
"SSLRequire false" has no effect and allows access to directories 9.3 & 10.0
  • From: "Thomas K" <katzlbtjunk@xxxxxxxxxxx>
  • Date: Mon, 13 Mar 2006 17:33:22 +0000
  • Message-id: <BAY13-F603C8A0555E622470C98CABE00@xxxxxxx>
============================================
"SSLRequire false" has no effect and allows access to directories.
SSLRequire ALWAYS allows access, regardless of the expression that follows it.
============================================

SuSE Linux 10.0 and 9.3 *binary* packages only!

SuSE 10.0 broken module:
f712b436b294d1f6088f458c266a691a /usr/lib/apache2-prefork/mod_ssl.so

1. Loading the module /usr/lib/apache2-prefork/mod_ssl.so into a freshly built 2.0.54 httpd breaks SSLRequire
2. Loading a freshly built httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into SuSE's httpd2 of the same version fails: undefined symbol: X509_free
3. Compiled sources from SuSE 9.3 apache2-2.0.53-9.src.rpm do NOT show this symptom (even with the tls-upgrade patch)!!
4. Compiled sources from apache.org (2.0.54, 2.0.55) do not show this symptom: they correctly reject access with a user certificate and log the reject.

(My tests used a user certificate.)

linux:~ # httpd2 -v
Server version: Apache/2.0.54
Server built: Feb 1 2006 18:13:06
linux:~ # httpd2 -f /etc/apache2/test2.conf
Syntax error on line 23 of /etc/apache2/test2.conf:
Cannot load /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so into server: /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so: undefined symbol: X509_free

httpd2 -V
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/srv/www"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"

## APACHE TEST CONF:
# jEdit:mode=apacheconf:
# Template for a VirtualHost with SSL
#
# Purpose: minimal reproduction config for the SSLRequire report above.
# Everything except the ssl_module LoadModule line is held constant between
# runs, so a difference in whether "SSLRequire false" rejects a request can
# be attributed to the mod_ssl.so binary that is loaded.

#This file loads the default modules from SuSE 10.0 (Apache 2.0.54) into Apache 2.0.55
#SSLRequire fails to work the error seems to be within /usr/lib/apache2-prefork/mod_ssl.so

#req for http2 SuSE
# (Commented out here; presumably the self-built httpd has these modules
# compiled in statically, while SuSE's httpd2 needs them as DSOs -- the
# Order/Allow lines below need mod_access, Alias needs mod_alias. Confirm
# before reusing this file with the SuSE binary.)
#LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
#LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
#LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
#LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
#LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so

#BAAAAAAD guy:
# SuSE 10.0 binary package module (md5 f712b436b294d1f6088f458c266a691a, as
# listed in the report). With this module loaded, "SSLRequire false" grants
# access instead of rejecting it.
#LoadModule ssl_module /usr/lib/apache2-prefork/mod_ssl.so

#Original module from src.rpm package SuSE 9.3 (correct reject of SSLRequire false)
#Patched with /usr/src/packages/SOURCES/httpd-2.0.53-tls-upgrade.patch (correct reject)
#LoadModule ssl_module /root/gnu/httpd-2.0.53/modules/ssl/.libs/mod_ssl.so

#GOOD:
#LoadModule ssl_module /root/gnu/httpd-2.0.55/modules/ssl/.libs/mod_ssl.so
# Currently active: the freshly built 2.0.54 module. SuSE's own httpd2
# binary refuses to load this one ("undefined symbol: X509_free", see the
# "httpd2 -f" output in the report), so this variant presumably only runs
# under a self-built httpd.
LoadModule ssl_module /root/gnu/httpd-2.0.54/modules/ssl/.libs/mod_ssl.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_fs_module /usr/lib/apache2-prefork/mod_dav_fs.so
LoadModule php4_module /usr/lib/apache2-prefork/libphp4.so

# Worker processes run as this unprivileged user; the server itself is
# started as root (root prompt in the report) so it can bind port 443.
User wwwrun
Listen 443

<VirtualHost _default_:443>

DocumentRoot "/srv/www/htdocs"
ServerName localhost:443
ServerAdmin "bla"

# Test logs go to /tmp instead of the system log locations (kept below).
ErrorLog /tmp/err
# /var/log/apache2/error_log
#TransferLog /tmp/acc
#/var/log/apache2/access_log

# A normal format + SSL extension
# The %{...}x fields record the negotiated protocol/cipher and the client
# certificate per request, next to the %>s status, so an accepted and a
# rejected request can be told apart in the access log.
CustomLog /tmp/acc "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{CLIENTCERT}x \"%{ERRSTR}x\" %v"

SSLEngine on

# Presumably raised so the SSLRequire reject is visible in the error log
# (item 4 of the report mentions the reject being logged) -- confirm.
LogLevel info

# NOTE(review): SSLv3 is enabled here; it is deprecated (POODLE). Acceptable
# for this 2006-era test file, but do not copy the line into a production
# vhost.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# CA directory used to verify the client certificates required below.
SSLCACertificatePath /etc/apache2/ssl.crt
# No CRL checking in this test: a revoked client certificate would still
# be accepted by SSLVerifyClient.
#SSLCARevocationPath /etc/apache2/ssl.crl

# Every client must present a certificate that chains (depth <= 1) to a CA
# in SSLCACertificatePath. The SSLRequire test below is therefore run on
# requests that already carry a valid user certificate, as the report says.
SSLVerifyClient require
SSLVerifyDepth 1

# Standard MSIE SSL workarounds; unrelated to the SSLRequire issue.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

###########################################
########## START DIRECTORY CONFIG #########
###########################################

# Use the client certificate's email address as the request user name
# (the %u field in the CustomLog above).
SSLUserName SSL_CLIENT_S_DN_Email
#SSLOptions +FakeBasicAuth

# First directory under test (the document root).
<Directory "/srv/www/htdocs">
Options Indexes
# StrictRequire makes an SSLRequire/SSLRequireSSL denial final: it cannot
# be overridden by "Satisfy any".
SSLOptions +StrictRequire
SSLRequireSSL
# Constant-false expression: a correctly working mod_ssl must deny EVERY
# request to this directory (403 Forbidden). The SuSE 10.0/9.3 binary
# module lets the requests through instead.
SSLRequire false
</Directory>

Alias /gallery "/srv/www/gallery"

# Second directory under test, this time with DAV enabled and the basic
# auth block commented out, so access control rests entirely on
# SSLVerifyClient plus "SSLRequire false". With the broken module, any
# holder of a certificate issued by a CA in SSLCACertificatePath would
# therefore presumably get DAV (write) access to /srv/www/gallery.
<Directory "/srv/www/gallery">
Options Indexes
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all

DAV On
SSLOptions +StrictRequire
SSLRequire false
# AuthType Basic
# AuthName swarco
# AuthUserFile /srv/www/.htpasswd
# AuthGroupFile /srv/www/.htgroups
# <LimitExcept GET>
# Require valid-user
# </LimitExcept>
# Confine PHP file access for this tree to the gallery directory.
php_admin_value open_basedir /srv/www/gallery
</Directory>

</VirtualHost>

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/

