httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45801] SSLRequireSSL with strictrequire and satisfy any does not behave as expected
Date Fri, 03 Feb 2012 09:55:53 GMT

Stefan Fritsch changed:

           What    |Removed                     |Added
           Severity|enhancement                 |normal

--- Comment #5 from Stefan Fritsch 2012-02-03 09:55:53 UTC ---
I think the bug here is that ssl_hook_Access runs as APR_HOOK_MIDDLE while it
should run at APR_HOOK_FIRST (or even REALLYFIRST). ssl_hook_Access provides
information (in the ssl-access-forbidden request note) that is used later by
other hooks if StrictRequire is set. Therefore it is important that
ssl_hook_Access is always run.

Another example: With this test config:

SSLOptions +StrictRequire
<Directory /opt/apache22/htdocs/test/strictrequire>
    AuthBasicProvider       file
    AuthName                "strict require test"
    AuthType                basic
    AuthUserFile            conf/users
    Require user admin
    Satisfy any
    Deny from all
    allow from
    SSLRequire %{HTTP_REFERER} == "foo"
</Directory>

If I make a request where neither SSLRequire nor the ip restriction is
fulfilled, it depends on the load order of mod_ssl and mod_authz_host whether I
get a "Forbidden" or an "Authorization Required". Different behavior depending
on the load order is always a bug, IMHO.

SSLRequire and SSLRequireSSL are equivalent with respect to this bug because
they are both checked in ssl_hook_Access.

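The load-order dependence described in the comment above, as an added example: a simplified C model, not code from httpd or from the bug report. It assumes that access-checker hooks run in order and stop at the first failure, and that with Satisfy any a failed access check falls through to the user check; all function names are hypothetical stand-ins for the module hooks.

```c
#include <stdio.h>

/* Simplified model of the request phases named in the comment.
 * Assumptions (not code from httpd): access-checker hooks run in order,
 * the run stops at the first hook that fails, and with "Satisfy any" a
 * failed access check falls through to the user check. */
enum { OK = 0, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };

struct request { int ssl_access_forbidden; };   /* the request note */
typedef int (*access_hook)(struct request *);

/* Stand-in for ssl_hook_Access: SSLRequire fails, so set the note and deny. */
static int ssl_access(struct request *r)
{
    r->ssl_access_forbidden = 1;
    return HTTP_FORBIDDEN;
}

/* Stand-in for mod_authz_host: "Deny from all", client IP not allowed. */
static int authz_host_access(struct request *r) { (void)r; return HTTP_FORBIDDEN; }

/* User check: with StrictRequire the note forces 403, else ask for credentials. */
static int user_check(const struct request *r, int strict_require)
{
    if (strict_require && r->ssl_access_forbidden)
        return HTTP_FORBIDDEN;
    return HTTP_UNAUTHORIZED;       /* the request carries no credentials */
}

/* Process one request under "Satisfy any"; hooks[] is in hook run order. */
int handle_satisfy_any(access_hook *hooks, int n, int strict_require)
{
    struct request r = { 0 };
    int status = OK;
    for (int i = 0; i < n && status == OK; i++)
        status = hooks[i](&r);      /* first failure ends the run */
    return status == OK ? OK : user_check(&r, strict_require);
}

int ssl_first(void)   { access_hook h[] = { ssl_access, authz_host_access }; return handle_satisfy_any(h, 2, 1); }
int authz_first(void) { access_hook h[] = { authz_host_access, ssl_access }; return handle_satisfy_any(h, 2, 1); }

int main(void)
{
    printf("ssl access hook first:  %d\n", ssl_first());
    printf("authz_host hook first:  %d\n", authz_first());
    return 0;
}
```

In this model, running the SSL access hook ahead of the other access checkers, as the comment proposes with APR_HOOK_FIRST, makes the note available to the user check regardless of load order.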