https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
William A. Rowe Jr. changed:
What|Removed |Added
Keywords||MassUpdate
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
stingerto...@gmx.com changed:
What|Removed |Added
CC||stingerto...@gmx.com
--
You
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #53 from Techiq ---
Comment on attachment 24237
--> https://bz.apache.org/bugzilla/attachment.cgi?id=24237
Light Patch
>--- modules/ssl/ssl_engine_kernel.c.orig
>+++ modules/ssl/ssl_engine_kernel.c
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
Techiq changed:
What|Removed |Added
CC|
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
Szőgyényi Gábor changed:
What|Removed |Added
CC|
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
Gang Kessy changed:
What|Removed |Added
CC|
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #52 from Gang Kessy ---
Comment on attachment 24237
--> https://bz.apache.org/bugzilla/attachment.cgi?id=24237
Light Patch
>--- modules/ssl/ssl_engine_kernel.c.orig
>+++ modules/ssl/ssl_engine_kernel.c
>@@
https://bz.apache.org/bugzilla/show_bug.cgi?id=47055
Chris Stevens changed:
What|Removed |Added
CC||chste...@cisco.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
kersus ker...@smtp.ru changed:
What|Removed |Added
CC||ker...@smtp.ru
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Juan Manuel Perez Delgado juan...@gmail.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Joe Orton jor...@redhat.com changed:
What|Removed |Added
CC|
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #50 from Nikhil Kohli ce.kohli.nik...@gmail.com 2010-02-14 11:56:32 UTC ---
I think the problem here is introduced due to the OpenSSL changes from 0.9.8e to
0.9.8f. Also, the below link describes the same problem in some more
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #49 from Ruediger Pluem rpl...@apache.org 2009-12-17 01:45:48 CET ---
(In reply to comment #48)
BTW: Chasing this behaviour of getting a new SSL session ID revealed that
Apache up to and including 2.2.11 did not have this
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #47 from Joe Orton jor...@redhat.com 2009-12-16 12:36:07 UTC ---
Nothing has changed in mod_ssl on this front. It may be that the following
change in OpenSSL 0.9.8f is shaking problems out of the woodwork here:
*) In the
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #48 from Roger Waldner r.wald...@phion.com 2009-12-16 23:02:09 UTC ---
Well, yes this could be the source of the problem.
OTH, my impression was that Apache (sorry I can't be more specific but I
guess it is mod_ssl) defines
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #46 from Roger Waldner r.wald...@phion.com 2009-12-15 02:10:25 UTC ---
Hi,
we just ran into exactly the same problem. More analysis revealed that the
impacts from this change (be strict about session ID context matching) are
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #41 from Mike mike.pech...@gmail.com 2009-11-09 08:00:48 UTC ---
Joe, is the config from the first comment vulnerable to CVE-2009-3555?
Any comments?
p.s. Just started reading related links.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #42 from Ruediger Pluem rpl...@apache.org 2009-11-09 09:28:23 CET ---
(In reply to comment #41)
Joe, is the config from the first comment vulnerable to CVE-2009-3555?
Yes, it is. Even with the patch applied. You can only fix it
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #43 from Mike mike.pech...@gmail.com 2009-11-09 08:56:47 UTC ---
Ruediger,
1. Is the config still vulnerable if the user redirects to
/mihailp1/www-secure/s only after double authentication by soft
(password-pin)?
2. why *this*
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #44 from Ruediger Pluem rpl...@apache.org 2009-11-09 12:45:37 CET ---
(In reply to comment #43)
Ruediger,
1. Is the config still vulnerable if the user redirects to
/mihailp1/www-secure/s only after double authentication by
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #45 from Mike mike.pech...@gmail.com 2009-11-09 12:16:31 UTC ---
Ruediger, thank you for reply.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #40 from rm4dillo rm4di...@gmail.com 2009-10-11 08:24:17 UTC ---
(In reply to comment #39)
Let me restate my earlier comment: I think it must be true that either all the
calls to SSL_set_session_id_context in mod_ssl are
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #39 from Joe Orton jor...@redhat.com 2009-09-28 10:53:42 PDT ---
Let me restate my earlier comment: I think it must be true that either all the
calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
any of
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #38 from rm4dillo rm4di...@gmail.com 2009-09-25 01:29:53 PDT ---
Sorry, I did not see your first question.
