
 [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"

That is, the SSLRequire from Directory cascades to test/subdir (as it is 
supposed to), but this makes it impossible then for a person with only a DE 
certificate to get access to the subdirectory.

I am able to reliably repeat that problem.

As best as I can tell, this cannot be overcome with a special Boolean 
combination to SSLRequire, and the way Apache is currently designed, there does 
not seem to be any possibility to override this behavior.  

Is there a good reason to maintain that behavior?  Maybe it should be an 
enhancement request to allow the possibility to turn off or override 
the "directory cascade"?

