httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 48228] New: Renegocation requires multiple client authentication on mod_autoindex listings
Date Wed, 18 Nov 2009 17:27:16 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228

           Summary: Renegocation requires multiple client authentication
                    on mod_autoindex listings
           Product: Apache httpd-2
           Version: 2.2.13
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jmdesp@gmail.com


Created an attachment (id=24558)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24558)
The error log with LogLevel debug

After connecting to a URL without client authentication, connecting to a URL
that requires it and lists the content of a directory using mod_autoindex
starts an SSL renegotiation several times instead of only once.

Reloading that page starts the SSL renegotiation again.

The reproduction procedure is almost the same as for bug 48215.
I changed the SSLVerifyDepth location, and switched to NULL encryption to make
analyzing the SSL traffic easier (despite having the key, tshark sometimes fails
to decrypt).

- edit the default httpd.conf and add/replace the following in the default
configuration:
Listen *:443

LoadModule ssl_module modules/mod_ssl.so
LoadModule autoindex_module modules/mod_autoindex.so

SSLSessionCache        "shmcb:${path}/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  3000
SSLCipherSuite NULL+RSA+SHA1
# Use this instead if you don't need the clear text traffic 
# SSLCipherSuite AES+RSA+SHA1

NameVirtualHost *:443
<VirtualHost *:443>
   SSLEngine On 
   SSLCertificateFile "${path}/apache/conf/authentication.cer"
   SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
   SSLVerifyDepth 0
   <Location /authentication/>
    SSLVerifyClient optional_no_ca
   </Location>
   DocumentRoot "${path}/www"
</VirtualHost>
- create a index.html file in /www
    <html><head><title> authentication test </title></head>
    <body>authentication test<hr>
    <a href="/authentication" >authentication link</a>
    </body></html>
- create /www/authentication
- create 10 files inside authentication 1.html through 10.html, the content of
the files is not important
- If you have the NULL cipher suite configured:
    Inside firefox, in about:config, set security.ssl3.rsa_null_sha to true
(you'll need to set this value to false again later for security)
- connect firefox to /
- follow the link on the page to /authentication
- You'll need a client certificate (a sample p12 is included in the repro
files)
- Have the "remember certificate" option unchecked
- Apache will immediately request authentication a second time
- Reload the page with the reload button 
- Apache will request authentication again two times in a row (in bug 48215,
reloading the page does not cause the same problem)

The big plus of NULL encryption is that with it, the "(BIO dump follows)" output
in error_log shows all the HTTP traffic in the clear.
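The symptom above (several renegotiations for one page load, and again on
reload) is easiest to confirm from the attached LogLevel debug error_log rather
than from the browser. The script below is an added example, not part of this
bug report or of httpd: it parses 2.2-style error_log lines, picks out mod_ssl's
"Requesting connection re-negotiation" debug message (assumed here to be the
2.2 wording; the source line numbers in ssl_engine_kernel.c(...) and the sample
log lines are constructed) and reports bursts of renegotiation requests from
one client that occur closer together than a single page load could explain.

```python
"""Count mod_ssl renegotiation requests per client in an httpd 2.2 error_log.

Added example, not part of the bug report or of httpd. It assumes the
LogLevel debug wording of httpd 2.2 mod_ssl ("Requesting connection
re-negotiation", logged from ssl_engine_kernel.c) and the 2.2 error_log line
layout; the source line numbers and the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 2.2-style line: [timestamp] [level] source(line): [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:(?P<src>\S+\(\d+\)): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
RENEG_MSG = "Requesting connection re-negotiation"

# Constructed sample: one client gets three renegotiations within a second
# (the reported symptom), another client gets the expected single one.
SAMPLE_LOG = """\
[Wed Nov 18 18:06:10 2009] [info] Initial (No.1) HTTPS request received for child 0 (server localhost:443)
[Wed Nov 18 18:06:13 2009] [debug] ssl_engine_kernel.c(600): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:06:13 2009] [debug] ssl_engine_kernel.c(700): [client 127.0.0.1] Performing full renegotiation handshake for client
[Wed Nov 18 18:06:14 2009] [debug] ssl_engine_kernel.c(600): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:06:14 2009] [debug] ssl_engine_kernel.c(600): [client 127.0.0.1] Requesting connection re-negotiation
[Wed Nov 18 18:06:40 2009] [debug] ssl_engine_kernel.c(600): [client 10.0.0.5] Requesting connection re-negotiation
"""


def parse_renegotiations(log_text):
    """Return [(timestamp, client)] for every renegotiation request, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # startswith: real lines may carry a trailing ", referer: ..." suffix
        if not m or not m.group("msg").startswith(RENEG_MSG):
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((ts, m.group("client") or "?"))
    return events


def count_per_client(events):
    """Total renegotiation requests per client address."""
    counts = defaultdict(int)
    for _, client in events:
        counts[client] += 1
    return dict(counts)


def find_bursts(events, window=timedelta(seconds=2)):
    """Group renegotiation requests from the same client that fall within
    `window` of the previous one. A burst with count > 1 is the symptom the
    report describes: one page load should need at most one renegotiation."""
    bursts = []
    open_burst = {}  # client -> index into bursts of its current burst
    for ts, client in events:
        idx = open_burst.get(client)
        if idx is not None and ts - bursts[idx]["end"] <= window:
            bursts[idx]["end"] = ts
            bursts[idx]["count"] += 1
        else:
            bursts.append({"client": client, "start": ts, "end": ts, "count": 1})
            open_burst[client] = len(bursts) - 1
    return [b for b in bursts if b["count"] > 1]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    evs = parse_renegotiations(text)
    print("renegotiations per client:", count_per_client(evs))
    for b in find_bursts(evs):
        print(f"{b['client']}: {b['count']} renegotiations between "
              f"{b['start']} and {b['end']}")
```

Run it as `python3 reneg_bursts.py error_log` against the attached log; with no
argument it runs over the constructed sample. The 2-second window is a
heuristic for "same page load": widen it if the client is slow to present its
certificate, and cross-check suspicious bursts against the cleartext GET lines
in the BIO dump to see which request each renegotiation belongs to.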

