Bug 39154

Summary: Problem with webdav over SSL with client certificate autentication
Product: Apache httpd-2    Reporter: Gregor Meinusch <gmeinusch>
Component: mod_ssl    Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE    
Severity: major    
Priority: P2    
Version: 2.2.0   
Target Milestone: ---   
Hardware: All   
OS: Linux   

Description Gregor Meinusch 2006-03-30 14:46:35 UTC
I have a problem with apache 2.2.0 + mod_ssl and mod_dav.
If I try to upload a file over a Client-Certificate secured connection to a
Webdav-folder on the Apache-Server, I get an unspecified error on the Webdav-client
(MS Explorer) and a “request body exceeds maximum size for SSL buffer”-error on
the Apache-side.
If I take off the Client-Certificate-Authentication everything works fine.

I think that is a bug in the mod_ssl module.

Thanks
Gregory


----------------
Logfile:

Error.log
[Thu Mar 30 13:25:26 2006] [error] [client 217.228.63.33] request body exceeds maximum size for SSL buffer
[Thu Mar 30 13:25:26 2006] [error] [client 217.228.63.33] could not buffer message body to allow SSL renegotiation to proceed

access.log
217.228.63.33 - - [30/Mar/2006:13:25:15 +0200] "PROPFIND /freunde/upload/test HTTP/1.1" 207 853 "-" "Microsoft Data Access Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:15 +0200] "PROPFIND /freunde/upload/test HTTP/1.1" 207 963 "-" "Microsoft Data Access Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:20 +0200] "HEAD /freunde/upload/test/test.jpg HTTP/1.1" 404 - "-" "Microsoft Data Access Internet Publishing Provider DAV"
217.228.63.33 - - [30/Mar/2006:13:25:20 +0200] "PUT /freunde/upload/test/test.jpg HTTP/1.1" 413 1090 "-" "Microsoft Data Access Internet Publishing Provider DAV"

----------------
Configuration:
http.conf:

…
<VirtualHost 80.xx.xx.xx:443>
    ServerName   www.xxxxxxx.de

    DocumentRoot /home/xxxxxxx.de/httpsdocs
    CustomLog    /home/xxxxxxx.de/statistics/logs/access_ssl.log
    CustomLog    /home/xxxxxxx.de/statistics/logs/request_ssl.log \
                 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog     /home/xxxxxxx.de/statistics/logs/error_ssl.log

    SSLEngine on
    SSLOptions +StrictRequire
. . .
    DavLockDB /home/xxxxxx.de/conf/webdav/lockdb

    Alias /freunde/upload /home/xxxxxx.de/webdav/freunde
    <Directory /home/xxxxxx.de/webdav/freunde>
        # Per-directory client certificate requirement (the setting Comment 1 refers to).
        SSLVerifyClient require
        # SSLRequire expressions must stay on one line (or use a trailing backslash).
        SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ and %{SSL_CLIENT_S_DN_O} eq "Xxxxxx" && %{SSL_CLIENT_S_DN_CN} in {"Gregor Meinusch"})

        Dav On
        <LimitExcept GET HEAD OPTIONS>
        </LimitExcept>

        Options +SymLinksIfOwnerMatch -Includes -ExecCGI
    </Directory>

. . .
</VirtualHost>

Ssl-global.conf
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin

#SSLSessionCache        nonenotnull
#SSLSessionCache        dbm:/var/lib/apache2/ssl_cache
#SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
#SSLSessionCache        shm:/var/lib/apache2/ssl_cache(512000)
SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache
SSLSessionCacheTimeout  600

# Two SSLMutex directives are given; the last one (sem) takes effect.
SSLMutex  file:/var/lib/apache2/ssl_mutex
SSLMutex  sem

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2

SSLCertificateFile    /home/xxxxxx.de/conf/certificates/www.xxx.de.cert
SSLCertificateKeyFile /home/xxxxxx.de/conf/certificates/www.xxx.de.key
SSLCACertificateFile  /home/xxxxxx.de/conf/certificates/cacerts.pem
SSLVerifyDepth  2

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Comment 1 Ruediger Pluem 2006-03-30 21:16:14 UTC
This does not work on directory level with large files, because we currently do
not buffer the request body on disk but only 128k at max in memory. Moving
SSLVerifyClient require to virtual host level will make it work (see also PR12355).

*** This bug has been marked as a duplicate of 12355 ***
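An added example, not from the bug report or the httpd project, showing the two placements of SSLVerifyClient that Comment 1 contrasts; paths, addresses and the CN value are placeholders.

```apache
# Added example (not from the bug report). Placeholder paths and names.

# --- Placement that triggers the error reported above ---
# The handshake for the vhost completes without a client certificate. Only once
# the request URI is mapped into this <Directory> does mod_ssl learn that a
# certificate is required, so it must renegotiate mid-request. Any PUT body the
# client has already started sending must be buffered first (128k at most in
# memory, per Comment 1); a larger upload is answered with 413 and
# "request body exceeds maximum size for SSL buffer".
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCACertificateFile /etc/apache2/ssl/cacerts.pem
    SSLVerifyDepth 2
    Alias /freunde/upload /srv/webdav/freunde
    <Directory /srv/webdav/freunde>
        SSLVerifyClient require
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"Placeholder User"}
        Dav On
    </Directory>
</VirtualHost>

# --- Placement Comment 1 recommends ---
# The certificate is requested during the initial handshake, before any request
# is read, so no renegotiation and no request-body buffering is needed.
# Trade-off: every request to this vhost now needs a client certificate, not
# only the DAV directory, so keep the DAV share on its own vhost if the rest of
# the site must stay reachable without one.
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCACertificateFile /etc/apache2/ssl/cacerts.pem
    SSLVerifyDepth 2
    SSLVerifyClient require
    Alias /freunde/upload /srv/webdav/freunde
    <Directory /srv/webdav/freunde>
        # Identity restriction can stay per-directory: SSLRequire only
        # evaluates the already-verified certificate, it does not renegotiate.
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"Placeholder User"}
        Dav On
    </Directory>
</VirtualHost>
```

Later httpd releases added SSLRenegBufferSize to raise the in-memory limit for the per-directory case; it is not available in the 2.2.0 build reported here, and raising it only moves the ceiling rather than removing the renegotiation.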
Comment 2 Gregor Meinusch 2006-03-31 07:12:03 UTC
Thank you! Now it works perfectly!