Bug report for Apache httpd-1.3 [2011/01/02]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |10744|New|Nor|2002-07-12|suexec might fail to open log file| |10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i| |10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc| |14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite| |16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore | |16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l| |17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy | |19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build| |21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged | |21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files| |21975|Opn|Nor|2003-07-29|mod_rewrite RewriteMap from external program gets | |22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap| |25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co| |26126|New|Nor|2004-01-14|mod_include hangs with request body | |26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner| |26790|New|Maj|2004-02-09|error deleting old cache file | |29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,| |29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy | |30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe | |30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i| |30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections | |31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle| |32078|New|Enh|2004-11-05|clean up some compiler warnings | |32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE| |32974|Inf|Maj|2005-01-06|Client IP not set | |33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server| |33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for| |33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue| |33875|New|Enh|2005-03-07|Apache processes consuming CPU| |34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document| |34114|Inf|Nor|2005-03-21|Apache could interleave log entries when writing t| |34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout | |34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost| |34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql| |35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI| |35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri| |35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie | |3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge| |36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file| |37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt| |37252|New|Reg|2005-10-26|gen_test_char reject NLS string | |38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (| |39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed | |39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn| |39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre| |40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?| |41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove| |42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600 | |43626|New|Maj|2007-10-15|r-path_info returning invalid value | |44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only| |44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs |
Re: SSLRequire UTF-8 characters backward compatibility
On 31/12/2010 07:52, Kaspar Brand wrote: On 30.12.2010 13:43, Stefan Fritsch wrote: The latter. I suggest using ASN1_STRING_print_ex() with ASN1_STRFLGS_RFC2253 ~ASN1_STRFLGS_ESC_MSB (will escape them as \0). OK, makes sense. ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this change would also introduce an incompatibility with 2.2.x for all the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. Good point, I didn't consider this when I came up with the suggestion quoted above. My new proposal would be to (only) use ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_UTF8_CONVERT for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables instead. This will escape the control characters (0x0 through 0x1f), but not the others listed in RFC 2253 - most of which primarily make sense when a complete DN is rendered, not single attribute values. This would then also be covered by the SSLOption LegacyDNStringFormat. With the proposed change to the ASN1_STRING_print_ex flags, I think that we could unconditionally use the new format for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables, as there is no incompatibility with simple strings (i.e., 7-bit characters encoded as PRINTABLESTRINGs or IA5STRINGs). For non-ASCII characters, the current code produces unusable results in many cases anyway, so I would not try to retain that as a legacy string rendering. I would like to have opinions from other people before committing this. Yes, please - additional opinions appreciated. Well it wont be totally compatible with the old format even if it only contains 7-bit ASCII characters. For example the tab character would be escaped. There is a bug in OpenSSL currently for those options: it doesn't escape the escape character itself (which it should treat as a special case and always escape it if any other escaping is in use). That means some representations are ambiguous with those options. When that is fixed even 7 bit without control characters will have at least one difference: the backslash will always appear escaped as \\. Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography Advisor, Open Source Software Institute: www.oss-institute.org OpenSSL Core team: www.openssl.org
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
