Bug report for Apache httpd-1.3 [2011/01/02]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |10744|New|Nor|2002-07-12|suexec might fail to open log file| |10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i| |10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc| |14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite| |16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore | |16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l| |17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy | |19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build| |21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged | |21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files| |21975|Opn|Nor|2003-07-29|mod_rewrite RewriteMap from external program gets | |22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap| |25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co| |26126|New|Nor|2004-01-14|mod_include hangs with request body | |26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner| |26790|New|Maj|2004-02-09|error deleting old cache file | |29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,| |29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy | |30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe | |30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i| |30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections | |31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle| |32078|New|Enh|2004-11-05|clean up some compiler warnings | |32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE| |32974|Inf|Maj|2005-01-06|Client IP not set | |33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server| |33495|Inf|Cri|2005-02-10|Apache crashes with WSADuplicateSocket failed for| |33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue| |33875|New|Enh|2005-03-07|Apache processes consuming CPU| |34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document| |34114|Inf|Nor|2005-03-21|Apache could interleave log entries when writing t| |34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout | |34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost| |34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql| |35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI| |35439|New|Nor|2005-06-21|Problem with remove /../ in util.c and mod_rewri| |35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie | |3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge| |36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file| |37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt| |37252|New|Reg|2005-10-26|gen_test_char reject NLS string | |38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (| |39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed | |39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn| |39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre| |40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?| |41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove| |42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code = 600 | |43626|New|Maj|2007-10-15|r-path_info returning invalid value | |44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only| |44926|New|Nor|2008-05-02|1.3.41 binary downloads are faulty MSIs |
Re: SSLRequire UTF-8 characters backward compatibility
On 31/12/2010 07:52, Kaspar Brand wrote:
On 30.12.2010 13:43, Stefan Fritsch wrote:
The latter. I suggest using ASN1_STRING_print_ex() with
ASN1_STRFLGS_RFC2253 ~ASN1_STRFLGS_ESC_MSB (will escape them as
\0).
OK, makes sense.
ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this
change would also introduce an incompatibility with 2.2.x for all the
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables.
Good point, I didn't consider this when I came up with the suggestion
quoted above. My new proposal would be to (only) use
ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_UTF8_CONVERT
for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables instead. This will
escape the control characters (0x0 through 0x1f), but not the others
listed in RFC 2253 - most of which primarily make sense when a complete
DN is rendered, not single attribute values.
This would then also be covered by the SSLOption LegacyDNStringFormat.
With the proposed change to the ASN1_STRING_print_ex flags, I think that
we could unconditionally use the new format for the
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables, as there is no incompatibility
with simple strings (i.e., 7-bit characters encoded as
PRINTABLESTRINGs or IA5STRINGs). For non-ASCII characters, the current
code produces unusable results in many cases anyway, so I would not try
to retain that as a legacy string rendering.
I would like to have opinions from other people before committing this.
Yes, please - additional opinions appreciated.
Well it wont be totally compatible with the old format even if it only contains
7-bit ASCII characters. For example the tab character would be escaped.
There is a bug in OpenSSL currently for those options: it doesn't escape the
escape character itself (which it should treat as a special case and always
escape it if any other escaping is in use). That means some representations are
ambiguous with those options.
When that is fixed even 7 bit without control characters will have at least one
difference: the backslash will always appear escaped as \\.
Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
On 01/02/2011 12:56 AM, s...@apache.org wrote:
Author: sf
Date: Sat Jan 1 23:56:24 2011
New Revision: 1054323
URL: http://svn.apache.org/viewvc?rev=1054323view=rev
Log:
Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/upgrading.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1054323r1=1054322r2=1054323view=diff
==
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Jan 1 23:56:24 2011
@@ -344,14 +344,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca,
#endif
}
+/* convert a NAME_ENTRY to UTF8 string */
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+{
+char *result = NULL;
+BIO* bio;
+int len;
+
+if ((bio = BIO_new(BIO_s_mem())) == NULL)
+return NULL;
+ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
+ ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
+len = BIO_pending(bio);
+result = apr_palloc(p, len+1);
+len = BIO_read(bio, result, len);
+result[len] = NUL;
+BIO_free(bio);
+ap_xlate_proto_from_ascii(value, len);
Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead?
