A flaw was found in the way NSSVerifyClient was handled when used in both server / vhost context as well as directory context (specified either via <Directory> or <Location> directive). If 'NSSVerifyClient none' was set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication was expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss failed to properly require expected certificate authentication. Remote attacker able to connect to the web server using such mod_nss configuration and without a valid client certificate could possibly use this flaw to access content of the restricted directories. Documentation of mod_nss configuration directives, including NSSVerifyClient: https://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives As mod_nss is derived form mod_ssl, NSSVerifyClient is meant to be functionally equivalent to mod_ssl's SSLVerifyClient: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient
Acknowledgment: Red Hat would like to thank Albert Smith of OUSD(AT&L) for reporting this issue.
Created mod_nss tracking bugs for this issue: Affects: fedora-all [bug 1037722]
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1779 https://rhn.redhat.com/errata/RHSA-2013-1779.html
Patch as applied to Fedora mod_nss packages: http://pkgs.fedoraproject.org/cgit/mod_nss.git/tree/mod_nss-nssverifyclient.patch?id=63709b8 Not yet merged in mod_nss upstream repository.
mod_nss-1.0.8-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.8-27.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
mod_nss-1.0.8-28.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.