DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39658>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39658

           Summary: mod_proxy_ajp SSL Key Size Bug
           Product: Apache httpd-2
           Version: 2.2.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


mod_proxy_ajp appears to not comply with the AJP 1.3 spec when sending over the
SSL key size as an attribute in the AJP 1.3 Request.  Instead of sending the key
size as a string, it sends it as an integer.  Both the Tomcat and mod_proxy_ajp
documentation imply that it is a string:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html#rpacetstruct
http://tomcat.apache.org/connectors-doc-archive/jk2/common/AJPv13.html#Request%20Packet%20Structure

This bug ends up manifesting itself in Jetty 5.1.11 (latest stable) when a
connection comes in over SSL to Apache HTTP 2.2.2 and is tunneled to Jetty. 
Unlike Tomcat, their AJP implementation is not resilient against non-compliant
behavior.  It completely rejects the request.  


The following 2.2.2 patch includes my fix.  I have tested this against Tomcat
5.0.24, Tomcat 5.5.9, and Jetty 5.1.11 over SSL.  All work for proxying the
request, but I have not verified that the key size is available and present in
the respective servlet containers.

diff httpd-2.2.2/modules/proxy/ajp_header.c
httpd-2.2.2-css/modules/proxy/ajp_header.c
392c392
<                 || ajp_msg_append_uint16(msg, (unsigned short) atoi(envvar))) 
{
---
>                 || ajp_msg_append_string(msg, envvar)) {
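
Review bot: on line 392 the replacement call ajp_msg_append_string(msg, envvar) changes the on-wire encoding of the SSL key size for every backend, and the report states that the value was not checked on the container side. Before this goes in, confirm what each receiver decodes for this attribute: an AJP string begins with a 16-bit length, so a backend that still reads a 16-bit integer at this position would take the string length as the key size, which matters wherever the key size feeds a transport-security decision. The new call also forwards envvar verbatim where the old line normalised it through atoi, so a short comment citing the AJP 1.3 request packet structure would document why the string form is used. Please also resubmit as a unified diff (diff -u) so the context around line 392 is visible.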

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
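
The encoding difference described in the report, as an added example that is not code from httpd, Tomcat or Jetty. It assumes the attribute code 0x0B for ssl_key_size and the length-prefixed, NUL-terminated string layout from the AJP 1.3 request packet structure linked above; the function names and the strict receiver are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_A_SSL_KEY_SIZE 0x0B  /* assumed attribute code (AJP 1.3 layout) */

/* Integer form, as the unpatched line emits it: code + 16-bit big-endian value. */
size_t put_keysize_int(uint8_t *buf, uint16_t bits) {
    buf[0] = SC_A_SSL_KEY_SIZE;
    buf[1] = (uint8_t)(bits >> 8);
    buf[2] = (uint8_t)(bits & 0xFF);
    return 3;
}

/* String form, as the patched line emits it: code + 16-bit length + bytes + NUL. */
size_t put_keysize_str(uint8_t *buf, const char *s) {
    size_t n = strlen(s);
    buf[0] = SC_A_SSL_KEY_SIZE;
    buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(n & 0xFF);
    memcpy(buf + 3, s, n);
    buf[3 + n] = 0;
    return 4 + n;
}

/* Hypothetical strict receiver: expects the string form and bounds-checks it.
 * Returns the number of bytes consumed, or -1 if the attribute does not parse. */
int read_keysize_str(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len < 3 || buf[0] != SC_A_SSL_KEY_SIZE) return -1;
    size_t n = ((size_t)buf[1] << 8) | buf[2];
    if (n + 4 > len || n + 1 > outsz) return -1;  /* length runs past the data */
    if (buf[3 + n] != 0) return -1;               /* missing NUL terminator */
    memcpy(out, buf + 3, n);
    out[n] = '\0';
    return (int)(n + 4);
}

int main(void) {
    uint8_t b[16]; char out[8];          /* constructed sample: 128-bit key */
    size_t n = put_keysize_int(b, 128);  /* 0B 00 80: read as string length 128 */
    printf("int form: %zu bytes, parse=%d\n", n, read_keysize_str(b, n, out, sizeof out));
    n = put_keysize_str(b, "128");       /* 0B 00 03 '1' '2' '8' 00 */
    printf("str form: %zu bytes, parse=%d\n", n, read_keysize_str(b, n, out, sizeof out));
    return 0;
}
```

A receiver that bounds-checks the declared length rejects the integer form outright, while one that reads a 16-bit integer would see the string form's length field as the key size.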
