httpd-users mailing list archives

From Christoph Anton Mitterer <cales...@scientia.net>
Subject Re: [users@httpd] SSL+SNI+client-auth fakeBasicAuth "lost" after some time
Date Sun, 19 Feb 2012 17:28:32 GMT
On Sun, 2012-02-19 at 09:04 -0500, Eric Covener wrote:
> You should be able to confirm in a packet capture or by logging
> %{SSL_TLS_SNI}e.

(after the first ";" you see the SNI host)

02/19/12 17:57:35> 129.187.131.227:443 188.174.212.187; lcg-lrz-monitoring.grid.lrz.de /C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 "/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" "/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET /icinga/classic/images/interface/menu_less.gif HTTP/1.1" 200 200; 506 410 447; "lcg-lrz-monitoring.grid.lrz.de" "https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/menu.html" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 17:59:05> 129.187.131.227:443 188.174.212.187; - - NONE - "-" "-" -; "GET /cgi-bin/icinga/tac.cgi?tac_header HTTP/1.1" 403 403; 1174 3580 211; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 17:59:05> 129.187.131.227:443 188.174.212.187; - - NONE - "-" "-" -; "GET /cgi-bin/icinga/tac.cgi HTTP/1.1" 403 403; 1158 3580 161; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"


So it actually seems as if the browser would "forget" to send the SNI
host name... and moreover, the client auth, too? I thought that this
would then really lead to an SSL error and not to a 403.


So what do you suggest,... reporting this against Firefox and Chrome?


Chris.
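
Added example, not part of the original message or of httpd: a Python script that runs the check suggested in the quoted reply over an access log, flagging entries where a Host header arrived but no SNI name was logged, together with the client-verify result and the time the same client last sent SNI. The field layout is inferred from the entries quoted above (the LogFormat itself is not shown in the message), and the sample entries are constructed.

```python
import re

# Field layout assumed from the entries quoted in the message (the LogFormat
# itself is not shown): the first token after the first ";" is
# %{SSL_TLS_SNI}e; the first quoted string after the byte counts is Host.
ENTRY = re.compile(
    r'^(?P<ts>\S+ \S+)> (?P<server>\S+) (?P<client>[^;\s]+); '
    r'(?P<sni>\S+) (?P<ssl>.*?); '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \d{3}; '
    r'[\d ]+; "(?P<host>[^"]*)"')
# Values mod_ssl sets in SSL_CLIENT_VERIFY.
VERIFY = re.compile(r'(?<!\S)(SUCCESS|NONE|GENEROUS|FAILED:\S+)(?!\S)')

def parse(line):
    """Return the fields of one log entry as a dict, or None if it does not match."""
    m = ENTRY.match(line)
    if not m:
        return None
    e = m.groupdict()
    v = VERIFY.search(e.pop("ssl"))
    e["verify"] = v.group(1) if v else "-"
    return e

def sni_dropouts(lines):
    """Entries that carried a Host header but logged no SNI name."""
    hits, last_ok = [], {}  # last_ok: client IP -> time of last request with SNI
    for e in filter(None, map(parse, lines)):
        if e["sni"] != "-":
            last_ok[e["client"]] = e["ts"]
        elif e["host"] not in ("", "-"):
            e["last_sni_seen"] = last_ok.get(e["client"])
            hits.append(e)
    return hits

# Constructed sample entries (documentation addresses and names, not real data).
TAIL = '"monitor.example.org" "-" "ExampleBrowser/1.0 (X11; Linux x86_64)"'
SAMPLE = [
    '02/19/12 17:57:35> 192.0.2.10:443 198.51.100.7; monitor.example.org '
    '/C=XX/O=Example/CN=Test User SUCCESS 3 "/C=XX/O=Example/CN=Test User" '
    '"/C=XX/O=Example/CN=Example-CA" 0A1B; "GET /icinga/menu.html HTTP/1.1" '
    '200 200; 506 410 447; ' + TAIL,
    '02/19/12 17:59:05> 192.0.2.10:443 198.51.100.7; - - NONE - "-" "-" -; '
    '"GET /cgi-bin/icinga/tac.cgi HTTP/1.1" 403 403; 1158 3580 161; ' + TAIL,
]

if __name__ == "__main__":
    for e in sni_dropouts(SAMPLE):
        print(f'{e["ts"]} {e["client"]} Host={e["host"]} SNI=- '
              f'verify={e["verify"]} status={e["status"]} '
              f'last SNI seen at {e["last_sni_seen"]}')
```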
