610095 – Apache mod_ssl ignores IE when requesting client certificate

Bug 610095 - Apache mod_ssl ignores IE when requesting client certificate

Summary: Apache mod_ssl ignores IE when requesting client certificate

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	httpd
Sub Component:
Version:	5.5
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Joe Orton
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-07-01 14:53 UTC by oscar.gomez
Modified:	2010-07-06 15:14 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-07-06 15:14:28 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description oscar.gomez 2010-07-01 14:53:40 UTC

Description of problem:

We have a site that with RHEL 5.4 (httpd and mod_ssl 2.2.3-31) prompted the user for a client certificate due to a "SSLVerifyClient require" statement. When upgrading to RHEL 5.5 (httpd and mod_ssl 2.2.3-43), it stops working with IE, and with Firefox, it works randomly, maybe depending on the browser version. Currently we have restored the backup for 5.4 to keep the environment working, but we'd like to upgrade to 5.5 because this also affects other systems.

There's nothing in logs when using IE (we didn't try hard debugging because we couldn't stand without working).

How reproducible:
Always

Steps to Reproduce:
1. Set SSLVerifyClient require in apache config
2. Browse with IE
3. 
  
Actual results:
IE fails to authenticate, unlike firefox (but not always firefox succeeds).

Expected results:
Any browser should be asked for the client certificate

Additional info:
We have set these SSL options, according to examples:

    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

but no luck at all

Comment 1 oscar.gomez 2010-07-05 11:10:36 UTC

According to some investigation with httpd developers, it looks like there's a relationship with https://issues.apache.org/bugzilla/show_bug.cgi?id=44073

If this fixes the problem, it looks that the old httpd version supplied with RHEL needs a big upgrade (it's for 2.2.6), and it would be the only solution.

Comment 2 Joe Orton 2010-07-06 10:07:02 UTC

Oscar, I'd recommend you contact Red Hat Support in the first instance where you need help troubleshooting a problem like this.

The upstream bug you reference is not present in the 5.5 httpd package, and the code paths in question would not get executed in a configuration as you indicate.

If you are placing "SSLVerifyClient require" in Directory or Location context, and this problem only occurs with 5.5 and is browser-dependent, then it is highly likely that the issue is due to the secure renegotiation fixes, see:

  https://access.redhat.com/kb/docs/DOC-20491

for more information.  If using "SSLInsecureRenegotiation on" makes the problem go away, that will confirm that hypothesis.  See the above kbase entry and:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

for more information.

Comment 3 oscar.gomez 2010-07-06 11:26:40 UTC

Hi, Joe.


Your suggestion fixed the problem. Thank you very much.

Comment 4 Joe Orton 2010-07-06 15:14:28 UTC

OK.  Please be sure to understand the security implications from using that directive, as described in the kbase article.  I'm closing this bug.

Note You need to log in before you can comment on or make changes to this bug.