Here is a more complete description of the problem, aligned with my latest
tests.
As the situation is very fuzzy, do not hesitate to answer if you found
additional info.
General Apache configuration to reproduce the problem:
SSLVerifyClient none
SSLVerifyClient require
What's the goal of the question ?
The problem is present, and the solution is trivial.
Do we have to provide a business case with each bug description ?
In this case, the solution implementation would be based on the current use
of the software, only in some environments (the ones the people desc
Bug #25659 is about a memory leak.
The (quite trivial) patch has been provided in 2003, and the
bug is still not corrected !!!
Could somebody include this is next version ?
Thanks,
Marc
It appears that Apache does not use the built-in mechanism
from OpenSSL for CRL validation, but it implements its own one (I guess
because the one from OpenSSL was not complete enough some time ago
?).
It also seems that OpenSSL CRL validation is now much more
complete (IDP, delta CRL, etc.)
This problem is solved, in a much general manner in mod_ssl_error (see bug
35083 - http://nagoya.apache.org/bugzilla/show_bug.cgi?id=35083).
Could we include this soon ?
The only decision is about the inclusion:
- in the distribution, with an option
- as a separate module, with an option
- as a
Couldn't we add one (or several) keywords for important
problems that have a trivial solution ?
This would allow quicker integration.
I think typically about memory leaks and buffer overruns. Once
they are discovered (which is the real difficult part), the fix is usually
trivial - often one
I think I found a buffer overrun in
ssl_callback_SSLVerify_CRL( ) (ssl_engine_kernel.c):
char buff[512]; /* should be plenty
*/[...]
n = BIO_read(bio, buff,
sizeof(buff));buff[n] = '\0';
If there are more than 512 bytes, n=512, thus we write in
buff[512].
We should use
n = BIO_read(b
VC.NET 2005 (still in Beta 5) has much more optimizations (global nes at
link time).
Maybe it would be better to go directly to it, no ?
- Original Message -
From: "Branko Äibej" <[EMAIL PROTECTED]>
To: "William A. Rowe, Jr." <[EMAIL PROTECTED]>
Cc: ; "Tomcat Developers List"
;
Sent: W
In mod_ssl.h, BOOL
is defined as "unsigned
int".
Some mod_ssl parameters are defined as BOOL:
struct SSLSrvConfigRec
{ SSLModConfigRec
*mc; BOOL
enabled; BOOL
proxy_enabled; const
char *vhost_id;
int
vhost
The command
apr_table_setn(r->notes, "ssl-access-forbidden",
"1");is incorrect, as we don't have access to the request
(request_rec struct).
I suppose we could find it, but do we really need this line
?
- Original Message -
From:
[EMAIL PROTECTED]
To: dev@httpd.apa
Here is my final proposal.
I changed it a bit in order to be fully compatible with the
current implementation.
Technical description (based on
2.0.54):
In ssl_io_filter_connect( ) - ssl_engine_io.c - we have 2
cases (at line 1147 and 1173) where the connection may break because of
certifi
I got it working !
Here is my solution. Questions 1 & 4 still
remain.
The additional module (ssl_error) also works, although I
need to fine-tune it.
Feel free to criticize and enhance.
Marc
---
In 'ssl_hook_Access( )' (ssl_engine_kernel.c), the last line
can be replace
Maybe another possibility (?) is to extend the
SSL_CVERIFY_OPTIONAL_NO_CA to also suppress other types of error, although this
may be dangerous as, in this case the certificates are accepted and no error is
generated. Can we still trap the error later ?
To investigate ...
- Original Me
If I'm not wrong, I think what you're looking for is in
${openssl_home}/crypto/x509/x509_vfy.h
Look for :
#define X509_V_OK 0
[... error codes ]
My remark was that I see no variable containing the error code, so i have to
check a string
- Original Message -
From: "Stephane Bailliez"
In case a SSL connection fails because a certificate is
expired, or a CRL is unavailable, etc., the browser receives a SSL error that
results in a cryptic technical error displayed to the user - sometimes only an
error number like in Firefox. In such a situation, the SSL connection could be
15 matches
Mail list logo
