"SSLRequire false" has no effect and allows access to directories 9.3 & 10.0

============================================
"SSLRequire false" has no effect and allows access to directories.
SSLRequire ALWAYS allows access regardless of the expression in the back.
============================================

SuSE Linux 10.0 and 9.3 *binary* packages only!

SuSE 10.0 broken module:
f712b436b294d1f6088f458c266a691a  /usr/lib/apache2-prefork/mod_ssl.so

1. Loading the module /usr/lib/apache2-prefork/mod_ssl.so into a freshly built 2.0.54 breaks SSLRequire.
2. Loading a freshly built httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into SuSE's httpd2 of the same version fails: undefined symbol: X509_free.
3. Compiled sources from SuSE 9.3 apache2-2.0.53-9.src.rpm do NOT show this symptom (even with the tls-upgrade patch)!!
4. Compiled sources from apache.org (2.0.54, 2.0.55) do not show this symptom: they correctly reject access with a user certificate and log the reject. (My tests used a user certificate.)

linux:~ # httpd2 -v
Server version: Apache/2.0.54
Server built:   Feb 1 2006 18:13:06

linux:~ # httpd2 -f /etc/apache2/test2.conf
Syntax error on line 23 of /etc/apache2/test2.conf:
Cannot load /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into server: /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so: undefined symbol: X509_free

httpd2 -V
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/srv/www"
 -D SUEXEC_BIN="/usr/sbin/suexec2"
 -D DEFAULT_PIDLOG="/var/run/httpd2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/accept.lock"
 -D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"

## APACHE TEST CONF:
# jEdit:mode=apacheconf:
# Template for a VirtualHost with SSL
# This file loads the default modules from SuSE 10.0 (Apache 2.0.54) into Apache 2.0.55
# SSLRequire fails to work; the error seems to be within /usr/lib/apache2-prefork/mod_ssl.so

# req for http2 SuSE
#LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
#LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
#LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
#LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
#LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so

# BAAAAAAD guy:
#LoadModule ssl_module /usr/lib/apache2-prefork/mod_ssl.so

# Original module from src.rpm package SuSE 9.3 (correct reject of SSLRequire false)
# Patched with /usr/src/packages/SOURCES/httpd-2.0.53-tls-upgrade.patch (correct reject)
#LoadModule ssl_module /root/gnu/httpd-2.0.53/modules/ssl/.libs/mod_ssl.so

# GOOD:
#LoadModule ssl_module /root/gnu/httpd-2.0.55/modules/ssl/.libs/mod_ssl.so

LoadModule ssl_module /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_fs_module /usr/lib/apache2-prefork/mod_dav_fs.so
LoadModule php4_module /usr/lib/apache2-prefork/libphp4.so

User wwwrun
Listen 443

<VirtualHost _default_:443>
    DocumentRoot "/srv/www/htdocs"
    ServerName localhost:443
    ServerAdmin "bla"

    ErrorLog /tmp/err
    # /var/log/apache2/error_log
    #TransferLog /tmp/acc
    # /var/log/apache2/access_log

    # A normal format + SSL extension
    CustomLog /tmp/acc "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{CLIENTCERT}x \"%{ERRSTR}x\" %v"

    SSLEngine on
    LogLevel info
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
    SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCARevocationPath /etc/apache2/ssl.crl
    SSLVerifyClient require
    SSLVerifyDepth 1

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    ###########################################
    ########## START DIRECTORY CONFIG #########
    ###########################################
    SSLUserName SSL_CLIENT_S_DN_Email
    #SSLOptions +FakeBasicAuth

    <Directory "/srv/www/htdocs">
        Options Indexes
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLRequire false
    </Directory>

    Alias /gallery "/srv/www/gallery"
    <Directory "/srv/www/gallery">
        Options Indexes
        AllowOverride AuthConfig Limit
        Order allow,deny
        Allow from all
        DAV On
        SSLOptions +StrictRequire
        SSLRequire false
        # AuthType Basic
        # AuthName swarco
        # AuthUserFile /srv/www/.htpasswd
        # AuthGroupFile /srv/www/.htgroups
        # <LimitExcept GET>
        #     Require valid-user
        # </LimitExcept>
        php_admin_value open_basedir /srv/www/gallery
    </Directory>
</VirtualHost>
Thomas K
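Added example, not part of the post above: a small Python helper for an admin on an affected SuSE build. It lists the <Directory> blocks whose only access control is an SSLRequire expression (the paths the reported bug exposes to any holder of a client certificate) and compares a module file's MD5 with the hash the post gives for the broken SuSE 10.0 mod_ssl.so. The sample config is constructed from the post's test conf; treating Require/AuthType as an independent control is an assumption of this helper.

```python
import hashlib
import re

# MD5 of the SuSE 10.0 mod_ssl.so the report names as broken (value from the post).
BROKEN_MOD_SSL_MD5 = "f712b436b294d1f6088f458c266a691a"

# Constructed sample, reduced from the report's test config.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLVerifyClient require
    <Directory "/srv/www/htdocs">
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLRequire false
    </Directory>
    <Directory "/srv/www/gallery">
        SSLRequire false
        # Require valid-user
    </Directory>
    <Directory "/srv/www/public">
        Options Indexes
    </Directory>
</VirtualHost>
"""

def mod_ssl_is_known_broken(module_bytes):
    """True if the module file's MD5 equals the hash the report names as broken."""
    return hashlib.md5(module_bytes).hexdigest() == BROKEN_MOD_SSL_MD5

def sslrequire_dependent_dirs(conf_text):
    """List <Directory> paths whose only access control is SSLRequire: with a
    mod_ssl that ignores the directive (the reported bug) they become reachable
    by any client-cert holder.  Require/AuthType count as independent controls."""
    exposed, current, has_sslrequire, has_other = [], None, False, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # skip blanks and comments
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.IGNORECASE)
        if m:                                        # enter a new block
            current, has_sslrequire, has_other = m.group(1), False, False
        elif line.lower() == "</directory>":         # leave block, evaluate it
            if current and has_sslrequire and not has_other:
                exposed.append(current)
            current = None
        elif current is not None:                    # directive inside a block
            directive = line.split()[0].lower()
            has_sslrequire |= directive == "sslrequire"
            has_other |= directive in ("require", "authtype")
    return exposed
```

Run it over the real httpd.conf and, for the module, over the bytes of /usr/lib/apache2-prefork/mod_ssl.so; any path it lists should be re-tested with a user certificate against the loaded module rather than trusted on the strength of the directive.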