Package: libapache2-mod-auth-kerb
Version: 5.3-5
Severity: normal
Tags: patch

When using Kerberos authentication for https, the Kerberos module adds
the WWW-Authenticate lines twice (the same configuration without https is
OK). I.e., in the response to a simple request (without any auth info),
the server replies with:
    HTTP/1.1 401 Authorization Required
    Date: Wed, 27 Aug 2008 21:43:44 GMT
    Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 PHP/5.2.0-8+etch11 mod_ruby/1.2.6 Ruby/1.8.5(2006-08-25) mod_ssl/2.2.9 OpenSSL/0.9.8c
    WWW-Authenticate: Negotiate
    WWW-Authenticate: Basic realm="OKTET Labs private webspace"
    WWW-Authenticate: Negotiate
    WWW-Authenticate: Basic realm="OKTET Labs private webspace"
    Content-Length: 731
    Content-Type: text/html; charset=iso-8859-1
As you can see, the WWW-Authenticate headers appear twice. It is easy to
see this effect in any browser which can show HTTP headers.

Such behaviour makes curl crazy (I have patched curl to print more
details):
bash$ curl -vvv --max-redirs 2 --negotiate -u : https://oktetlabs.ru
* About to connect() to oktetlabs.ru port 443 (#0)
*   Trying 192.168.38.1... connected
* Connected to oktetlabs.ru (192.168.38.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=RU/ST=Saint Petersburg/O=OKTET Labs/CN=oktetlabs.ru/[EMAIL PROTECTED]
*        start date: 2008-05-13 19:12:13 GMT
*        expire date: 2011-02-07 19:12:13 GMT
*        subjectAltName: oktetlabs.ru matched
*        issuer: /C=RU/ST=Saint Petersburg/L=St.Petergof/O=OKTET Labs/CN=OKTET Labs Root CA/[EMAIL PROTECTED]
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18
> Host: oktetlabs.ru
> Accept: */*
> 
< HTTP/1.1 401 Authorization Required
< Date: Wed, 27 Aug 2008 21:43:44 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 PHP/5.2.0-8+etch11 mod_ruby/1.2.6 Ruby/1.8.5(2006-08-25) mod_ssl/2.2.9 OpenSSL/0.9.8c
* Curl_input_negotiate()
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="OKTET Labs private webspace"
* Curl_input_negotiate()
* gss complete
* GSS Authentication problem. Ignoring this.
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="OKTET Labs private webspace"
< Content-Length: 731
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host oktetlabs.ru left intact
* Issue another request to this URL: 'https://oktetlabs.ru'
* Re-using existing connection! (#0) with host oktetlabs.ru
* Connected to oktetlabs.ru (192.168.38.1) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8 libssh2/0.18
> Host: oktetlabs.ru
> Accept: */*
> 
< HTTP/1.1 401 Authorization Required


Possibly it is a curl bug, but it is not easy (at least for me) to fix
it.  However, I have a 3-line patch for the mod_auth_kerb Apache module
(attached).

Thank you for your work on the package,
    Alexandra.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (900, 'testing'), (50, 'experimental'), (50, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-auth-kerb depends on:
ii  apache2.2-common      2.2.9-7            Apache HTTP Server common files
ii  krb5-config           1.21               Configuration files for Kerberos V
ii  libc6                 2.7-13             GNU C Library: Shared libraries
ii  libcomerr2            1.41.0-3           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-3 MIT Kerberos runtime libraries

libapache2-mod-auth-kerb recommends no packages.

libapache2-mod-auth-kerb suggests no packages.

-- no debconf information

-- 
Alexandra N. Kossovsky
OKTET Labs (http://www.oktetlabs.ru/)
Phones: +7(921)956-42-86(mobile) +7(812)783-21-91(office)
e-mail: [EMAIL PROTECTED]
--- libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c	2008-08-28 01:13:29.000000000 +0400
+++ libapache-mod-auth-kerb-5.3.orig/src/mod_auth_kerb.c	2008-08-28 01:54:04.000000000 +0400
@@ -1533,6 +1533,10 @@
    const char *header_name = 
       (r->proxyreq == PROXYREQ_PROXY) ? "Proxy-Authenticate" : "WWW-Authenticate";
 
+   /* No need to put headers twice */
+   if (!ap_is_initial_req(r))
+       return;
+
    /* get the user realm specified in .htaccess */
    auth_name = ap_auth_name(r);
 
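Review bot: the early return on `!ap_is_initial_req(r)` drops the challenge for every subrequest and internal redirect, which is broader than the symptom justifies; the report shows the same two challenges emitted twice, so the narrower fix is to skip only when the challenge is already present in the table this function adds to, e.g. `if (apr_table_get(r->err_headers_out, header_name)) return;` placed right after `header_name` is computed, which also handles the `Proxy-Authenticate` case the same way. The comment `/* No need to put headers twice */` should say which code path (subrequest or ErrorDocument redirect) re-enters this function, since that is the root cause and nothing here records it; and the `---`/`+++` file headers both name the `.orig` tree, so the patch appears to have been taken against a copy rather than the unmodified source. Please regenerate it with the pristine tree on the `---` side.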

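The symptom described in the report (the same WWW-Authenticate challenge emitted twice in a 401) can be checked for mechanically. The following is an added example, not part of the bug report, of curl, or of mod_auth_kerb: it parses a raw HTTP response head, counts each distinct challenge, and reports those that occur more than once; `fetch_head` is a small network helper for running the same check against a live server. The sample response is constructed from the headers quoted above (body omitted, Server header shortened).

```python
"""Detect repeated WWW-Authenticate challenges in a 401 response.

Added example; not code from the bug report or from mod_auth_kerb.
"""
import http.client
import ssl
from collections import Counter

# Constructed sample, built from the response shown in the report above
# (body omitted, Server header shortened, Content-Length kept as quoted).
SAMPLE_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Date: Wed, 27 Aug 2008 21:43:44 GMT\r\n"
    b"Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 mod_ssl/2.2.9\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b'WWW-Authenticate: Basic realm="OKTET Labs private webspace"\r\n'
    b"WWW-Authenticate: Negotiate\r\n"
    b'WWW-Authenticate: Basic realm="OKTET Labs private webspace"\r\n'
    b"Content-Length: 731\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)


def parse_headers(raw):
    """Split a raw response head into (status_code, [(name, value), ...]).

    Header order and repeats are preserved (a dict would hide duplicates);
    names are lower-cased for comparison, values are kept verbatim.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenge_counts(headers):
    """Count each distinct WWW-Authenticate / Proxy-Authenticate challenge.

    Several *different* challenges (Negotiate plus Basic) are legitimate;
    the same challenge listed twice is the server-side defect reported here.
    """
    return Counter(
        value for name, value in headers
        if name in ("www-authenticate", "proxy-authenticate")
    )


def duplicated_challenges(raw):
    """Return, sorted, the challenges that appear more than once in a 401/407."""
    status, headers = parse_headers(raw)
    if status not in (401, 407):
        return []
    return sorted(c for c, n in challenge_counts(headers).items() if n > 1)


def fetch_head(host, path="/", port=443, cafile=None):
    """Issue one unauthenticated GET over TLS and return the raw response head.

    Network helper for a live check against a real server; the sample above
    does not use it. The certificate is verified with the default context
    (or the given CA file), as curl did in the trace quoted in the report.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path, headers={"Host": host, "Accept": "*/*"})
    resp = conn.getresponse()
    # resp.getheaders() keeps repeated headers as separate entries.
    head = "HTTP/%d.%d %d %s\r\n" % (*divmod(resp.version, 10), resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders())
    conn.close()
    return (head + "\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    for challenge in duplicated_challenges(SAMPLE_401):
        print("duplicated challenge:", challenge)
```

Run against a live host with `duplicated_challenges(fetch_head("example.invalid"))`; an empty list means every challenge was sent once, which is what a client such as curl's Negotiate code expects to see.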