"SSLRequire false" has no effect and allows access to directories 9.3 & 10.0

13 Mar 2006

      ============================================
"SSLRequire false" has no effect and allows access to directories.
SSLRequire ALWAYS allows access regardless of expression in the back.
============================================

SuSE Linux 10.0 and 9.3 *binary* packages only!

SuSE 10.0 broken module:
f712b436b294d1f6088f458c266a691a  /usr/lib/apache2-prefork/mod_ssl.so

1. Loading the module /usr/lib/apache2-prefork/mod_ssl.so into a fresh-built 
2.0.54 breaks SSLRequire
2. Loading a fresh built httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into 
SuSE's httpd2 of the same version fails: undefined symbol: X509_free
3. Compiled sources from SuSE 9.3 apache2-2.0.53-9.src.rpm do NOT show this 
symptom (even with tls-upgrade patch)!!
4. Compiled sources from apache.org (2.0.54, 2.0.55) do not show this 
symptom: they correctly reject access with a user certificate and log the 
reject.

(My tests used a user certificate.)

linux:~ # httpd2 -v
Server version: Apache/2.0.54
Server built:   Feb  1 2006 18:13:06
linux:~ # httpd2 -f /etc/apache2/test2.conf
Syntax error on line 23 of /etc/apache2/test2.conf:
Cannot load /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into server: 
/root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so: undefined symbol: 
X509_free

httpd2 -V
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/srv/www"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"

## APACHE TEST CONF:
# jEdit:mode=apacheconf:
# Template for a VirtualHost with SSL

#This file loads the default modules from SuSE 10.0 (Apache 2.0.54) into 
Apache 2.0.55
#SSLRequire fails to work the error seems to be within 
/usr/lib/apache2-prefork/mod_ssl.so

#req for http2 SuSE
#LoadModule setenvif_module                
/usr/lib/apache2-prefork/mod_setenvif.so
#LoadModule log_config_module              
/usr/lib/apache2-prefork/mod_log_config.so
#LoadModule alias_module                   
/usr/lib/apache2-prefork/mod_alias.so
#LoadModule access_module                  
/usr/lib/apache2-prefork/mod_access.so
#LoadModule dir_module                     
/usr/lib/apache2-prefork/mod_dir.so

#BAAAAAAD guy:
#LoadModule ssl_module                     
/usr/lib/apache2-prefork/mod_ssl.so

#Original module from src.rpm package SuSE 9.3 (correct reject of SSLRequire 
false)
#Patched with /usr/src/packages/SOURCES/httpd-2.0.53-tls-upgrade.patch 
(correct reject)
#LoadModule ssl_module                     
/root/gnu/httpd-2.0.53/modules/ssl/.libs/mod_ssl.so

#GOOD:
#LoadModule ssl_module                     
/root/gnu/httpd-2.0.55/modules/ssl/.libs/mod_ssl.so
LoadModule ssl_module                     
/root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so
LoadModule dav_module                     
/usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_fs_module                  
/usr/lib/apache2-prefork/mod_dav_fs.so
LoadModule php4_module                    
/usr/lib/apache2-prefork/libphp4.so

User wwwrun
Listen 443

<VirtualHost _default_:443>

DocumentRoot "/srv/www/htdocs"
ServerName localhost:443
ServerAdmin "bla"

ErrorLog /tmp/err
# /var/log/apache2/error_log
#TransferLog /tmp/acc
#/var/log/apache2/access_log

# A normal format + SSL extension
       CustomLog /tmp/acc  "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{CLIENTCERT}x 
\"%{ERRSTR}x\" %v"

SSLEngine on

LogLevel info

       SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite 
ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCARevocationPath /etc/apache2/ssl.crl

SSLVerifyClient require
SSLVerifyDepth  1

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

###########################################
########## START DIRECTORY CONFIG #########
###########################################

SSLUserName SSL_CLIENT_S_DN_Email
#SSLOptions +FakeBasicAuth

       Options Indexes
SSLOptions +StrictRequire
SSLRequireSSL
       SSLRequire false
</Directory>

Alias /gallery "/srv/www/gallery"

       Options Indexes
       AllowOverride AuthConfig Limit
       Order allow,deny
       Allow from all

       DAV On
SSLOptions +StrictRequire
SSLRequire false
#        AuthType Basic
#        AuthName swarco
#        AuthUserFile /srv/www/.htpasswd
#        AuthGroupFile /srv/www/.htgroups
#        <LimitExcept GET>
#                Require valid-user
#        </LimitExcept>
php_admin_value open_basedir /srv/www/gallery
</Directory>

</VirtualHost>

_________________________________________________________________
Dont just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

Thomas K

tags

participants (1)