Bug 610095 - Apache mod_ssl ignores IE when requesting client certificate
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.5
Hardware: i686 Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Joe Orton
QA Contact: BaseOS QE Security Team
Reported: 2010-07-01 10:53 EDT by oscar.gomez
Modified: 2010-07-06 11:14 EDT (History)

Doc Type: Bug Fix
Last Closed: 2010-07-06 11:14:28 EDT
Description oscar.gomez 2010-07-01 10:53:40 EDT
Description of problem:

We have a site that, with RHEL 5.4 (httpd and mod_ssl 2.2.3-31), prompted the user for a client certificate due to an "SSLVerifyClient require" statement. When upgrading to RHEL 5.5 (httpd and mod_ssl 2.2.3-43), it stops working with IE, and with Firefox it works randomly, maybe depending on the browser version. Currently we have restored the backup for 5.4 to keep the environment working, but we'd like to upgrade to 5.5 because this also affects other systems.

There's nothing in the logs when using IE (we didn't try hard debugging because we couldn't stand being without it working).

How reproducible:
Always

Steps to Reproduce:
1. Set SSLVerifyClient require in apache config
2. Browse with IE
Actual results:
IE fails to authenticate, unlike Firefox (but Firefox doesn't always succeed either).

Expected results:
Any browser should be asked for the client certificate.

Additional info:
We have set these SSL options, according to examples:

    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

but no luck at all.
Comment 1 oscar.gomez 2010-07-05 07:10:36 EDT
According to some investigation with httpd developers, it looks like there's a relationship with https://issues.apache.org/bugzilla/show_bug.cgi?id=44073

If this fixes the problem, it looks like the old httpd version supplied with RHEL needs a big upgrade (it's for 2.2.6), and it would be the only solution.
Comment 2 Joe Orton 2010-07-06 06:07:02 EDT
Oscar, I'd recommend you contact Red Hat Support in the first instance where you need help troubleshooting a problem like this.

The upstream bug you reference is not present in the 5.5 httpd package, and the code paths in question would not get executed in a configuration as you indicate.

If you are placing "SSLVerifyClient require" in Directory or Location context, and this problem only occurs with 5.5 and is browser-dependent, then it is highly likely that the issue is due to the secure renegotiation fixes, see:

  https://access.redhat.com/kb/docs/DOC-20491

for more information.  If using "SSLInsecureRenegotiation on" makes the problem go away, that will confirm that hypothesis.  See the above kbase entry and:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

for more information.
Comment 3 oscar.gomez 2010-07-06 07:26:40 EDT
Hi, Joe.

Your suggestion fixed the problem. Thank you very much.
Comment 4 Joe Orton 2010-07-06 11:14:28 EDT
OK.  Please be sure to understand the security implications from using that directive, as described in the kbase article.  I'm closing this bug.
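As an added illustration (not part of this bug report, nor Red Hat's shipped httpd configuration), the two configurations Comment 2 contrasts: a per-Location "SSLVerifyClient require", which mod_ssl can only enforce by renegotiating the TLS session after the request has been read, and the same requirement at virtual-host scope, where the client certificate is requested in the initial handshake and no renegotiation occurs. Hostnames, file paths and the /secure location are placeholders; the two blocks are alternatives for one virtual host, not meant to be active together.

```apache
# Configuration A (the layout that triggers the ticket's symptom; placeholder paths).
# The target URL is unknown during the initial handshake, so mod_ssl renegotiates
# once it sees a request under /secure. After the secure-renegotiation fix in the
# 5.5 package, a browser that lacks RFC 5746 support is refused at that point.
<VirtualHost *:443>
    ServerName            www.example.invalid
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.invalid.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.invalid.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # The workaround that resolved the ticket. It re-enables the pre-fix
    # renegotiation behaviour for every client of this host, with the
    # security implications described in the kbase article; keep it off
    # unless legacy clients leave no other choice.
    # SSLInsecureRenegotiation on
</VirtualHost>

# Configuration B (alternative for the same host): require the certificate at
# virtual-host scope. It is requested in the first handshake, so legacy browsers
# authenticate without SSLInsecureRenegotiation. The trade-off is that every
# URL on this host now needs a client certificate, so public content must be
# served from a separate virtual host.
<VirtualHost *:443>
    ServerName            www.example.invalid
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.invalid.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.invalid.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2
    SSLInsecureRenegotiation off
</VirtualHost>
```

Whether a given host is actually renegotiating can be confirmed with "LogLevel debug" on the ssl_error_log, where mod_ssl records the reconfiguration and renegotiation it performs for per-directory settings.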
