[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 William A. Rowe Jr. changed: What|Removed |Added Keywords||MassUpdate

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 stingerto...@gmx.com changed: What|Removed |Added CC||stingerto...@gmx.com -- You

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #53 from Techiq --- Comment on attachment 24237 --> https://bz.apache.org/bugzilla/attachment.cgi?id=24237 Light Patch >--- modules/ssl/ssl_engine_kernel.c.orig >+++ modules/ssl/ssl_engine_kernel.c

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 Techiq changed: What|Removed |Added CC|

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 Szőgyényi Gábor changed: What|Removed |Added CC|

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 Gang Kessy changed: What|Removed |Added CC|

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #52 from Gang Kessy --- Comment on attachment 24237 --> https://bz.apache.org/bugzilla/attachment.cgi?id=24237 Light Patch >--- modules/ssl/ssl_engine_kernel.c.orig >+++ modules/ssl/ssl_engine_kernel.c >@@

[Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://bz.apache.org/bugzilla/show_bug.cgi?id=47055 Chris Stevens changed: What|Removed |Added CC||chste...@cisco.com

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 kersus ker...@smtp.ru changed: What|Removed |Added CC||ker...@smtp.ru --

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Juan Manuel Perez Delgado juan...@gmail.com changed: What|Removed |Added CC|

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Joe Orton jor...@redhat.com changed: What|Removed |Added CC|

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #50 from Nikhil Kohli ce.kohli.nik...@gmail.com 2010-02-14 11:56:32 UTC --- I think the problem here is introduced due the OpenSSL changes from 0.9.8e to 0.9.8f. Also, the below link describes the same problem in some more

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #49 from Ruediger Pluem rpl...@apache.org 2009-12-17 01:45:48 CET --- (In reply to comment #48) BTW: Chasing this behaviour of getting a new SSL session ID revealed that Apache up to and including 2.2.11 did not have this

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #47 from Joe Orton jor...@redhat.com 2009-12-16 12:36:07 UTC --- Nothing has changed in mod_ssl on this front. It may be that the following change in OpenSSL 0.9.8f is shaking problems out of the woodwork here: *) In the

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #48 from Roger Waldner r.wald...@phion.com 2009-12-16 23:02:09 UTC --- Well, yes this could be the source of the problem. OTH, my impression was that Apache (sorry I can't be more specific but I guess it is mod_ssl) defines

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #46 from Roger Waldner r.wald...@phion.com 2009-12-15 02:10:25 UTC --- Hi, we just ran into exactly the same problem. More analysis revealed that the impacts from this change (be strict about session ID context matching) are

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #41 from Mike mike.pech...@gmail.com 2009-11-09 08:00:48 UTC --- Joe, does config from first comment is vulnerabile to CVE-2009-3555? Any comments? p.s. Just started reading related links. -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #42 from Ruediger Pluem rpl...@apache.org 2009-11-09 09:28:23 CET --- (In reply to comment #41) Joe, does config from first comment is vulnerabile to CVE-2009-3555? Yes it is. Even with the patch applied. You can only fix it

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #43 from Mike mike.pech...@gmail.com 2009-11-09 08:56:47 UTC --- Ruediger, 1. does the config still vulnerable if user redirects to /mihailp1/www-secure/s only after double authentication by soft (password-pin)? 2. why *this*

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #44 from Ruediger Pluem rpl...@apache.org 2009-11-09 12:45:37 CET --- (In reply to comment #43) Ruediger, 1. does the config still vulnerable if user redirects to /mihailp1/www-secure/s only after double authentication by

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #45 from Mike mike.pech...@gmail.com 2009-11-09 12:16:31 UTC --- Ruediger, thank you for reply. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #40 from rm4dillo rm4di...@gmail.com 2009-10-11 08:24:17 UTC --- (In reply to comment #39) Let me restate my earlier comment: I think it must be true that either all the calls to SSL_set_session_id_context in mod_ssl are

