Bug 488886 - mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
mod_rewrite+mod_ssl+SSLVerifyClient = no POST variables
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd (Show other bugs)
All Linux
low Severity medium
: rc
: ---
Assigned To: Joe Orton
Depends On:
  Show dependency treegraph
Reported: 2009-03-05 22:59 EST by Karl Grindley
Modified: 2009-09-02 07:50 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 488939 (view as bug list)
Last Closed: 2009-09-02 07:50:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 43738 None None None Never

  None (edit)
Description Karl Grindley 2009-03-05 22:59:38 EST
Description of problem:
If SSLClientVerify for a <directory> is configured, such as:
<Directory "/var/www/html/site">
  SSLVerifyClient require
  SSLVerifyDepth  10

And mod rewrite is configured for this site: (via .htaccess in before mentioned

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

Submitting a POST with variables defined do NOT show up on the script/php side.
 Disabling mod_rewrite or SSLVerifyClient for the path will cause POST
variables to be defined.

Version-Release number of selected component (if applicable):

How reproducible:
every time

Steps to Reproduce:
1. setup an https server with a certificate bundle and turn on sslVerifyClient
2. install a client certificate in your browser
3. setup mod rewrite rules
4. load any page, and try to submit POST variables.  phpinfo() will show no $_POST is defined.
Actual results:
no $_POST variables in php land with this configuration

Expected results:
need those $_POST variables

Additional info:
Comment 1 Joe Orton 2009-03-06 05:39:07 EST
Ah, this is a known bug in the mod_ssl per-dir-reneg code; I fixed it upstream a while back.  Thanks for the report.
Comment 2 Joe Orton 2009-03-06 05:40:39 EST
Fixed upstream by: http://svn.apache.org/viewvc?rev=591393&view=rev
Comment 4 Karl Grindley 2009-03-06 09:43:05 EST
Would it be possible to get this integrated into the next bug release of http/mod_ssl via RHN?

For my short term needs, i think i am going to try to patch the source rpm with your changes and see what happens.
Comment 5 Joe Orton 2009-03-06 10:04:59 EST
The fix is now scheduled for inclusion in RHEL 5.4.  If you need a supported fix sooner please contact Red Hat Support.
Comment 6 Karl Grindley 2009-03-07 11:59:03 EST
Fix works great!  i was able to recompile up the SRPM with the patch, and first round of testing looks great!  Thanks for the pointer.
Comment 7 Joe Orton 2009-03-09 07:45:25 EDT
Good to hear - thanks for posting the feedback.
Comment 11 errata-xmlrpc 2009-09-02 07:50:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.