On Thu, Sep 15, 2005 at 04:30:50PM +0100, Joe Orton wrote:
>
> Can we just back out the mod_setenvif stuff from the trunk or is someone
> going to make it work BTW?
Uhm. Strange. Back at the 'Con, I tested my committed changes with a
configuration like:
SetEnvIf OID("2.16.840.1.113730.1.13") "(TinyCA) Generated (Certificate)"
Yes_this_certificate_is_from_TinyCA=$1_$2
SetEnvIf OID("1.16.840.1.113730.1.13") "TinyCA Generated Certificate"
FooBarFalse=$1
and the SSL check:
SSLRequire "TinyCA Generated Certificate" in OID("2.16.840.1.113730.1.13") \
|| "committers" in OID("1.3.6.1.4.1.18060.1")
and had a .shtml file which contained:
--snip-- htdocs/ssi.shtml:
<pre>
<!--#exec cmd="echo $Yes_this_certificate_is_from_TinyCA|figlet -funivers"
--><!--#printenv -->
--snip--
After the various changes made in the meantime, I now changed it to
SetEnvIf SSL_PeerExtList("2.16.840.1.113730.1.13") "(TinyCA) Generated
(Certificate)" Yes_this_certificate_is_from_TinyCA=$1_$2
SetEnvIf SSL_PeerExtList("1.16.840.1.113730.1.13") "TinyCA Generated
Certificate" FooBarFalse=$1
SSLRequire "TinyCA Generated Certificate" in
PeerExtList("2.16.840.1.113730.1.13") \
|| "committers" in PeerExtList("1.3.6.1.4.1.18060.1")
The SSLRequire works still: if I (supply a client cert and) access the
server with a client cert that has a NSComment
"TinyCA Generated Certificate"
then I get access, but if I change the string or the OID to something
different, I get a [403] page.
But the mod_setenvif code -as it is in svn- does not work any
longer. The variable ${Yes_this_certificate_is_from_TinyCA}
is no longer set in the server environment (but used to be
in july).
So, I changed it to my old patch plus recent updates (attached)
and retested it with:
--snip-- httpd.conf:
<Directory "/usr/local/apache2/cgi-bin">
Options None
Order allow,deny
Deny from all
</Directory>
--snip--
--snip-- httpd-ssl.conf:
<VirtualHost _default_:8443>
LogLevel info
...
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
SSLRequire "TinyCA Generated Certificate" in
PeerExtList("2.16.840.1.113730.1.13") \
|| "committers" in PeerExtList("1.3.6.1.4.1.18060.1")
</Location>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
# Do not do this on your production server:
AllowOverride All
Deny from all
</Directory>
--snip--
--snip-- /usr/local/apache2/cgi-bin/.htaccess
order deny,allow
deny from all
allow from env=Yes_this_certificate_is_from_TinyCA
--snip--
With this setup, I have no problems denying access when I change
the allow from env= variable name to something different.
But as you say, this should not work, and ATM I am at a loss to
explain why it works here. Do you see a reason why?
Martin
PS: Also, but that is already under discussion elsewhere (Marc Stern
did very good work in that area), the connection is simply torn down
if the client does NOT provide a client cert or if the certificate
purpose is wrong. I get "The document contains no data" or
"server.dom.ain has received an incorrect or unexpected message. Error
Code: -12227" in the browser (or just as cryptic
"30602:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:" in "openssl s_client", and in the best case
[Tue Sep 20 15:08:48 2005] [error] Certificate Verification: Error (26):
unsupported certificate purpose
in the logs. If the client does not present any cert, nothing at all
is logged in the default log level. When set to "info" level, I see
[Tue Sep 20 15:12:28 2005] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
certificate No CAs known to server for verification?
).
So, all in all, I fully agree that handling SSL errors gracefully is a
very important goal for acceptance (of Apache as SSL server, for Svn
as well as for all the SSL user community out there).