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #39 from Joe Orton jor...@redhat.com 2009-09-28 10:53:42 PDT --- Let me restate my earlier comment: I think it must be true that either all the calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing any of

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #38 from rm4dillo rm4di...@gmail.com 2009-09-25 01:29:53 PDT --- Sorry, I did not see your first question. In fact, the session id is correct and the problem is in the session id context. In mod_ssl the session id context

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #37 from Will Rowe wr...@apache.org 2009-09-24 21:54:44 PDT --- I had raised a question which was never answered, that's a first good step in getting a patch committed at all. Secondly, you need to pass the trunk gauntlet, get

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 rm4dillo rm4di...@gmail.com changed: What|Removed |Added Severity|critical|blocker --- Comment

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #34 from Mike mike.pech...@gmail.com 2009-09-10 01:08:42 PDT --- rm4dillo: Your patch works for me. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #35 from rm4dillo rm4di...@gmail.com 2009-09-10 01:11:50 PDT --- (In reply to comment #34) rm4dillo: Your patch works for me. Perfect!!! Thanks for testing. -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #28 from rm4di...@gmail.com 2009-09-09 04:38:59 PDT --- Hi everybody, Does anyone know if Mike's patch is going to be applied? I've been experiencing the same bug because the context id is the memory address of request_rec-id

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 rm4dillo rm4di...@gmail.com changed: What|Removed |Added Version|2.2.11 |2.2.13 --

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #29 from Will Rowe wr...@apache.org 2009-09-09 05:23:32 PDT --- Just for fun, would you try; SSLVerifyClient optional SSLVerifyDepth 10 Location /test SSLVerifyClient require

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Will Rowe wr...@apache.org changed: What|Removed |Added Keywords||PatchAvailable --

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #30 from rm4dillo rm4di...@gmail.com 2009-09-09 06:14:34 PDT --- Created an attachment (id=24236) Light patch -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #32 from Mike mike.pech...@gmail.com 2009-09-09 06:23:18 PDT --- rm4dillo: Thank you the new version of patch. I need more time to check it, i will try this week. -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 rm4dillo rm4di...@gmail.com changed: What|Removed |Added Attachment #24236|0 |1 is

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 rm4dillo rm4di...@gmail.com changed: What|Removed |Added Priority|P2 |P1

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 rm4dillo rm4di...@gmail.com changed: What|Removed |Added CC||rm4di...@gmail.com

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #27 from Mike mike.pech...@gmail.com 2009-06-29 06:58:32 PST --- I have had to insert SetEnv nokeepalive inside LocationMatch tag. Without setenv staff i can still popup window in FF even with my patch. -- Configure

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #26 from juan-manuel.pe...@tecsidel.es 2009-06-24 23:57:57 PST --- [About Bug 44858 marked as duplicated of this one] This patch solves, indeed, the problem we reported. We have only these comments: - It worked properly

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Joe Orton jor...@redhat.com changed: What|Removed |Added CC||sargas...@yahoo.fr

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Mike mike.pech...@gmail.com changed: What|Removed |Added Attachment #23689|0 |1 is

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #17 from Joe Orton jor...@redhat.com 2009-05-20 02:49:26 PST --- H, very interesting, nice investigative work Mike, thanks a lot for looking into this in such detail. I expect the intent of the code in

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #18 from Joe Orton jor...@redhat.com 2009-05-20 02:52:40 PST --- Sorry md5(request rec *) should simply read request_rec * i.e. a 4-byte sid context corresponding to the value of the pointer, per the existing code touched

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #19 from Mike mike.pech...@gmail.com 2009-05-20 03:17:50 PST --- Now, I want mention the history of the problem. *Every* person in Estonia must have chip smartcard. *Every* bank which works in Estonia market must implement

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #20 from Mike mike.pech...@gmail.com 2009-05-20 05:48:48 PST --- My scenario is trivial. It's already known (no words about limitations) - http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients -- Configure

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #22 from Joe Orton jor...@redhat.com 2009-05-20 06:03:15 PST --- The fact that newer versions of Firefox do not remember client-cert/URL associations is a Firefox problem, which I understand they do plan to fix. I will

