Action directive and client cert authentication

on 07.01.2005 01:39:51 by ohannet

When I use an Action directive in a directory secured by client certificate
authentication, the CGI output does not display.

My server is Apache 1.3.33 with mod_ssl-2.8.22. My config.status looks like this:

CFLAGS="-g -DSSL_EXPERIMENTAL -DSSL_EXPERIMENTAL_PROXY_IGNORE -DSSL_EXPERIMENTAL_ENGINE_IGNORE" \
../configure \
"--with-layout=Apache" \
"--prefix=/usr/local/apache" \
"--enable-module=ssl" \
"$@"

I have a directory htdocs/secure, which contains this .htaccess file:

AddType application/test .test
Action application/test /cgi-bin/test.pl
SSLRequireSSL
SSLVerifyClient require
SSLCACertificateFile /usr/local/etc/ca.crt

My Apache configuration contains:

SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel trace
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key
SSLCertificateChainFile /usr/local/apache/conf/equifax.crt
SSLCACertificateFile /usr/local/apache/conf/ca.crt
SSLVerifyDepth 10

The SSLCACertificateFile (ca.crt) is a self-signed CA which I created.
I have added the CA to my browser, along with a client cert signed by
that CA. The same CA is copied to /usr/local/etc/ca.crt, which is
referenced by the SSLCACertificateFile directive in my .htaccess file.
This CA is different from the one securing the web server itself.

Within the htdocs/secure directory are files index.html and x.test.
When I browse with HTTPS to /secure/index.html or to /cgi-bin/test.pl,
the results are displayed just as they should be.

However, when I access /secure/x.test, the CGI output does not appear
at all. Instead, the following messages appear in ssl_engine_log:

[06/Jan/2005 17:27:23 55592] [error] SSL error on reading data (OpenSSL library error follows)
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
[06/Jan/2005 17:27:23 55592] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Is this a bug in mod_ssl, or is there something I need to do differently
to get my CGI output?

Thanks
--
Omar W. Hannet
Allez-Oop Net
http://www.allez-oop.net/