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730 Munich, Germany
Index: modules/metadata/mod_setenvif.c
===================================================================
--- modules/metadata/mod_setenvif.c (Revision 290414)
+++ modules/metadata/mod_setenvif.c (Arbeitskopie)
@@ -104,7 +104,7 @@
SPECIAL_REQUEST_METHOD,
SPECIAL_REQUEST_PROTOCOL,
SPECIAL_SERVER_ADDR,
- SPECIAL_OID_VALUE
+ SPECIAL_SSLPEEREXT_VALUE
};
typedef struct {
char *name; /* header name */
@@ -349,30 +349,29 @@
else if (!strcasecmp(fname, "server_addr")) {
new->special_type = SPECIAL_SERVER_ADDR;
}
- else if (!strncasecmp(fname, "oid(",4)) {
+ else if (!strncasecmp(fname, "SSL_PeerExtList(",16)) {
ap_regmatch_t match[AP_MAX_REG_MATCH];
- new->special_type = SPECIAL_OID_VALUE;
+ new->special_type = SPECIAL_SSLPEEREXT_VALUE;
- /* Syntax check and extraction of the OID as a regex: */
+ /* Syntax check and extraction of the SSL_PeerExtList as a regex:
*/
new->pnamereg = ap_pregcomp(cmd->pool,
- "^oid\\(\"?([0-9.]+)\"?\\)$",
+
"^SSL_PeerExtList\\(\"?([0-9][0-9.]+[0-9])\"?\\)$",
(AP_REG_EXTENDED // | AP_REG_NOSUB
| AP_REG_ICASE));
/* this can never happen, as long as pcre works:
if (new->pnamereg == NULL)
return apr_pstrcat(cmd->pool, cmd->cmd->name,
- "OID regex could not be compiled.",
NULL);
+ "SSL_PeerExtList regex could not be
compiled.", NULL);
*/
if (ap_regexec(new->pnamereg, fname, AP_MAX_REG_MATCH, match, 0)
== AP_REG_NOMATCH) {
return apr_pstrcat(cmd->pool, cmd->cmd->name,
- "OID syntax is: oid(\"1.2.3.4.5\");
error in: ",
+ "SSL_PeerExtList syntax is:
SSL_PeerExtList(\"1.2.3.4.5\"); error in: ",
fname, NULL);
}
new->pnamereg = NULL;
- /* The name field is used for the stripped oid string */
- new->name = fname = apr_pstrdup(cmd->pool, fname+match[1].rm_so);
- fname[match[1].rm_eo - match[1].rm_so] = '\0';
+ /* The name field is used for the stripped PeerExt string */
+ new->name = fname = apr_pstrndup(cmd->pool, fname+match[1].rm_so,
match[1].rm_eo - match[1].rm_so);
}
else {
new->special_type = SPECIAL_NOT;
@@ -504,7 +503,7 @@
* same header. Remember we don't need to strcmp the two header
* names because we made sure the pointers were equal during
* configuration.
- * In the case of SPECIAL_OID_VALUE values, each oid string is
+ * In the case of SPECIAL_SSLPEEREXT_VALUE values, each PeerExt string
is
* dynamically allocated, thus there are no duplicates.
*/
if (b->name != last_name) {
@@ -529,33 +528,17 @@
case SPECIAL_REQUEST_PROTOCOL:
val = r->protocol;
break;
- case SPECIAL_OID_VALUE:
+ case SPECIAL_SSLPEEREXT_VALUE:
/* If mod_ssl is not loaded, the accessor function is NULL */
if (ssl_ext_list_func != NULL)
{
- apr_array_header_t *oid_array;
- char **oid_value;
- int j, len = 0;
- char *retval = NULL;
+ apr_array_header_t *peerext_array;
- /* The given oid can occur multiple times. Concatenate the
values */
- if ((oid_array = ssl_ext_list_func(r->pool, r->connection,
1,
+ /* The given Peer Extension can occur multiple times.
Concatenate the values */
+ if ((peerext_array = ssl_ext_list_func(r->pool,
r->connection, 1,
b->name)) != NULL) {
- oid_value = (char **) oid_array->elts;
- /* pass 1: determine the size of the string */
- for (len=j=0; j < oid_array->nelts; j++) {
- len += strlen(oid_value[j]) + 1; /* +1 for ',' or
terminating NIL */
- }
- retval = apr_palloc(r->pool, len);
- /* pass 2: fill the string */
- for (j=0; j < oid_array->nelts; j++) {
- if (j > 0) {
- strcat(retval, ",");
- }
- strcat(retval, oid_value[j]);
- }
+ val = apr_array_pstrcat(r->pool, peerext_array, ',');
}
- val = retval;
}
break;
case SPECIAL_NOT:
