"SSLRequire false" has no effect and allows access to directories 9.3 & 10.0
============================================
"SSLRequire false" has no effect and allows access to directories.
SSLRequire ALWAYS allows access regardless of expression in the back.
============================================
SuSE Linux 10.0 and 9.3 *binary* packages only!
SuSE 10.0 broken module:
f712b436b294d1f6088f458c266a691a /usr/lib/apache2-prefork/mod_ssl.so
1. Loading the module /usr/lib/apache2-prefork/mod_ssl.so into a fresh-built
2.0.54 breaks SSLRequire
2. Loading a fresh built httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into
SuSE's httpd2 of the same version fails: undefined symbol: X509_free
3. Compiled sources from SuSE 9.3 apache2-2.0.53-9.src.rpm do NOT show this
symptom (even with tls-upgrade patch)!!
4. Compiled sources from apache.org (2.0.54, 2.0.55) do not show this
symptom: they correctly reject access with a user certificate and log the
reject.
(My tests used a user certificate.)
linux:~ # httpd2 -v
Server version: Apache/2.0.54
Server built: Feb 1 2006 18:13:06
linux:~ # httpd2 -f /etc/apache2/test2.conf
Syntax error on line 23 of /etc/apache2/test2.conf:
Cannot load /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into server: /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so: undefined symbol: X509_free
httpd2 -V
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/srv/www"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
## APACHE TEST CONF:
# jEdit:mode=apacheconf:
# Template for a VirtualHost with SSL
#This file loads the default modules from SuSE 10.0 (Apache 2.0.54) into Apache 2.0.55
#SSLRequire fails to work the error seems to be within /usr/lib/apache2-prefork/mod_ssl.so
#req for http2 SuSE
#LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
#LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
#LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
#LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
#LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
#BAAAAAAD guy:
#LoadModule ssl_module /usr/lib/apache2-prefork/mod_ssl.so
#Original module from src.rpm package SuSE 9.3 (correct reject of SSLRequire false)
#Patched with /usr/src/packages/SOURCES/httpd-2.0.53-tls-upgrade.patch (correct reject)
#LoadModule ssl_module /root/gnu/httpd-2.0.53/modules/ssl/.libs/mod_ssl.so
#GOOD:
#LoadModule ssl_module /root/gnu/httpd-2.0.55/modules/ssl/.libs/mod_ssl.so
LoadModule ssl_module /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_fs_module /usr/lib/apache2-prefork/mod_dav_fs.so
LoadModule php4_module /usr/lib/apache2-prefork/libphp4.so
User wwwrun
Listen 443
<VirtualHost _default_:443>
DocumentRoot "/srv/www/htdocs"
ServerName localhost:443
ServerAdmin "bla"
ErrorLog /tmp/err
# /var/log/apache2/error_log
#TransferLog /tmp/acc
#/var/log/apache2/access_log
# A normal format + SSL extension
CustomLog /tmp/acc "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{CLIENTCERT}x \"%{ERRSTR}x\" %v"
SSLEngine on
LogLevel info
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCARevocationPath /etc/apache2/ssl.crl
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
###########################################
########## START DIRECTORY CONFIG #########
###########################################
SSLUserName SSL_CLIENT_S_DN_Email
#SSLOptions +FakeBasicAuth
Thomas K
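
Added example, not part of the original report and not Apache or SuSE code: a log check built on the CustomLog format in the test configuration above. It flags requests under a directory that is meant to be closed with "SSLRequire false" but were answered with a non-error status (a working mod_ssl answers 403). The /denied prefix and every log line are constructed, since the directory section of the configuration is not shown.

```python
import posixpath
import re
from urllib.parse import unquote

# Field layout of the CustomLog directive in the test configuration above.
LOG_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)" (?P<proto>\S+) '
    r'(?P<cipher>\S+) (?P<clientcert>\S+) "(?P<errstr>(?:[^"\\]|\\.)*)" (?P<vhost>\S+)$'
)

# Constructed sample lines (not taken from the report). %u carries the
# certificate e-mail because the configuration sets SSLUserName.
_HEAD = '192.0.2.10 - alice@example.org [01/Feb/2006:18:20:01 +0100] '
_TAIL = ' "-" "Mozilla/5.0" TLSv1 DHE-RSA-AES256-SHA - "-" localhost'
SAMPLE = [
    _HEAD + '"GET /denied/ HTTP/1.1" 200 512' + _TAIL,
    _HEAD + '"GET /denied/ HTTP/1.1" 403 301' + _TAIL,
    _HEAD + '"GET /public/%2e%2e/denied/a.txt?x=1 HTTP/1.1" 200 64' + _TAIL,
    _HEAD + '"GET /deniedish/ HTTP/1.1" 200 64' + _TAIL,
    "not a log line",
]

def request_path(request_line):
    """Return the decoded, normalised URL path of a logged request, or None."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    raw = unquote(parts[1].split("?", 1)[0])
    return posixpath.normpath("/" + raw.lstrip("/"))

def find_bypasses(lines, denied_prefixes):
    """Return ([(user, path, status)], unparsed_count) for served denied paths."""
    prefixes = [p.rstrip("/") for p in denied_prefixes]  # hypothetical paths
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        path = request_path(m["request"]) if m else None
        if path is None:
            unparsed += 1
            continue
        covered = any(path == p or path.startswith(p + "/") for p in prefixes)
        if covered and int(m["status"]) < 400:
            hits.append((m["user"], path, int(m["status"])))
    return hits, unparsed

if __name__ == "__main__":
    print(find_bypasses(SAMPLE, ["/denied"]))
```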