When I use an Action directive in a directory secured by client certificate authentication, the CGI output does not display.
My server is Apache 1.3.33 with mod_ssl-2.8.22. My config.status looks like this:
    CFLAGS="-g -DSSL_EXPERIMENTAL -DSSL_EXPERIMENTAL_PROXY_IGNORE -DSSL_EXPERIMENTAL_ENGINE_IGNORE" \
    ./configure \
    "--with-layout=Apache" \
    "--prefix=/usr/local/apache" \
    "--enable-module=ssl" \
    "$@"
I have a directory htdocs/secure, which contains this .htaccess file:
    AddType application/test .test
    Action application/test /cgi-bin/test.pl
    SSLRequireSSL
    SSLVerifyClient require
    SSLCACertificateFile /usr/local/etc/ca.crt
My Apache configuration contains:
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /usr/local/apache/logs/ssl_engine_log
    SSLLogLevel trace
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/server.key
    SSLCertificateChainFile /usr/local/apache/conf/equifax.crt
    SSLCACertificateFile /usr/local/apache/conf/ca.crt
    SSLVerifyDepth 10
The SSLCACertificateFile (ca.crt) is a self-signed CA which I created. I have added the CA to my browser, along with a client cert signed by that CA. The same CA is copied to /usr/local/etc/ca.crt, which is referenced by the SSLCACertificateFile directive in my .htaccess file. This CA is different from the one securing the web server itself.
Within the htdocs/secure directory are files index.html and x.test. When I browse with HTTPS to /secure/index.html or to /cgi-bin/test.pl, the results are displayed just as they should be.
However, when I access /secure/x.test, the CGI output does not appear at all. Instead, the following messages appear in ssl_engine_log:
[06/Jan/2005 17:27:23 55592] [error] SSL error on reading data (OpenSSL library error follows)
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Is this a bug in mod_ssl, or is there something I need to do differently to get my CGI output?
Thanks
--
Omar W. Hannet
Allez-Oop Net
http://www.allez-oop.net/