Bug 491763
Summary: | HTTPS+SSLVerifyClient require in <Directory>+big POST = Apache error | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Karl Grindley <kgrindley> |
Component: | httpd | Assignee: | Joe Orton <jorton> |
Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 5.5 | CC: | ohudlick |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-09-02 11:50:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Karl Grindley
2009-03-23 21:47:55 UTC
I can produce test packages with the SSLRenegBufferSize directive added for verification. w.r.t. to the 2 cents: it will be necessary to buffer the request body data somewhere in this case because of the way HTTP over SSL works. Buffering to disk just adds a whole world of extra complexity and different security risks. A well designed web application is able to avoid the case where buffering is required altogether, the buffering in mod_ssl is a workaround for legacy applications. Fixing the web application desing is only the way to avoid the DoS. Joe, I would be happy to test a test package for you. point taken about the complexity and security issues with disk buffering. However, the issue (i *think*) we are having is that there is no way (since http is designed to be stateless) to guarantee that the user would submit the POST before the SSL session cache timeout expires. Therefore some users that take their time submitting the POST data, would get the error. (this however is only my observation, and not sure 100% if this is a correct statement as alot under the hood of apache and mod_ssl is somewhat magic) So far i have been able to find very limited documentation that characterizes this particular issue no documentation as it applies to application design constraints. Do you know of any documentation you might be able to point me too that would shed some light on the issue? Thanks, Karl Ways to avoid this issue are: 1) use a (separate) vhost as the client-cert-protected area, with SSLVerifyClient in vhost context. This ensures that the client cert request is sent in the initial SSL handshake, and a POST request with a 10GB request body will work fine without needing any buffering. 2) ensure by application layout/design that the first request to a client-cert-protected area is a GET, so the server does not have to stop and rehandshake after receiving the POST If you are suffering this issue because of session cache timeouts, why not bump the session cache size/timeout settings? Sorry for the big delay in updating this ticket. We have been characterizing all of the above proposed solutions. Some discovery on our side shows that: -not only does the SSLSessionCacheTimeout impact this issue, as does the KeepAlive and KeepAliveTimeout values -if the keepalive times out first, the SSL renegotiation is triggered, causing this bug to occur I can verify that a get before post (using some simple javascipt on the application side) does the trick, if: -the server has KeepAlive enabled -the KeepAlive timeout values is > than the longest time between the GET and then the POST (should be within seconds) -the SSLSessionCache is enabled and at least the same value of the KeepAlive timeout note that this still does not solve this issue for 100% all users. Since this is dependent on the keepalive working, the user must: -have keepalive enabled in their browser -using a proxy that allows keepalive In our market sector, some DoD agencies might prohibit keepalive either at their proxy or have configured managed desktops with keepalive to be disabled. While #2 solution looks like in the short term, it looks like #1 is the ONLY way to iron-clad solve this issue for all clients. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1380.html |