httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52630] Firefox can't access SSL websites with client authentication and when using a symlink to a directory of CA certs
Date Sat, 18 Feb 2012 01:18:40 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52630

Christoph Anton Mitterer <calestyo@scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #9 from Christoph Anton Mitterer <calestyo@scientia.net> 2012-02-18 01:18:40 UTC ---
Reopening as the issue is still there as described in previous posts.

Analogous to #52631:
First, please don't blindly close my bugs just because YOU cannot reproduce them
immediately.
If I'd abandon a bug report and wouldn't answer on it for a longer time (>
weeks) then it's OK to do this without being impolite.


The same here, I can offer you my config.

Further, I'm not 100% sure this is an Apache bug,... it's just the logical
starting point in the search.


I did an strace now as you suggested,... actually it seems to try opening the
files, but now the big surprise:
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/1149214e.r0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/dd4b34ea.r0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/7ecb2657.namespaces", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/30ffc224.r0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/DFN-GridGermany-Root.namespaces", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/DFN-GridGermany-Root.pem", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/1149214e.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/7ecb2657.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/30ffc224.0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/7ecb2657.0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/DFN-GridGermany-Root.info", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/7ecb2657.r0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.pem", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/1149214e.0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.namespaces", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/dd4b34ea.namespaces", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.info", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/30ffc224.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.crl_url", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/dd4b34ea.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/dd4b34ea.0", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/30ffc224.namespaces", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/DFN-GridGermany-Root.crl_url", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/DFN-GridGermany-Root.signing_policy", O_RDONLY) = 19
open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/1149214e.namespaces", O_RDONLY) = 19


Picked out two CAs here, DFN-GridGermany-Root and GermanGrid, as well as their
respective openssl hash filenames, in both, old and new hash format.

Content _is_ actually read, e.g.:

open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/GermanGrid.pem", O_RDONLY) = 19
fstat(19, {st_mode=S_IFREG|0644, st_size=1631, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fec67cc9000
read(19, "-----BEGIN CERTIFICATE-----\nMIIE"..., 4096) = 1631
read(19, "", 4096)                      = 0
close(19)                               = 0
munmap(0x7fec67cc9000, 4096)            = 0

or

open("/etc/apache2/pki/virtual-hosts/lcg-lrz-monitoring.grid.lrz.de/client.acceptable-CA-DNs.crt.d/dfb080e4.r0", O_RDONLY) = 19
fstat(19, {st_mode=S_IFREG|0644, st_size=5325, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fec67cc9000
read(19, "-----BEGIN X509 CRL-----\nMIIPNTC"..., 4096) = 4096
read(19, "TE5MTRaMBMCAgb/Fw0wODA1\nMTYxNTE5"..., 4096) = 1229
read(19, "", 4096)                      = 0
read(19, "", 4096)                      = 0
close(19)                               = 0


What's weird is that ALL FILEs are read...
Not only the .0 and .r0 files (and their symlink targets) but also .info,
.crl_url, .namespaces, etc.
Also it seems that files in both openssl hash formats are opened, old and new.

For some files I compared the number of read bytes (from strace) with their
size... it seems all are fully read.


I also did the same strace, when specifying the absolute path
(/etc/grid-security/certificates/ ...
Basically the same seems to happen there,... same files read,.. same sizes...
just that the SSL handshake works.

Any further ideas?

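The check described in the comment above (bytes returned by read() compared with the file's st_size, and whether an opened name is an OpenSSL hash name), as an added Python example that is not part of the original message or of httpd. The /ca.d paths and the .info entry are constructed; the two other sizes are the ones quoted in the report, and the parser assumes plain strace output using open()/fstat()/read() as shown there.

```python
import re
# Constructed sample shaped like the trace above; the .info entry is made up.
SAMPLE = r'''
open("/ca.d/GermanGrid.pem",
O_RDONLY) = 19
fstat(19, {st_mode=S_IFREG|0644, st_size=1631, ...}) = 0
read(19, "-----BEGIN CERTIFICATE-----\nMIIE"..., 4096) = 1631
close(19)                               = 0
open("/ca.d/dfb080e4.r0", O_RDONLY) = 19
fstat(19, {st_mode=S_IFREG|0644, st_size=5325, ...}) = 0
read(19, "-----BEGIN X509 CRL-----\nMIIPNTC"..., 4096) = 4096
read(19, "TE5MTRaMBMCAgb/Fw0wODA1\nMTYxNTE5"..., 4096) = 1229
close(19)                               = 0
open("/ca.d/GermanGrid.info", O_RDONLY) = 19
fstat(19, {st_mode=S_IFREG|0644, st_size=300, ...}) = 0
read(19, "alias = GermanGrid\n"..., 4096) = 120
close(19)                               = 0
'''

CALL = re.compile(r'\b(open|fstat|read)\((.*)\)\s*=\s*(-?\d+)')
HASHED = re.compile(r'\.r?\d+$')  # OpenSSL hash names: <hash>.0, <hash>.r0

def unwrap(text):
    """Rejoin syscall lines that the mailer wrapped before '= result'."""
    buf = ""
    for line in text.splitlines():
        buf = (buf + " " + line.strip()).strip()
        if re.search(r'\)\s*=\s*\S', buf):
            yield buf
            buf = ""

def audit(text):
    """Map each opened path to [st_size, bytes_read, has_hash_name]."""
    fds, out = {}, {}
    for m in filter(None, map(CALL.search, unwrap(text))):
        call, args, ret = m.group(1), m.group(2), int(m.group(3))
        if call == "open":
            if ret >= 0:  # fd numbers are reused, so the latest open wins
                fds[ret] = path = args.split('"')[1]
                out[path] = [None, 0, bool(HASHED.search(path))]
            continue
        rec = out.get(fds.get(int(args.split(",")[0])), [None, 0, False])
        if call == "fstat" and "st_size=" in args:
            rec[0] = int(re.search(r"st_size=(\d+)", args).group(1))
        elif call == "read":
            rec[1] += max(ret, 0)
    return out

def short_reads(report):
    return [p for p, (size, got, _) in report.items() if size != got]
```

Running `audit()` over the trace taken with the symlinked directory and over the one taken with the absolute path, then comparing the two reports, shows whether the set of files read or their byte counts differ between the two cases.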