Bug report for Apache httpd-1.3 [2008/11/23]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Nor|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore|
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy|
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged|
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body|
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file|
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy|
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe|
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections|
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings|
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set|
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with "WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout|
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove "/../" in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie|
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37185|New|Enh|2005-10-20|AddIcon, AddIconByType for OpenDocument format|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string|
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed|
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40176|New|Nor|2006-08-03|magic and mime|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code >= 600|
|43626|New|Maj|2007-10-15|r->path_info returning invalid value|
|44768|

Re: Name based virtual host ssl clever solution
> I'm not sure if any browser available currently supports this, but I
> suppose none. Maybe if it became RFC, you might get Mozilla folks
> interested with this :)

As far as I know, Mozilla guys are hanging out for TLS/SNI, as is the rest of the world. They and the other browsers have been ready for ages. There was a big push around 2005-2006 to get over to full TLS because of SSLv2 bug and the emergence of phishing as an MITM.

TLS/SNI is the "real fix" for the bug, whereas other tricks (and there are quite a few of them) are all suspect for one reason or another; when you try them you discover what goes wrong.

There's a list of possibilities here:
http://wiki.cacert.org/wiki/VhostTaskForce
http://en.wikipedia.org/wiki/Server_Name_Indication

TLS/SNI is working in Apache httpd, and has been for a while, but is unreleased. I don't know or understand the reason for that.

iang

Re: Name based virtual host ssl clever solution
On Sat, Nov 15, 2008 at 03:21, Jeff Sadowski <[EMAIL PROTECTED]> wrote:
>
> I think I just came up with a clever solution. However web browsers
> will have to support srv records
> the problem with virtual hosts is that you can have only one ssl
> certificate per port (443)
> because ssl requires it encrypted before it sends any other information.
> A solution is to run a different key on different ports thus it could
> distinguish via port what key to encrypt with
> https://onedomain.com:443
> https://twodomain.com:444
>
> by default a web browser goes to port 443 for https
> Now if a web browser followed the rules of srv records you could tell
> the web browser to go to a different port using srv records
>
> _https._tcp.onedomain.com SRV 443
> _https._tcp.twodomain.com SRV 444
>
> then again if the web browser follows SRV records it should
> automatically go to the right port for ssl and you can have an ssl
> connection to a virtual host each host with its own certificate.

Yes, idea is good... I've found several Internet Drafts about this topic, but none of them got released as RFC so far:
http://tools.ietf.org/html/draft-andrews-http-srv-01
http://tools.ietf.org/html/draft-jennings-http-srv-00

I'm not sure if any browser available currently supports this, but I suppose none. Maybe if it became RFC, you might get Mozilla folks interested with this :)

--
Patryk Szczygłowski
[EMAIL PROTECTED]
JID/mail: [EMAIL PROTECTED]
P. J. O'Rourke - "Never wear anything that panics the cat."