SSLRequire: core dump with long strings, sometimes unreliable expressions

on 07.11.2006 16:35:18 by Jan Klever

Hi,

I'm trying to protect URLs with SSLRequire and I am running into trouble
with Apache segmentation faults and expressions that work sometimes, but
not always.

Setup is Apache 1.3.37 on a Linux box with ModSSL built into Apache,
not as external .so. No RPMs, everything built from source.

I want to protect two URLs: /foo and /cgi-bin/foo. /foo redirects per
'http-equiv="refresh" content="0' to /cgi-bin/foo. /cgi-bin/foo displays
a frameset of two frames, which are generated by Perl scripts.

So, I am using two blocks, one for /foo and one for
/cgi-bin/foo, each containing the same SSLRequire expression. The blocks
are contained in an external file that is included into the Apache
configuration with "Include". Everything is fine when I am using
expressions like:

SSLRequire ( %{SSL_CLIENT_I_DN_CN} eq "Foo CA" \
and %{SSL_CLIENT_S_DN_CN} in {"Bar", "Baz"} )

Works great, but for some reason I want to check against the whole
certificate. This is where the trouble starts.

I tried:
SSLRequire (%{SSL_CLIENT_CERT} == file ("/path/to/bar.pem") \
or %{SSL_CLIENT_CERT} == file ("/path/to/baz.pem")) \
and %{SSL_CLIENT_CERT_CHAIN_0} == file ("/path/to/foo-ca.pem")

Browsing to /foo and being redirected to /cgi-bin/foo I sometimes get:
- One frame with content, the other with 403 forbidden.
- Both frames with 403 forbidden.
- Both frames with content
- One page (no frames) with 403 forbidden

In case of 403 the error log states: Failed expression.

Then I tried to include the PEM-encoded cert in SSLRequire:

SSLRequire (%{SSL_CLIENT_CERT} eq "-----BEGIN
CERTIFICATE-----\nImage_completet_PEM_in_here\n-----END CERTIFICATE-----\n

Which results in segmentation faults when trying to start Apache! The
parser of ModSSL seems to be limited to a number of characters in
this place. Shorter expressions are OK, complete PEM certificate and my
Apache won't start, instead it throws a segmentation fault.

Finally I came up with matching against the last 128 or 256 bytes of the
certificate where the signature is located. I match with m## so slashes
inside PEM don't matter, '+' are quoted, \n is replaced by .?:

SSLRequire %{SSL_CLIENT_CERT} =~
m#ZlL5lB6BhQqB9Cwa3OCetBxuqT5Rx6eQB0UJQQF\+v5
R80H6XPjeURnbD8UvNflZG.?2noIZ4UxkVoKxFAlTeept5EylxVclQ4NTsLy rsQnxjrrAUUy3eP3I\+C
kreLRuv0F.?f08ISFtKaHttoQ==.?-----END CERTIFICATE-----# \
and %{SSL_CLIENT_CERT_CHAIN_0} =~
m#w3qcUn85WX5Vmi/QI\+UCG6kuNtKk\+CAWYkN\+n
t4vwa11SzCQLCYYccMrr\+5CMCpG.?PeXsmiMCpYUitWk9AryzyMPiDBc9ac ZebdY44EbQHE4DaNNrrW
N1rcdagQ\+RMWZt.?8cv\+nUG4NUQCPeUffrKVLHw56jvWsR6GJaode2GDh7 9yRKdj5w==.?-----END
CERTIFICATE-----#

And what do I get? Same result as with file():

Browsing to /foo and being redirected to /cgi-bin/foo I sometimes get:
- One frame with content, the other with 403 forbidden.
- Both frames with 403 forbidden.
- Both frames with content
- One page (no frames) with 403 forbidden

Is this behaviour known? Any solution?

Cheers
Jan
--
Jan Klever (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-619 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 501B8FB1, 37 DD 41 9A E9 3B CB 2B 94 E5 F8 6A 76 CA 16 C1
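
Added example, not part of the original post and not mod_ssl code: it builds the tail regex the way the post describes ('+' quoted, each newline replaced by '.?') and checks it against re-wrapped copies of the same certificate, next to a comparison of the decoded bytes. The function names, the constructed sample bytes standing in for a certificate, and the assumption that '.' matches a newline in the target regex engine (modelled with re.S) are all hypothetical.

```python
import base64, hashlib, re

def wrap(der, width, eol):
    """PEM-encode bytes with a chosen line width and line ending."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *rows,
                     "-----END CERTIFICATE-----"]) + eol

def tail_pattern(pem, body_lines=3):
    """Regex built as in the post: last body lines plus the END line,
    '+' quoted, each newline replaced by '.?'."""
    tail = pem.strip().split("\n")[-(body_lines + 1):]
    return ".?".join(line.replace("+", r"\+") for line in tail)

def tail_matches(pattern, pem):
    # Assumption: '.' also matches a newline in the target engine (re.S here).
    return re.search(pattern, pem, re.S) is not None

def der_fingerprint(pem):
    """SHA-256 of the decoded certificate bytes; PEM whitespace is ignored."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

# Constructed sample: 200 fixed bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(200))
REFERENCE = wrap(SAMPLE_DER, 64, "\n")
PATTERN = tail_pattern(REFERENCE)
VARIANTS = {
    "lf-64": REFERENCE,                        # same wrapping as the reference
    "crlf-64": wrap(SAMPLE_DER, 64, "\r\n"),  # two-character line ending
    "lf-76": wrap(SAMPLE_DER, 76, "\n"),      # different line width
}

def compare():
    """Map variant name -> (tail regex matches, DER fingerprint equal)."""
    ref = der_fingerprint(REFERENCE)
    return {name: (tail_matches(PATTERN, pem), der_fingerprint(pem) == ref)
            for name, pem in VARIANTS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The textual match only holds for the exact wrapping the pattern was built from, while the decoded-byte fingerprint is equal for all three encodings of the same data.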