In fact, the session id is correct and the problem is in the session id
context.
In mod_ssl the session id context
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #37 from Will Rowe wr...@apache.org 2009-09-24 21:54:44 PDT ---
I had raised a question which was never answered, that's a first good step in
getting a patch committed at all.
Secondly, you need to pass the trunk gauntlet, get
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
rm4dillo rm4di...@gmail.com changed:
What|Removed |Added
Severity|critical|blocker
--- Comment
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #34 from Mike mike.pech...@gmail.com 2009-09-10 01:08:42 PDT ---
rm4dillo: Your patch works for me.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #35 from rm4dillo rm4di...@gmail.com 2009-09-10 01:11:50 PDT ---
(In reply to comment #34)
rm4dillo: Your patch works for me.
Perfect!!!
Thanks for testing.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #28 from rm4di...@gmail.com 2009-09-09 04:38:59 PDT ---
Hi everybody,
Does anyone know if Mike's patch is going to be applied?
I've been experiencing the same bug because the context id is the memory
address of request_rec-id
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
rm4dillo rm4di...@gmail.com changed:
What|Removed |Added
Version|2.2.11 |2.2.13
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #29 from Will Rowe wr...@apache.org 2009-09-09 05:23:32 PDT ---
Just for fun, would you try:
SSLVerifyClient optional
SSLVerifyDepth 10
<Location /test>
SSLVerifyClient require
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Will Rowe wr...@apache.org changed:
What|Removed |Added
Keywords||PatchAvailable
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #30 from rm4dillo rm4di...@gmail.com 2009-09-09 06:14:34 PDT ---
Created an attachment (id=24236)
Light patch
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #32 from Mike mike.pech...@gmail.com 2009-09-09 06:23:18 PDT ---
rm4dillo: Thank you for the new version of the patch.
I need more time to check it; I will try this week.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
rm4dillo rm4di...@gmail.com changed:
What|Removed |Added
Attachment #24236|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
rm4dillo rm4di...@gmail.com changed:
What|Removed |Added
Priority|P2 |P1
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
rm4dillo rm4di...@gmail.com changed:
What|Removed |Added
CC||rm4di...@gmail.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #27 from Mike mike.pech...@gmail.com 2009-06-29 06:58:32 PST ---
I have had to insert SetEnv nokeepalive inside the LocationMatch tag.
Without the SetEnv stuff I can still pop up the window in FF even with my patch.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #26 from juan-manuel.pe...@tecsidel.es 2009-06-24 23:57:57 PST ---
[About Bug 44858 marked as a duplicate of this one]
This patch solves, indeed, the problem we reported. We have only these
comments:
- It worked properly
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Joe Orton jor...@redhat.com changed:
What|Removed |Added
CC||sargas...@yahoo.fr
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Mike mike.pech...@gmail.com changed:
What|Removed |Added
Attachment #23689|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #17 from Joe Orton jor...@redhat.com 2009-05-20 02:49:26 PST ---
H, very interesting, nice investigative work Mike, thanks a lot for looking
into this in such detail.
I expect the intent of the code in
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #18 from Joe Orton jor...@redhat.com 2009-05-20 02:52:40 PST ---
Sorry, md5(request rec *) should simply read request_rec * i.e. a 4-byte sid
context corresponding to the value of the pointer, per the existing code
touched
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #19 from Mike mike.pech...@gmail.com 2009-05-20 03:17:50 PST ---
Now I want to mention the history of the problem.
*Every* person in Estonia must have chip smartcard.
*Every* bank which works in Estonia market must implement
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #20 from Mike mike.pech...@gmail.com 2009-05-20 05:48:48 PST ---
My scenario is trivial.
It's already known (no words about limitations) -
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #22 from Joe Orton jor...@redhat.com 2009-05-20 06:03:15 PST ---
The fact that newer versions of Firefox do not remember client-cert/URL
associations is a Firefox problem, which I understand they do plan to fix.
