Bug 488886

Summary: mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
Product: Red Hat Enterprise Linux 5
Reporter: Karl Grindley <kgrindley>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.5
CC: ohudlick
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
: 488939
Last Closed: 2009-09-02 07:50:39 EDT

Description Karl Grindley 2009-03-05 22:59:38 EST
Description of problem:
If SSLClientVerify for a <directory> is configured, such as:
<Directory "/var/www/html/site">
  SSLVerifyClient require
  SSLVerifyDepth  10
</Directory>

And mod rewrite is configured for this site: (via .htaccess in before mentioned

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

Variables submitted in a POST do NOT show up on the script/PHP side.
Disabling mod_rewrite or SSLVerifyClient for the path will cause POST
variables to be defined.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. Set up an HTTPS server with a certificate bundle and turn on SSLVerifyClient
2. Install a client certificate in your browser
3. Set up mod_rewrite rules
4. Load any page, and try to submit POST variables.  phpinfo() will show no $_POST is defined.

Actual results:
no $_POST variables in php land with this configuration

Expected results:
need those $_POST variables

Additional info:

Comment 1 Joe Orton 2009-03-06 05:39:07 EST
Ah, this is a known bug in the mod_ssl per-dir-reneg code; I fixed it upstream a while back.  Thanks for the report.
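
Added example, not part of the original report or of httpd: a small Python scan that lists every SSLVerifyClient set in per-directory context, which is the kind of configuration that makes mod_ssl renegotiate after the request has been read and so exercises the per-dir-reneg code named in Comment 1. The function name, the is_htaccess flag and the sample config (including its vhost-level "SSLVerifyClient none") are assumptions made for the example.

```python
import re

# Containers whose contents are per-directory context in Apache httpd.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")

def find_perdir_client_verify(conf_text, is_htaccess=False):
    """Return (line_no, context, level) for every SSLVerifyClient set in
    per-directory context, where mod_ssl renegotiates after reading the request."""
    stack, findings = [], []   # stack holds open containers as (name, arg)
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:  # pop back to the innermost matching opener, ignore strays
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0] == m.group(1).lower():
                    del stack[i:]
                    break
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip('"')))
            continue
        parts = line.split()
        if parts[0].lower() != "sslverifyclient" or len(parts) < 2:
            continue
        per_dir = [c for c in stack if c[0] in PER_DIR]
        if per_dir:
            findings.append((line_no, "<%s %s>" % per_dir[-1], parts[1].lower()))
        elif is_htaccess:  # everything in a .htaccess file is per-directory
            findings.append((line_no, ".htaccess", parts[1].lower()))
    return findings

# Constructed sample (the vhost-level "none" is an assumption).
SAMPLE = """\
<VirtualHost *:443>
  SSLVerifyClient none
  <Directory "/var/www/html/site">
    SSLVerifyClient require
    SSLVerifyDepth  10
  </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    print(find_perdir_client_verify(SAMPLE))
```

Pass is_htaccess=True when scanning a .htaccess file; server-level and VirtualHost-level settings are not reported because they are applied during the initial handshake.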

Comment 2 Joe Orton 2009-03-06 05:40:39 EST
Fixed upstream by: http://svn.apache.org/viewvc?rev=591393&view=rev

Comment 4 Karl Grindley 2009-03-06 09:43:05 EST
Would it be possible to get this integrated into the next bug release of http/mod_ssl via RHN?

For my short term needs, I think I am going to try to patch the source rpm with your changes and see what happens.

Comment 5 Joe Orton 2009-03-06 10:04:59 EST
The fix is now scheduled for inclusion in RHEL 5.4.  If you need a supported fix sooner please contact Red Hat Support.

Comment 6 Karl Grindley 2009-03-07 11:59:03 EST
Fix works great!  I was able to recompile the SRPM with the patch, and first round of testing looks great!  Thanks for the pointer.

Comment 7 Joe Orton 2009-03-09 07:45:25 EDT
Good to hear - thanks for posting the feedback.

Comment 11 errata-xmlrpc 2009-09-02 07:50:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.