https://bugzilla.novell.com/show_bug.cgi?id=803584 https://bugzilla.novell.com/show_bug.cgi?id=803584#c0 Summary: ssl_error_rx_record_too_long when server (SSL/HTTPS) asks client for X.509 certificate Classification: openSUSE Product: openSUSE 12.2 Version: Final Platform: i586 OS/Version: openSUSE 12.2 Status: NEW Severity: Normal Priority: P5 - None Component: Apache AssignedTo: bnc-team-apache@forge.provo.novell.com ReportedBy: jimc@math.ucla.edu QAContact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1362.0 Safari/537.22 SUSE/25.0.1362.0 Versions: apache2-2.2.22-4.10.1.i586 ca-certificates-mozilla-1.85-8.8.1.noarch (on Jacinth, affected) ca-certificates-mozilla-1.85-8.4.1.noarch (on Simba, not affected) When I access a directory (HTTPS) for which a client cert is required, both Google's Chromium and Firefox fail to establish the SSL connection. The directory has PHP (SquirrelMail) interpreted by mod_php, plus these statements: # Require the luser to present one of OUR user certificates. SSLVerifyClient require SSLVerifyDepth 10 SSLRequire %{SSL_CLIENT_I_DN_CN} eq "CFT Root Certificate" </Location> Reproducible: Always Steps to Reproduce: 1. Navigate to a directory with SSLVerifyClient require. 2. 3. Actual Results: Web browser reports "SSL Connection Error" or variations on that theme. Firefox's error message is the most useful: Secure Connection Failed An error occurred during a connection to jacinth.jfcarter.net:1445. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) Expected Results: Before the most recent update (see versions above), it would connect with no hassle. Suspected reason: ca-certificates-mozilla-1.85-8.8.1.noarch adds a few more CA certs, which pushed the list of known certs over a buffer size limit. How to fix: The idiot webmaster should have configured SSLCADNRequestPath or SSLCADNRequestFile, so only the root cert(s) that will actually be accepted are sent over. The default is to send the DN's from all CA certs in SSLCACertificatePath. When I create a separate directory (with hash links) for the local CA certs, with appropriate links to them in SSLCACertificatePath (/etc/ssl/certs), and specify this directory in SSLCADNRequestPath, the browsers can make the connection and show the content. This "bug" doesn't actually require any action by the developers, but it would probably be a good idea to make a note in SuSE's Apache configuration docs that the CA bundle is now so packed with certs that the default fallback behavior for SSLCADNRequestPath cannot be relied on any more. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.