From: bugzilla@apache.org
To: docs@httpd.apache.org
Subject: DO NOT REPLY [Bug 52644] New: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
Date: Sun, 12 Feb 2012 03:39:27 +0000

https://issues.apache.org/bugzilla/show_bug.cgi?id=52644

Bug #: 52644
Summary: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
Product: Apache httpd-2
Version: 2.2.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: docs@httpd.apache.org
ReportedBy: calestyo@scientia.net
Classification: Unclassified

Hi.

Could you please share some light (and add to the documentation at
https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) if and how
mod_ssl's FakeBasicAuth feature works with the following:

a) Special characters
A certificate's DN can contain basically _ANY_ character, including “:”, “/”,
“ ”, “"” or any weird Unicode character from any script.

As far as I can see this could affect us at least in the following places:
- user file
There at least the colon seems to have the special meaning of separating the
username from the password, e.g.:
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer:$apr1$7DksooGS$Mz9EkgYft12dREFb1gk8b.
Maybe “$”, “.” or the other characters mentioned above have also special
meanings?!

Given that this is really security relevant, could you please document whether
all this is _always_ safe for any characters in the DN or not?!
Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$
and the matching must be "greedy" (i.e. the _last_ “:”) must be matched.

b) DNs in group files
Here things seem to be even more weird. DNs typically contain “ ” characters
(spaces). The space however is the separation character in the group files.
I found out that quoting the DN with “"” seems to work. This is however not
(yet) documented.
Further,.. is this safe?
I mean, DNs could be made up tricky, containing “"” or “:” to confuse the
parsing of the group files. This could even be a security problem.

Cheers,
Chris.
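
Added example, not part of the original bug report and not httpd's own parsing code: an audit sketch for a FakeBasicAuth user file that flags entries whose user name depends on whether a parser splits at the first or the last colon, and lists the delimiter characters from points a) and b) that occur inside each DN. The sample lines, DNs, hashes and all function names are constructed for illustration.

```python
import re

# Constructed sample user-file lines in "DN:hash" form; the DNs and hashes
# are placeholders, not values from the report.
SAMPLE_USERFILE = [
    "/C=DE/O=Example/CN=Alice Example:$apr1$placeholder$hashA",
    "/C=DE/O=Example/CN=svc:backup:$apr1$placeholder$hashB",
]

# Characters the report names as delimiters: ':' (user and group files),
# '"' (group-file quoting) and ' ' (group-file member separator).
DELIMITERS = (":", '"', " ")


def split_first(line):
    """Split user from password at the FIRST colon."""
    user, _, password = line.partition(":")
    return user, password


def split_last(line):
    """Split at the LAST colon, as the greedy regexp ^(.*):(.*)$ does."""
    match = re.match(r"^(.*):(.*)$", line)
    return match.group(1), match.group(2)


def audit_userfile(lines):
    """Return (line number, first-colon user, last-colon user) for every
    line whose user name depends on which colon the parser picks."""
    findings = []
    for number, line in enumerate(lines, 1):
        if ":" not in line:
            continue  # no separator at all; nothing to compare
        first_user, last_user = split_first(line)[0], split_last(line)[0]
        if first_user != last_user:
            findings.append((number, first_user, last_user))
    return findings


def delimiter_collisions(dn):
    """List the delimiter characters that occur inside a DN."""
    return [char for char in DELIMITERS if char in dn]


if __name__ == "__main__":
    for number, first_user, last_user in audit_userfile(SAMPLE_USERFILE):
        print(f"line {number}: ambiguous user {first_user!r} vs {last_user!r}")
    for line in SAMPLE_USERFILE:
        dn = split_last(line)[0]
        print(f"{dn!r}: contains {delimiter_collisions(dn)}")
```

Any line reported by audit_userfile identifies two different users depending on the parser, so such DNs need to be checked against the server's actual behaviour before they are relied on for access control.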