httpd-users mailing list archives

From Christoph Anton Mitterer <cales...@scientia.net>
Subject Re: [users@httpd] SSL+SNI+client-auth fakeBasicAuth "lost" after some time
Date Sun, 19 Feb 2012 03:17:18 GMT
Hi Eric.

On 19.02.2012 01:21, Eric Covener wrote:
> What about LogLevel debug
Attached are fresh error logs with LogLevel debug.
From the default and non-default vhost (the latter is where the actual 
site, as you can see Icinga, runs).
For both cases, split up into the 1st access (after I freshly started the 
browser), which worked, and the 2nd (some 10 minutes later), which 
then failed.

I stripped out all crypto material, if you'd need that please tell me, 
then I'll have to set up a fake-CA and certs.


> or the access log?
That one is small and particularly boring so I paste it here:
The LogFormat is:
"%{%x %X}t> %A:%p %h; %u %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x 
\"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_I_DN}x\" %{SSL_CLIENT_M_SERIAL}x; 
\"%r\" %s
%>s; %I %O %D; \"%{Host}i\" \"%{Referer}i\" \"%{User-Agent}i\""

This is all from the non-default name based vhost... the default one's 
is empty.

1st access with success:
02/19/12 03:30:35> 129.187.131.227:443 91.8.45.224; 
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 
"/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" 
"/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET 
/icinga/classic/images/interface/menu_blank.gif HTTP/1.1" 200 200; 538 
426 459; "lcg-lrz-monitoring.grid.lrz.de" 
"https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/stylesheets/interface/menu.css" 
"Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 
Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 03:30:35> 129.187.131.227:443 91.8.45.224; 
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 
"/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" 
"/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET 
/icinga/classic/images/interface/menu_less.gif HTTP/1.1" 200 200; 506 
410 442; "lcg-lrz-monitoring.grid.lrz.de" 
"https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/menu.html" 
"Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 
Firefox/10.0.2 Iceweasel/10.0.2"

2nd access (after 10 minutes) with failure:
02/19/12 03:40:50> 129.187.131.227:443 91.8.45.224; - NONE - "-" "-" -; 
"GET /icinga/classic/ HTTP/1.1" 403 403; 1158 3564 548; 
"lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; 
rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"


So it seems a bit like this:

On the 1st access everything works.
Then something bad happens somewhere, either in the browsers, or Apache, 
or perhaps there are even some OpenSSL contexts kept open?!

2nd access:
I get an error that no SNI hostname was provided, but 
still, the output appears in the log file of the non-default name-based 
vhost; strange, isn't it?

And I have:
SSLStrictSNIVHostCheck on
so I'd expect any access to fail if no SNI hostname was 
provided.

The access log (still the one of the non-default name-based vhost) 
shows the failed access...
SSL client auth seems to be lost ("NONE"), which is also the reason why 
the FakeBasicAuth doesn't work anymore.

But why all this? (Again, happens with Firefox and Chromium)




> What's in a decrypted packet trace?
What exactly do you mean and how can I get this?


Thanks,
Chris.
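A defender-side way to spot the symptom discussed in this thread from the access log alone is to parse the custom LogFormat quoted above and flag requests where SSL_CLIENT_VERIFY drops from SUCCESS to something else for the same client on the same vhost. The following is an added example, not code from the thread or from httpd; the two sample lines are the success and failure entries from the message re-joined onto single lines, and the field names and the MM/DD/YY timestamp layout are assumptions derived from that LogFormat.

```python
import re
from datetime import datetime

# Field order follows the LogFormat quoted in the message. %u is the unquoted
# client-certificate DN when FakeBasicAuth is active, so it may contain spaces;
# the pattern therefore anchors on the SSL_CLIENT_VERIFY keyword that follows it.
LINE_RE = re.compile(
    r'^(?P<ts>[^>]+)> (?P<server>[^:\s]+):(?P<port>\d+) (?P<client>[^\s;]+); '
    r'(?P<user>.*?) (?P<verify>SUCCESS|NONE|GENEROUS|FAILED\S*) (?P<cert_ver>\S+) '
    r'"(?P<subject>[^"]*)" "(?P<issuer>[^"]*)" (?P<serial>[^\s;]+); '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<final_status>\d+); '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<usec>\d+); '
    r'"(?P<host>[^"]*)" "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %{%x %X}t rendered as MM/DD/YY HH:MM:SS in the quoted log (assumed C locale)
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S")
    return rec

def find_lost_client_auth(lines):
    """Per (client IP, Host), report requests where verify fell from SUCCESS to anything else."""
    last_ok = {}
    events = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["client"], rec["host"])
        if rec["verify"] == "SUCCESS":
            last_ok[key] = rec
        elif key in last_ok:
            events.append({
                "client": rec["client"],
                "verify": rec["verify"],
                "status": int(rec["final_status"]),
                "request": rec["request"],
                "seconds_since_last_ok": (rec["time"] - last_ok[key]["time"]).total_seconds(),
            })
    return events

# Constructed sample: the success and failure lines from the message, each re-joined onto one line.
SAMPLE = [
    '02/19/12 03:30:35> 129.187.131.227:443 91.8.45.224; /C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 "/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" "/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET /icinga/classic/images/interface/menu_blank.gif HTTP/1.1" 200 200; 538 426 459; "lcg-lrz-monitoring.grid.lrz.de" "https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/stylesheets/interface/menu.css" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"',
    '02/19/12 03:40:50> 129.187.131.227:443 91.8.45.224; - NONE - "-" "-" -; "GET /icinga/classic/ HTTP/1.1" 403 403; 1158 3564 548; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"',
]
```

Running `find_lost_client_auth(SAMPLE)` yields one event for 91.8.45.224 with verify NONE, final status 403 and 615 seconds since the last successful client-cert request, which is exactly the 10-minute gap the message describes.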


