Bug 101514 - mod_ssl from apache is compiled with SSL_CONSERVATIVE (bad)
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: mod_ssl
Version: 9
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
Reported: 2003-08-02 01:09 EDT by mattb
Modified: 2007-04-18 12:56 EDT
Doc Type: Bug Fix
Last Closed: 2003-10-09 04:16:44 EDT


Description mattb 2003-08-02 01:09:28 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030630

Description of problem:
mod_ssl from httpd is compiled with -DSSL_CONSERVATIVE which yields erroneous
behavior when attempting to negotiate an SSL connection with a client presenting
a certificate during a POST operation:

http://www.mail-archive.com/modssl-users@modssl.org/msg16177.html
http://www.mail-archive.com/modssl-users@modssl.org/msg15667.html

Having SSLVerifyClient work with POSTs is absolutely essential in using Apache's
httpd as a commercial Web Services provider, since HTTP POSTs are the
transportation of choice for protocols like SOAP and REST, and client
certificate authentication is necessary for securing those transactions.

The results of compiling with SSL_CONSERVATIVE have far-reaching negative
effects into SSL POST operations in PHP, FastCGI servers, and just about
everything else you can think of.

Version-Release number of selected component (if applicable):
httpd-2.0.40-21.3

How reproducible:
Always

Steps to Reproduce:
You can see that the operations have been left out of RedHat's version of httpd
by doing the following:

# This should print out at least one function name
strings /etc/httpd/modules/mod_ssl.so | grep suck

Actual Results:  As it now stands, the appropriate functions are missing from
the binary version of httpd, and a POST using SSL will fail if SSLVerifyClient
is anything other than "none", resulting in a message in
/etc/httpd/logs/ssl_error_log:

"SSL Re-negotiation in conjunction with POST method not supported!!hint: try SSLOptions +OptRenegotiate"

Expected Results:  If SSL_CONSERVATIVE was not given as a compile flag to
mod_ssl, then an SSL POST with SSLVerifyClient set to "optional_no_ca" should
work just as it would with SSLVerifyClient set to "none".

Additional info:
Comment 1 mattb 2003-08-02 01:52:17 EDT
Okay, this is actually not a bug for RedHat. SSL_CONSERVATIVE has been removed
and its functionality has become part of the standard Apache 2.0 web server. The
problem is the functions which fix this behavior have not been rewritten to take
advantage of the Apache 2 API.

I'm not sure what the appropriate resolved state is, so I'll leave that to
someone who knows better, but this is not a RedHat build issue.
Comment 2 Joe Orton 2003-10-09 04:16:44 EDT
This is being tracked upstream as:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18395

Thanks for the report.
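
An added example, not part of the original report or of mod_ssl: a small Python audit that finds SSLVerifyClient directives in per-directory context, where mod_ssl renegotiates after the request has been read (the situation behind the error quoted in the description), and counts that error in a log. The sample configuration, the sample log lines and all function names are constructed for this example.

```python
import re

# Error text as quoted in the report's ssl_error_log excerpt.
RENEG_MSG = "SSL Re-negotiation in conjunction with POST method not supported"
# httpd containers that put a directive in per-directory context.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

# Constructed sample inputs (not taken from the bug report).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLVerifyClient none
<Location /soap>
SSLVerifyClient optional_no_ca
</Location>
</VirtualHost>
"""
SAMPLE_LOG = """\
[Sat Aug 02 01:00:00 2003] [error] SSL Re-negotiation in conjunction with POST method not supported!
[Sat Aug 02 01:00:05 2003] [notice] caught SIGTERM, shutting down
"""

def audit_config(text):
    """Return (line_no, context, level) for every SSLVerifyClient directive."""
    stack, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.match(r"</\s*\w+", line):            # closing container
            if stack:
                stack.pop()
        elif (m := re.match(r"<\s*(\w+)", line)):  # opening container
            stack.append(m.group(1).lower())
        elif (m := re.match(r"SSLVerifyClient\s+(\S+)", line, re.I)):
            ctx = "per-directory" if PER_DIR & set(stack) else "server"
            findings.append((no, ctx, m.group(1).lower()))
    return findings

def at_risk(findings):
    """Directives that can force a renegotiation after the request is read."""
    return [f for f in findings if f[1] == "per-directory" and f[2] != "none"]

def count_reneg_errors(log_text):
    """Count log lines carrying the renegotiation/POST error."""
    return sum(RENEG_MSG in line for line in log_text.splitlines())

if __name__ == "__main__":
    for no, ctx, level in at_risk(audit_config(SAMPLE_CONF)):
        print(f"line {no}: SSLVerifyClient {level} in {ctx} context")
    print("renegotiation errors in log:", count_reneg_errors(SAMPLE_LOG))
```

A directive reported in server context has the client certificate requested during the initial handshake, so no renegotiation is needed when the POST body arrives.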