Regards
Rüdiger
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h
On Sunday 02 January 2011, Rüdiger Plüm wrote:
On 01/02/2011 12:56 AM, s...@apache.org wrote:
Author: sf
Date: Sat Jan 1 23:56:24 2011
New Revision: 1054323
URL: http://svn.apache.org/viewvc?rev=1054323view=rev
Log:
Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8,
and escape other special characters with backslashes. The old
format can still be used with the LegacyDNStringFormat argument
to SSLOptions.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/upgrading.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_u
til_ssl.c?rev=1054323r1=1054322r2=1054323view=diff
== --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
(original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat
Jan 1 23:56:24 2011 @@ -344,14 +344,32 @@ BOOL
SSL_X509_getBC(X509 *cert, int *ca,
#endif
}
+/* convert a NAME_ENTRY to UTF8 string */
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p,
X509_NAME_ENTRY *xsne) +{
+char *result = NULL;
+BIO* bio;
+int len;
+
+if ((bio = BIO_new(BIO_s_mem())) == NULL)
+return NULL;
+ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
+
ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT); +len =
BIO_pending(bio);
+result = apr_palloc(p, len+1);
+len = BIO_read(bio, result, len);
+result[len] = NUL;
+BIO_free(bio);
+ap_xlate_proto_from_ascii(value, len);
Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead?
Of course, thanks. Fixed in r1054453.
Re: SSLRequire UTF-8 characters backward compatibility
On Sunday 02 January 2011, Dr Stephen Henson wrote:
On 31/12/2010 07:52, Kaspar Brand wrote:
On 30.12.2010 13:43, Stefan Fritsch wrote:
The latter. I suggest using ASN1_STRING_print_ex() with
ASN1_STRFLGS_RFC2253 ~ASN1_STRFLGS_ESC_MSB (will escape them
as \0).
OK, makes sense.
ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So
this change would also introduce an incompatibility with 2.2.x
for all the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables.
Good point, I didn't consider this when I came up with the
suggestion quoted above. My new proposal would be to (only) use
ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_UTF8_CONVERT
for the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables instead. This
will escape the control characters (0x0 through 0x1f), but not
the others listed in RFC 2253 - most of which primarily make
sense when a complete DN is rendered, not single attribute
values.
This would then also be covered by the SSLOption
LegacyDNStringFormat.
With the proposed change to the ASN1_STRING_print_ex flags, I
think that we could unconditionally use the new format for the
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables, as there is no
incompatibility with simple strings (i.e., 7-bit characters
encoded as PRINTABLESTRINGs or IA5STRINGs). For non-ASCII
characters, the current code produces unusable results in many
cases anyway, so I would not try to retain that as a legacy
string rendering.
I would like to have opinions from other people before
committing this.
Yes, please - additional opinions appreciated.
Well it wont be totally compatible with the old format even if it
only contains 7-bit ASCII characters. For example the tab
character would be escaped.
I don't think we need to care about control characters. I can't
imagine any legitimate use in certificates.
There is a bug in OpenSSL currently for those options: it doesn't
escape the escape character itself (which it should treat as a
special case and always escape it if any other escaping is in
use). That means some representations are ambiguous with those
options.
When that is fixed even 7 bit without control characters will have
at least one difference: the backslash will always appear escaped
as \\.
I guess backslashes are very seldomly used in certificates. Therefore,
I would just document that change for now and only add a backward
compatibility option if the change turns out to be a problem for
users.
Re: SSLRequire UTF-8 characters backward compatibility
On 02/01/2011 18:42, Stefan Fritsch wrote: On Sunday 02 January 2011, Dr Stephen Henson wrote: There is a bug in OpenSSL currently for those options: it doesn't escape the escape character itself (which it should treat as a special case and always escape it if any other escaping is in use). That means some representations are ambiguous with those options. When that is fixed even 7 bit without control characters will have at least one difference: the backslash will always appear escaped as \\. I guess backslashes are very seldomly used in certificates. Therefore, I would just document that change for now and only add a backward compatibility option if the change turns out to be a problem for users. I'm thinking here how that might be abused. In the current broken OpenSSL code it doesn't escape a backslash with those options. So the following look identical when printed: 1. The single octet 0xFF. 2. The three character string \FF. Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography Advisor, Open Source Software Institute: www.oss-institute.org OpenSSL Core team: www.openssl.org
