A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive). If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when the server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via the 'NSSVerifyClient require' setting, mod_nss failed to properly require the expected certificate authentication. A remote attacker able to connect to a web server using such a mod_nss configuration, without a valid client certificate, could possibly use this flaw to access the content of the restricted directories.
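As an added example, not part of this bug report or of mod_nss itself: a small Python audit that scans an httpd configuration for the combination described above (NSSVerifyClient none, or unset, in server / vhost context together with NSSVerifyClient require inside a Directory or Location block), which an unpatched mod_nss would not enforce. The sample configuration, the function name find_affected, and treating an unset directive as the default 'none' are assumptions; only plain Directory/Location/VirtualHost blocks are parsed.

```python
import re

# Constructed sample httpd/mod_nss configuration (not from the bug report).
SAMPLE_CONF = """
NSSEngine on
<Directory "/var/www/html/staff">
    NSSVerifyClient require
</Directory>
<VirtualHost *:8443>
    NSSVerifyClient none
    <Location "/secure">
        NSSVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost *:9443>
    NSSVerifyClient require
    <Directory "/var/www/html/admin">
        NSSVerifyClient require
    </Directory>
</VirtualHost>
"""

OPEN_RE = re.compile(r'^\s*<(VirtualHost|Directory|Location)\b[^>]*>', re.I)
CLOSE_RE = re.compile(r'^\s*</(VirtualHost|Directory|Location)>', re.I)
VERIFY_RE = re.compile(r'^\s*NSSVerifyClient\s+(\S+)', re.I)


def find_affected(conf_text):
    """Return (context_header, block_header) pairs where a Directory/Location
    sets 'NSSVerifyClient require' while its enclosing server/vhost context has
    'NSSVerifyClient none' (or leaves it unset, assumed to default to none).
    On unpatched mod_nss these blocks were not actually protected."""
    findings = []
    # Each frame: [kind, header, verify_mode, nested blocks that require certs]
    stack = [['server', '<server config>', None, []]]
    for line in conf_text.splitlines():
        m_open = OPEN_RE.match(line)
        if m_open:
            stack.append([m_open.group(1).lower(), line.strip(), None, []])
            continue
        if CLOSE_RE.match(line):
            kind, header, mode, nested = stack.pop()
            if kind == 'virtualhost':
                if mode in (None, 'none'):
                    findings.extend((header, d) for d in nested)
            else:  # Directory/Location: report upward to the enclosing context
                if mode == 'require':
                    nested = [header] + nested
                stack[-1][3].extend(nested)
            continue
        m = VERIFY_RE.match(line)
        if m:
            stack[-1][2] = m.group(1).lower()
    _, header, mode, nested = stack[0]
    if mode in (None, 'none'):
        findings.extend((header, d) for d in nested)
    return findings
```

Any pair returned marks a block whose client-certificate requirement depends on the mod_nss fix shipped in the updates listed below.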
Documentation of mod_nss configuration directives, including NSSVerifyClient:
As mod_nss is derived from mod_ssl, NSSVerifyClient is meant to be functionally equivalent to mod_ssl's SSLVerifyClient:
Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.
Created mod_nss tracking bugs for this issue:
Affects: fedora-all [bug 1037722]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:1779 https://rhn.redhat.com/errata/RHSA-2013-1779.html
Patch as applied to Fedora mod_nss packages:
Not yet merged in mod_nss upstream repository.
mod_nss-1.0.8-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.8-27.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.8-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.