On 01/02/2011 12:56 AM, s...@apache.org wrote: Author: sf Date: Sat Jan 1 23:56:24 2011 New Revision: 1054323 URL: http://svn.apache.org/viewvc?rev=1054323view=rev Log: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and escape other special characters with backslashes. The old format can still be used with the LegacyDNStringFormat argument to SSLOptions. Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml httpd/httpd/trunk/docs/manual/upgrading.xml httpd/httpd/trunk/modules/ssl/ssl_engine_config.c httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c httpd/httpd/trunk/modules/ssl/ssl_private.h httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1054323r1=1054322r2=1054323view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Jan 1 23:56:24 2011 @@ -344,14 +344,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, #endif } +/* convert a NAME_ENTRY to UTF8 string */ +char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne) +{ +char *result = NULL; +BIO* bio; +int len; + +if ((bio = BIO_new(BIO_s_mem())) == NULL) +return NULL; +ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne), + ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT); +len = BIO_pending(bio); +result = apr_palloc(p, len+1); +len = BIO_read(bio, result, len); +result[len] = NUL; +BIO_free(bio); +ap_xlate_proto_from_ascii(value, len); Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead? Regards Rüdiger
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
On Sunday 02 January 2011, Rüdiger Plüm wrote: On 01/02/2011 12:56 AM, s...@apache.org wrote: Author: sf Date: Sat Jan 1 23:56:24 2011 New Revision: 1054323 URL: http://svn.apache.org/viewvc?rev=1054323view=rev Log: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and escape other special characters with backslashes. The old format can still be used with the LegacyDNStringFormat argument to SSLOptions. Modified: httpd/httpd/trunk/CHANGES httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml httpd/httpd/trunk/docs/manual/upgrading.xml httpd/httpd/trunk/modules/ssl/ssl_engine_config.c httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c httpd/httpd/trunk/modules/ssl/ssl_private.h httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_u til_ssl.c?rev=1054323r1=1054322r2=1054323view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Jan 1 23:56:24 2011 @@ -344,14 +344,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, #endif } +/* convert a NAME_ENTRY to UTF8 string */ +char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne) +{ +char *result = NULL; +BIO* bio; +int len; + +if ((bio = BIO_new(BIO_s_mem())) == NULL) +return NULL; +ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne), + ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT); +len = BIO_pending(bio); +result = apr_palloc(p, len+1); +len = BIO_read(bio, result, len); +result[len] = NUL; +BIO_free(bio); +ap_xlate_proto_from_ascii(value, len); Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead? Of course, thanks. Fixed in r1054453.
Re: SSLRequire UTF-8 characters backward compatibility
On Sunday 02 January 2011, Dr Stephen Henson wrote: On 31/12/2010 07:52, Kaspar Brand wrote: On 30.12.2010 13:43, Stefan Fritsch wrote: The latter. I suggest using ASN1_STRING_print_ex() with ASN1_STRFLGS_RFC2253 ~ASN1_STRFLGS_ESC_MSB (will escape them as \0). OK, makes sense. ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this change would also introduce an incompatibility with 2.2.x for all the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. Good point, I didn't consider this when I came up with the suggestion quoted above. My new proposal would be to (only) use ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_UTF8_CONVERT for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables instead. This will escape the control characters (0x0 through 0x1f), but not the others listed in RFC 2253 - most of which primarily make sense when a complete DN is rendered, not single attribute values. This would then also be covered by the SSLOption LegacyDNStringFormat. With the proposed change to the ASN1_STRING_print_ex flags, I think that we could unconditionally use the new format for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables, as there is no incompatibility with simple strings (i.e., 7-bit characters encoded as PRINTABLESTRINGs or IA5STRINGs). For non-ASCII characters, the current code produces unusable results in many cases anyway, so I would not try to retain that as a legacy string rendering. I would like to have opinions from other people before committing this. Yes, please - additional opinions appreciated. Well it wont be totally compatible with the old format even if it only contains 7-bit ASCII characters. For example the tab character would be escaped. I don't think we need to care about control characters. I can't imagine any legitimate use in certificates. There is a bug in OpenSSL currently for those options: it doesn't escape the escape character itself (which it should treat as a special case and always escape it if any other escaping is in use). That means some representations are ambiguous with those options. When that is fixed even 7 bit without control characters will have at least one difference: the backslash will always appear escaped as \\. I guess backslashes are very seldomly used in certificates. Therefore, I would just document that change for now and only add a backward compatibility option if the change turns out to be a problem for users.
Re: SSLRequire UTF-8 characters backward compatibility
On 02/01/2011 18:42, Stefan Fritsch wrote: On Sunday 02 January 2011, Dr Stephen Henson wrote: There is a bug in OpenSSL currently for those options: it doesn't escape the escape character itself (which it should treat as a special case and always escape it if any other escaping is in use). That means some representations are ambiguous with those options. When that is fixed even 7 bit without control characters will have at least one difference: the backslash will always appear escaped as \\. I guess backslashes are very seldomly used in certificates. Therefore, I would just document that change for now and only add a backward compatibility option if the change turns out to be a problem for users. I'm thinking here how that might be abused. In the current broken OpenSSL code it doesn't escape a backslash with those options. So the following look identical when printed: 1. The single octet 0xFF. 2. The three character string \FF. Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography Advisor, Open Source Software Institute: www.oss-institute.org OpenSSL Core team: www.openssl.org