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #23 from Mike mike.pech...@gmail.com 2009-05-20 06:06:49 PST --- (In reply to comment #22) The fact that newer versions of Firefox do not remember client-cert/URL associations is a Firefox problem, which I understand they

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #24 from Joe Orton jor...@redhat.com 2009-05-20 06:12:32 PST --- OK, acknowledge the need for improvement would be better wording than plan to fix. The bug covering this is here:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #12 from Mike mike.pech...@gmail.com 2009-05-19 02:34:34 PST --- As you can see len and context corrupted between step 10 and 11: [Tue May 19 12:30:29 2009] [debug] ssl_engine_kernel.c(620): Performing full renegotiation:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #13 from Mike mike.pech...@gmail.com 2009-05-19 05:11:00 PST --- fix for wrong sid_ctx doesn't help. the core of the issue is here: if ((dc-nOptions SSL_OPT_OPTRENEGOTIATE) (verify_old == SSL_VERIFY_NONE)

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #14 from Mike mike.pech...@gmail.com 2009-05-19 05:38:47 PST --- config contained wrong SSLOptions -OptRenegotiate that's why i was failed. now i have a workaround for the bug. problem is here. there is should be md5

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #15 from Mike mike.pech...@gmail.com 2009-05-19 06:19:47 PST --- Created an attachment (id=23689) -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23689) patch -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Mike mike.pech...@gmail.com changed: What|Removed |Added Attachment #23683|0 |1 is

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #6 from Mike mike.pech...@gmail.com 2009-05-18 01:47:31 PST --- I can repeat it under RHEL5 too. I tried write service request (1912050) but declined. -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #7 from Mike mike.pech...@gmail.com 2009-05-18 02:11:30 PST --- I don't see the output from openssl. i've put hello word in always execute branch. -- Configure bugmail:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #8 from Mike mike.pech...@gmail.com 2009-05-18 07:09:08 PST --- oops, i see the output :) fflush() helps. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #9 from Mike mike.pech...@gmail.com 2009-05-18 08:08:24 PST --- Created an attachment (id=23683) -- (https://issues.apache.org/bugzilla/attachment.cgi?id=23683) enable funny debug this patch enable debug output. see

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #10 from Mike mike.pech...@gmail.com 2009-05-18 08:11:48 PST --- Apply the patch for openssl 0.9.8k (latest) First scenario, get file from virtual host: CACHE ret-len: 32, s-len: 32 CACHE ret-str:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #11 from Mike mike.pech...@gmail.com 2009-05-18 08:18:44 PST --- Important, if i copy IF part from openssl 0.9.8e i see: No warning: CACHE ret-len: 4, s-len: 32 CACHE ret-str: 17-byte-mess, s-str:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 Joe Orton jor...@redhat.com changed: What|Removed |Added Attachment #23683|application/octet-stream|text/plain

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #4 from Joe Orton jor...@redhat.com 2009-05-17 02:27:50 PST --- It's not clear to me why this would fail. mod_ssl calls SSL_set_session_id_context() to set the session id context for every new SSL * object, so this looks

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #5 from Mike mike.pech...@gmail.com 2009-05-17 22:22:14 PST --- Thank you, i will reply ASAP. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #3 from Mike mike.pech...@gmail.com 2009-05-15 06:45:36 PST --- How much costs the fix ? -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because:

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #1 from Mike mike.pech...@gmail.com 2009-04-20 05:19:28 PST --- it fails at SSL_get_peer_certificate() from ssl_engine_kernel.c [Thu Apr 16 11:12:02 2009] [debug] ssl_engine_kernel.c(426): Changed client verification type

DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055 --- Comment #2 from Mike mike.pech...@gmail.com 2009-04-20 05:56:52 PST --- Browser: FF 3.0.8. 1. FF3.0.x has 'Ask me every time' by default (Tools - Options - Advanced - Encryption), that's pop-up window is the issue here. 2. IE8