Forgotten mod_ssl pool?

2006-11-07 Thread Christiaan Lamprecht

Apache 2 SSL question which is probably related to mod_ssl:

The Apache 2.2.3 SSL implementation has a pool in the ssl_expr_node
struct (in ssl_expr.h) whereas the latest mod_ssl implementation does
not. I know mod_ssl is only for Apache 1.3.* but the pool in Apache
2.2.3 doesn't seem to be used anyway!

Is this just a forgotten pool from older versions of mod_ssl or does
it have a purpose?

An extra pointer in the struct is not really a problem as such, but I
want to make a copy (in my own allocated memory, which is not tied to an
Apache pool) and then execute it later using ssl_expr_exec(). If a
copy of the contents of the pool is also necessary, well, then it could
be a problem.


Many thanks to anyone who knows
Christiaan


Some more details below:

---
ssl_expr.h:

typedef struct {
  ssl_expr_node_op node_op;
  void *node_arg1;
  void *node_arg2;
  apr_pool_t *p;
} ssl_expr_node;

typedef ssl_expr_node ssl_expr;
---
The pool in ssl_expr_node doesn't seem to be used, either when the
struct is created (ssl_expr.c):
ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr)

or when it is evaluated:
int ssl_expr_exec(request_rec *r, ssl_expr *expr)


Many thanks in advance
Christiaan Lamprecht
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


SSLRequire: core dump with long strings, sometimes unreliable expressions

2006-11-07 Thread Jan Klever
Hi,

I'm trying to protect URLs with SSLRequire and I am running into trouble
with Apache segmentation faults and expressions that work sometimes, but
not always.

Setup is Apache 1.3.37 on a Linux box with mod_ssl built into Apache,
not as an external .so. No RPMs, everything built from source.

I want to protect two URLs: /foo and /cgi-bin/foo. /foo redirects via
'http-equiv=refresh content=0' to /cgi-bin/foo. /cgi-bin/foo displays
a frameset of two frames, which are generated by Perl scripts.

So, I am using two Location blocks, one for /foo and one for
/cgi-bin/foo, each containing the same SSLRequire expression. The blocks
are contained in an external file that is included into the Apache
configuration with Include. Everything is fine when I am using
expressions like:

  SSLRequire ( %{SSL_CLIENT_I_DN_CN} eq "Foo CA" \
and %{SSL_CLIENT_S_DN_CN} in {"Bar", "Baz"} )

It works great, but for some reason I want to check against the whole
certificate. This is where the trouble starts.

I tried:
  SSLRequire (%{SSL_CLIENT_CERT} == file("/path/to/bar.pem") \
or %{SSL_CLIENT_CERT} == file("/path/to/baz.pem")) \
and %{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/foo-ca.pem")

Browsing to /foo and being redirected to /cgi-bin/foo I sometimes get:
- One frame with content, the other with 403 forbidden.
- Both frames with 403 forbidden.
- Both frames with content
- One Page (no frames) with 403 forbidden

In case of 403 the error log states: Failed expression.

Then I tried to include the PEM encoded cert into SSLRequire:

SSLRequire (%{SSL_CLIENT_CERT} eq "-----BEGIN
CERTIFICATE-----\nImage_completet_PEM_in_here\n-----END CERTIFICATE-----\n"

Which results in segmentation faults when trying to start Apache! The
parser of mod_ssl seems to be limited to a number of characters in
this place. Shorter expressions are OK; with the complete PEM certificate my
Apache won't start, instead it throws a segmentation fault.

Finally I came up with matching against the last 128 or 256 bytes of the
certificate, where the signature is located. I match with m## so slashes
inside the PEM don't matter, '+' is quoted, \n is replaced by .?:

  SSLRequire %{SSL_CLIENT_CERT} =~ m#ZlL5lB6BhQqB9Cwa3OCetBxuqT5Rx6eQB0UJQQF\+v5R80H6XPjeURnbD8UvNflZG.?2noIZ4UxkVoKxFAlTeept5EylxVclQ4NTsLyrsQnxjrrAUUy3eP3I\+CkreLRuv0F.?f08ISFtKaHttoQ==.?-----END CERTIFICATE-----# \
and %{SSL_CLIENT_CERT_CHAIN_0} =~ m#w3qcUn85WX5Vmi/QI\+UCG6kuNtKk\+CAWYkN\+nt4vwa11SzCQLCYYccMrr\+5CMCpG.?PeXsmiMCpYUitWk9AryzyMPiDBc9acZebdY44EbQHE4DaNNrrWN1rcdagQ\+RMWZt.?8cv\+nUG4NUQCPeUffrKVLHw56jvWsR6GJaode2GDh79yRKdj5w==.?-----END CERTIFICATE-----#

And what do I get? The same result as with file():

Browsing to /foo and being redirected to /cgi-bin/foo I sometimes get:
- One frame with content, the other with 403 forbidden.
- Both frames with 403 forbidden.
- Both frames with content
- One Page (no frames) with 403 forbidden

Is this behaviour known? Any solution?

Cheers
Jan
-- 
Jan Klever (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-619 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 501B8FB1, 37 DD 41 9A E9 3B CB 2B 94 E5 F8 6A 76 CA 16 C1
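The tail-of-certificate pattern the post above builds by hand, as an added example in Python (this is not mod_ssl code and not the poster's code). It takes the last N characters of a PEM, escapes the regex metacharacters base64 can contain, turns every line break into `.?`, emits the SSLRequire line, and then checks the pattern against the value both with and without its newlines; it also shows why a byte-exact comparison of two PEM blobs is brittle, since a single trailing newline already breaks it. The certificate body is constructed base64-looking text, not a real certificate, and the helper names are this example's own. One caveat the code makes explicit: whether `.` can consume a newline depends on the regex engine (POSIX regcomp does unless REG_NEWLINE is set; Perl and Python need `/s` or `re.DOTALL`).

```python
"""Pin the tail of a client certificate in an SSLRequire regex.

Added example; not mod_ssl code.  Builds the kind of m#...# pattern the
post writes by hand: the last N characters of the PEM (where the signature
sits) with regex metacharacters escaped and each line break turned into
'.?' so the pattern matches whether or not the value mod_ssl exposes
carries the same newlines.  SAMPLE_PEM is constructed text, not a real cert."""
import re

END_MARKER = "-----END CERTIFICATE-----"

# Constructed sample body: 64-char lines containing '+', '/' and '=' padding so
# the escaping rules are exercised.  Not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVygAwIBAgIJAKx+Yk0/abcdEFGHIJKLMNOPQRSTUVWXYZ0123456789\n"
    "qrstuvwxyz+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\n"
    "ab/cd+ef==\n"
    "-----END CERTIFICATE-----\n"
)

# Metacharacters of the regex engine behind m## (and of Python's re).  Base64
# only contributes '+' and '/'; '/' only matters when it is the delimiter,
# which is why the post switched to m#...#.
_SPECIAL = set(r"\.^$*+?()[]{}|")


def escape(text, delimiter="#"):
    """Backslash-escape regex metacharacters and the chosen m-delimiter only,
    leaving '-', ' ' and '=' alone so the pattern stays portable."""
    return "".join("\\" + ch if ch in _SPECIAL or ch == delimiter else ch
                   for ch in text)


def tail_regex(pem, tail_chars=128, delimiter="#"):
    """Return (pattern, sslrequire_line) pinning the last `tail_chars`
    characters of the PEM body plus the END marker."""
    pem = pem.strip()
    if not pem.endswith(END_MARKER):
        raise ValueError("not a PEM certificate")
    body = pem[:-len(END_MARKER)].rstrip("\n")
    tail = body[-tail_chars:]
    # One escaped piece per PEM line; '.?' tolerates a present or absent
    # line break between them.
    pieces = [escape(line, delimiter) for line in tail.split("\n")]
    pieces.append(escape(END_MARKER, delimiter))
    pattern = ".?".join(pieces)
    line = f"SSLRequire %{{SSL_CLIENT_CERT}} =~ m{delimiter}{pattern}{delimiter}"
    return pattern, line


def matches(pattern, value):
    """Does the pattern match the value as the server would expose it?
    DOTALL because '.?' must be able to consume a newline: a POSIX engine
    does that by default, Perl/Python only with a flag."""
    return re.search(pattern, value, re.DOTALL) is not None


def check_variants(pem):
    """Exercise the regex against the PEM as written and with all newlines
    removed, and contrast it with a byte-exact comparison, which already
    fails on a single trailing newline."""
    pattern, _ = tail_regex(pem)
    return {
        "regex_as_written": matches(pattern, pem),
        "regex_flattened": matches(pattern, pem.replace("\n", "")),
        "exact_compare_tolerates_newline": pem == pem.rstrip("\n"),
    }


if __name__ == "__main__":
    print(tail_regex(SAMPLE_PEM)[1])
    print(check_variants(SAMPLE_PEM))
```

Run it on a real PEM (`tail_regex(open("bar.pem").read())[1]`) to get a line you can paste into the configuration; shorten `tail_chars` if the SSLRequire parser rejects the length.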


Mod_SSL

2006-11-07 Thread kbajwa

Hello List:

My first posting! I am installing Apache-2.2.3 and would like
to install mod_ssl. I notice that the current/latest version of mod_ssl is for
Apache-1.x.x. Is there any way (with a patch) to install the latest
version of mod_ssl on Apache-2.x.x?

Thanks.

Kirt


RE: Mod_SSL

2006-11-07 Thread Kong, Yi - HPL

You add the ssl argument when you configure Apache.


Re: Mod_SSL

2006-11-07 Thread Cliff Woolley
What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just
enable it when you run configure on the Apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:
> You add the ssl argument when you configure Apache.



Re: Howto unload the mod_ssl from memory?

2006-11-07 Thread Louise Hoffman

> Hi Louise,

Hi Patrick =)

> Include conf.d/*.conf
>
> So this includes *.conf files listed in the conf.d directory (in
> mine, this is on the same directory level as the conf directory
> below /etc/httpd). My ssl.conf file is in this second directory and
> has as one of its commands:

This was just it =)

I backed up the original and called it _ssl.conf

From now on I will learn how to use SVN, and check /etc in as
the first thing, so I don't try something similar another time =)

> I do not know if this will apply to your situation but it sounds like
> it might be something to check. It took me a couple of hours of digging
> around in the filesystem to find that one. I'm a noobie or I guess I
> would have found it quicker.  :-)

I think I spent about 4-5 hours on debugging and tracing without
solving this problem, so I am very glad for Michael's and your replies
=) I would never have solved it without them.

With love,
Louise