SSLRequire problem

on 19.11.2009 21:19:00 by David Rosenstrauch

Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
seem to be working. Can anyone help?

The directive is actually quite simple:

# Require SSL over non-obvious port 81 for SVN access
SSLRequire %{SERVER_PORT} == 81

This is actually working fine when the client is a web browser. (i.e.,
using HTTPD method GET).

But the server is actually hosting Subversion (via WebDAV), so the
client is an SVN client (which uses HTTP methods OPTIONS, PROPFIND, and
REPORT). And when the URL is accessed that way it fails, with the
following appearing in the log:

[Thu Nov 19 19:37:53 2009] [error] [client ] access to
failed, reason: SSL requirement expression not fulfilled
(see SSL logfile for more details)

Even when I crank up the debugging, I still don't get any useful info as
to what's happening:

[Thu Nov 19 19:37:53 2009] [info] Failed expression: %{SERVER_PORT} == 81

Anyone have any idea what's going on here? Is there any way to debug
the SSLRequire expression?

I'm using mod_ssl 2.2.3 with Apache on CentOS 5.2.

Thanks,

DR
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLRequire problem

on 20.11.2009 10:50:12 by Joe Orton

On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
> seem to be working. Can anyone help?
>
> The directive is actually quite simple:
>
> # Require SSL over non-obvious port 81 for SVN access
> SSLRequire %{SERVER_PORT} == 81

The port which %{SERVER_PORT} expands to is determined by the settings
of UseCanonicalPhysicalPort and UseCanonicalName. For different
combinations it will depend on either what the client sends in the
request's Host header, what the ServerName directive is set to in the
vhost, or what httpd derives as the "canonical" name for the vhost to be
otherwise.

See docs for more info:

http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport

Regards, Joe
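
Added example (not part of the thread and not httpd code): a Python model of the port ordering given in the httpd 2.2 documentation linked above, showing how `%{SERVER_PORT} == 81` can evaluate false on a listener that is physically on port 81. The hostname, the Host header values, the 443 default port and all function names are constructed assumptions, not a diagnosis of the poster's setup.

```python
# Model of the port-selection order in the httpd 2.2 documentation for
# UseCanonicalName / UseCanonicalPhysicalPort. Illustrative, not httpd code.

def host_header_port(host):
    """Port from a Host header value, or None when the client sent none."""
    name, sep, port = host.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def server_port(canonical_name, physical_port_on, host, physical_port,
                servername_port, default_port):
    """Port that %{SERVER_PORT} expands to under the documented ordering.

    canonical_name: "On", "Off" or "DNS"; physical_port_on: bool.
    servername_port is None when ServerName carries no port.
    """
    if canonical_name == "On":
        order = [servername_port]
        if physical_port_on:
            order.append(physical_port)
    else:  # "Off" or "DNS": the client's Host header is consulted first
        order = [host_header_port(host)]
        if physical_port_on:
            order.append(physical_port)
        order.append(servername_port)
    order.append(default_port)
    return next(p for p in order if p)

def ssl_require_port_81(**request):
    """Evaluate the thread's expression: SSLRequire %{SERVER_PORT} == 81."""
    return server_port(**request) == 81

# Constructed scenario: HTTPS listener on port 81, ServerName without a port,
# UseCanonicalName at its default (Off), scheme default port 443.
BASE = dict(canonical_name="Off", physical_port=81,
            servername_port=None, default_port=443)
WITH_PORT = "svn.example.test:81"   # constructed Host header
WITHOUT_PORT = "svn.example.test"   # constructed Host header, no port

if __name__ == "__main__":
    for host in (WITH_PORT, WITHOUT_PORT):
        for on in (False, True):
            ok = ssl_require_port_81(host=host, physical_port_on=on, **BASE)
            print(f"Host: {host:22} UseCanonicalPhysicalPort "
                  f"{'On' if on else 'Off':3} -> "
                  f"{'allowed' if ok else 'denied'}")
```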

Re: SSLRequire problem

on 20.11.2009 16:28:33 by David Rosenstrauch

On 11/20/2009 04:50 AM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
>> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
>> seem to be working. Can anyone help?
>>
>> The directive is actually quite simple:
>>
>> # Require SSL over non-obvious port 81 for SVN access
>> SSLRequire %{SERVER_PORT} == 81
>
> The port which %{SERVER_PORT} expands to is determined by the settings
> of UseCanonicalPhysicalPort and UseCanonicalName. For different
> combinations it will depend on either what the client sends in the
> request's Host header, what the ServerName directive is set to in the
> vhost, or what httpd derives as the "canonical" name for the vhost to be
> otherwise.
>
> See docs for more info:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport
>
> Regards, Joe

Huh! Never heard of those before!

OK, well, I'm still not sure I quite understand the reason why, but
"UseCanonicalPhysicalPort on" does seem to have fixed the problem.

Thanks much for the help!

DR