I will
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #23 from Mike mike.pech...@gmail.com 2009-05-20 06:06:49 PST ---
(In reply to comment #22)
The fact that newer versions of Firefox do not remember client-cert/URL
associations is a Firefox problem, which I understand they
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #24 from Joe Orton jor...@redhat.com 2009-05-20 06:12:32 PST ---
OK, "acknowledge the need for improvement" would be better wording than "plan
to fix". The bug covering this is here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #12 from Mike mike.pech...@gmail.com 2009-05-19 02:34:34 PST ---
As you can see, len and context are corrupted between steps 10 and 11:
[Tue May 19 12:30:29 2009] [debug] ssl_engine_kernel.c(620): Performing full
renegotiation:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #13 from Mike mike.pech...@gmail.com 2009-05-19 05:11:00 PST ---
The fix for the wrong sid_ctx doesn't help.
The core of the issue is here:
if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
    (verify_old == SSL_VERIFY_NONE)
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #14 from Mike mike.pech...@gmail.com 2009-05-19 05:38:47 PST ---
The config contained the wrong SSLOptions -OptRenegotiate; that's why I failed.
Now I have a workaround for the bug.
The problem is here. There should be md5
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #15 from Mike mike.pech...@gmail.com 2009-05-19 06:19:47 PST ---
Created an attachment (id=23689)
-- (https://issues.apache.org/bugzilla/attachment.cgi?id=23689)
patch
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Mike mike.pech...@gmail.com changed:
What|Removed |Added
Attachment #23683|0 |1
is
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #6 from Mike mike.pech...@gmail.com 2009-05-18 01:47:31 PST ---
I can repeat it under RHEL5 too.
I tried to write a service request (1912050) but was declined.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #7 from Mike mike.pech...@gmail.com 2009-05-18 02:11:30 PST ---
I don't see the output from openssl.
I've put a "hello world" in the always-executed branch.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #8 from Mike mike.pech...@gmail.com 2009-05-18 07:09:08 PST ---
Oops, I see the output :)
fflush() helps.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #9 from Mike mike.pech...@gmail.com 2009-05-18 08:08:24 PST ---
Created an attachment (id=23683)
-- (https://issues.apache.org/bugzilla/attachment.cgi?id=23683)
enable funny debug
This patch enables debug output. See
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #10 from Mike mike.pech...@gmail.com 2009-05-18 08:11:48 PST ---
Apply the patch for openssl 0.9.8k (latest)
First scenario, get file from virtual host:
CACHE ret-len: 32, s-len: 32
CACHE ret-str:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #11 from Mike mike.pech...@gmail.com 2009-05-18 08:18:44 PST ---
Important: if I copy the IF part from openssl 0.9.8e I see:
No warning:
CACHE ret-len: 4, s-len: 32
CACHE ret-str: 17-byte-mess, s-str:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Joe Orton jor...@redhat.com changed:
What|Removed |Added
Attachment #23683|application/octet-stream|text/plain
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #4 from Joe Orton jor...@redhat.com 2009-05-17 02:27:50 PST ---
It's not clear to me why this would fail. mod_ssl calls
SSL_set_session_id_context() to set the session id context for every new SSL
* object, so this looks
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #5 from Mike mike.pech...@gmail.com 2009-05-17 22:22:14 PST ---
Thank you, I will reply ASAP.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #3 from Mike mike.pech...@gmail.com 2009-05-15 06:45:36 PST ---
How much does the fix cost?
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #1 from Mike mike.pech...@gmail.com 2009-04-20 05:19:28 PST ---
It fails at SSL_get_peer_certificate() from ssl_engine_kernel.c
[Thu Apr 16 11:12:02 2009] [debug] ssl_engine_kernel.c(426): Changed client
verification type
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #2 from Mike mike.pech...@gmail.com 2009-04-20 05:56:52 PST ---
Browser: FF 3.0.8.
1. FF3.0.x has 'Ask me every time' by default (Tools - Options - Advanced -
Encryption); that pop-up window is the issue here.
2. IE8