Bug 48215

Summary: Renegotiation with SSLVerifyDepth 0 requires multiple client authentication
Product: Apache httpd-2 Reporter: jmdesp
Component: mod_ssl Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED    
Severity: normal CC: bzasf
Priority: P2 Keywords: FixedInTrunk
Version: 2.2.13   
Target Milestone: ---   
Hardware: All   
OS: All   
See Also: https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
Bug Depends on:    
Bug Blocks: 48228    
Attachments: The error log with LogLevel debug
A complete package of file, for reproduction, with a full capture of the problem
Proposed fix

Description jmdesp 2009-11-17 10:59:35 UTC
Created attachment 24552 [details]
The error log with LogLevel debug

After connecting to a URL without client authentication, connecting to a URL
that requires it starts an SSL renegotiation several times instead of only once.

The exact number of renegotiations depends on some unknown factor.
I have a full repro procedure from scratch where it happens 2 times, but also a
server locally where it happens 6 times.

I'll attach:
- an httpd.conf that reproduces the problem
- the self-signed certificate and private key of the server
- the content of error.log after an instance of this problem
- a .cap file of the exchange between the client and the server
- the decoding of the exchange with tshark -V  -o "ssl.keys_list:
172.30.24.37,443,http,apache/conf/authentication.key"

Full repro procedure based on EasyPHP 5.3.0 (Apache/2.2.13 (Win32) -
OpenSSL/0.9.8k):
- download and install EasyPHP 5.3.0 (
- edit its default httpd.conf
Listen *:443

LoadModule ssl_module modules/mod_ssl.so

SSLSessionCache        "shmcb:${path}/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  3000
SSLCipherSuite AES+RSA+SHA1

NameVirtualHost *:443
<VirtualHost *:443>
   SSLEngine On 
   SSLCertificateFile "${path}/apache/conf/authentication.cer"
   SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
   <Location /authentication/>
    SSLVerifyClient optional_no_ca
       SSLVerifyDepth 0
   </Location>
   DocumentRoot "${path}/www"
</VirtualHost>
- create a index.html file in /www
    <html><head><title> authentication test </title></head>
    <body>authentication test<hr>
    <a href="/authentication" >authentication link</a>
    </body></html>
- create /www/authentication
- copy index.html inside /www/authentication
- connect firefox to /
- follow the link on the page to /authentication
- You'll need a client certificate (a sample p12 is included in the repro
files)
- Have the "remember certificate" option unchecked
- Apache will immediately request authentication a second time
Comment 1 jmdesp 2009-11-17 11:01:43 UTC
Created attachment 24553 [details]
A complete package of file, for reproduction, with a full capture of the problem
Comment 2 Joe Orton 2009-11-18 05:51:41 UTC
This is a bug in the handling of "SSLVerifyDepth 0" in per-dir context.  mod_ssl is forcing a renegotiation each time because it doesn't cache the verify_depth as zero correctly:

[Tue Nov 17 19:54:25 2009] [debug] ssl_engine_kernel.c(423): [client 172.30.25.84] Reduced client verification depth will force renegotiation, referer: https://172.30.24.37/

to fix this either of:

a) configure client cert CA verification properly, and remove or increase the SSLVerifyDepth setting, or

b) move the SSLVerifyDepth setting to vhost context, outside the <Location> block

should work.

--

In ssl_hook_Access, the code uses sslconn->verify_depth as the "current" verify depth only if non-zero, otherwise falling back to the vhost's verify depth.
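The lookup described in the comment above, as an added example that is not mod_ssl source: a small C model of the per-connection "current verify depth" bookkeeping, with the buggy lookup (0 doubles as "nothing remembered") beside a lookup that uses an explicit UNSET sentinel. The struct layouts, function names, the three-request replay and the vhost default depth of 1 (mod_ssl's documented default for SSLVerifyDepth) are assumptions made for illustration; using UNSET is one way to keep 0 as a real value and is not presented as the patch that was committed.

```c
/* Model of the per-connection "current verify depth" bookkeeping from
 * comment 2.  Added example, not mod_ssl code: struct fields, function
 * names and the vhost default depth of 1 are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define UNSET (-1)          /* mod_ssl-style "not configured" sentinel */

/* per-vhost config: SSLVerifyDepth at server level (default 1) */
struct vhost_cfg { int verify_depth; };
/* per-directory config: SSLVerifyDepth inside <Location>, or UNSET */
struct dir_cfg   { int verify_depth; };
/* per-connection state that survives across requests on one connection */
struct conn_rec  { int verify_depth; int renegotiations; };

/* Buggy lookup: 0 also means "nothing remembered yet", so a remembered
 * depth of 0 is indistinguishable from unset and falls back to the vhost. */
static int current_depth_buggy(const struct conn_rec *c, const struct vhost_cfg *v)
{
    return c->verify_depth ? c->verify_depth : v->verify_depth;
}

/* Fixed lookup: an explicit UNSET sentinel keeps 0 as a real value. */
static int current_depth_fixed(const struct conn_rec *c, const struct vhost_cfg *v)
{
    return c->verify_depth != UNSET ? c->verify_depth : v->verify_depth;
}

typedef int (*depth_fn)(const struct conn_rec *, const struct vhost_cfg *);

/* One request passing through the access hook.  Returns true when a
 * renegotiation is forced because the per-dir depth is lower than the
 * depth currently active on the connection. */
static bool access_hook(struct conn_rec *c, const struct vhost_cfg *v,
                        const struct dir_cfg *d, depth_fn current)
{
    if (d->verify_depth == UNSET)
        return false;               /* no per-dir override, nothing to check */

    int n = current(c, v);
    if (n > d->verify_depth) {
        /* the logged case: "Reduced client verification depth will force
         * renegotiation" */
        c->renegotiations++;
        c->verify_depth = d->verify_depth;   /* remember the new depth */
        return true;
    }
    return false;
}

/* Replay the reporter's scenario on one connection: GET / (no override),
 * then three GETs of /authentication/ with a per-dir SSLVerifyDepth 0.
 * Returns the number of forced renegotiations. */
static int replay(depth_fn current, int initial_conn_depth)
{
    struct vhost_cfg vhost = { 1 };          /* vhost SSLVerifyDepth: 1 */
    struct dir_cfg   root  = { UNSET };      /* / : no per-dir setting */
    struct dir_cfg   authn = { 0 };          /* /authentication/ : depth 0 */
    struct conn_rec  conn  = { initial_conn_depth, 0 };

    access_hook(&conn, &vhost, &root, current);
    for (int i = 0; i < 3; i++)
        access_hook(&conn, &vhost, &authn, current);
    return conn.renegotiations;
}

/* buggy: the connection starts at 0, so the remembered 0 is never honoured */
int renegotiations_buggy(void) { return replay(current_depth_buggy, 0); }
/* fixed: the connection starts at UNSET and a remembered 0 stays 0 */
int renegotiations_fixed(void) { return replay(current_depth_fixed, UNSET); }

int main(void)
{
    printf("buggy lookup: %d renegotiations\n", renegotiations_buggy());
    printf("fixed lookup: %d renegotiations\n", renegotiations_fixed());
    return 0;
}
```

With the buggy lookup every request under the Location triggers the "reduced depth" check afresh (one renegotiation per request, three here); with the sentinel the depth of 0 is remembered after the first renegotiation and the later requests pass through without one. This is also why the workaround of moving SSLVerifyDepth 0 to vhost context works: the per-dir value is then not lower than the vhost value, so the check never fires.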
Comment 3 jmdesp 2009-11-18 08:26:00 UTC
I confirm that using the following configuration works around the problem :

<VirtualHost *:443>
   SSLEngine On 
   SSLCertificateFile "${path}/apache/conf/authentication.cer"
   SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
   SSLVerifyDepth 0
   <Location /authentication/>
    SSLVerifyClient optional_no_ca
   </Location>
   DocumentRoot "${path}/www"
</VirtualHost>

Unfortunately, the source of the problem is far from obvious, so I think the work around is not enough.
Comment 4 jmdesp 2009-11-18 09:33:21 UTC
That said, this modification does not fix the other problem with mod_autoindex that Torsten Foertsch signaled.
It somehow does significantly reduce the number of renegotiations: I get only 2 renegotiations whilst there must have been around 10 before (with 10 files and SSLVerifyDepth 0 within the directory context).

I opened bug 48228 for this issue.
Comment 5 Joe Orton 2009-11-19 00:12:40 UTC
Yup, I suggest a workaround because I don't (yet) have a patch - it's clearly a bug which can and should be fixed.
Comment 6 Kaspar Brand 2009-11-22 04:56:24 UTC
Created attachment 24583 [details]
Proposed fix

(In reply to comment #5)
> it's clearly a bug which can and should be fixed.

I guess I inadvertently introduced this bug when adding support for handling SNI configurations. The attached patch should address this issue, I believe.

BTW, note that when I was testing a similar configuration with OpenSSL 1.0.0-beta4 and a checkout of OpenSSL_0_9_8-stable, I noticed that these two OpenSSL checkins:

  http://cvs.openssl.org/chngview?cn=18318
  http://cvs.openssl.org/chngview?cn=18320

actually necessitate a backport of either r787722 or r788715, otherwise the renegotiation will stall. I would recommend to include these with 2.2.15.
Comment 7 Joe Orton 2009-11-26 02:53:14 UTC
Thanks Kaspar!

So that OpenSSL change is effectively breaking backwards compat?  What a PITA.
Comment 8 Stefan Fritsch 2011-06-19 18:04:20 UTC
r1137394
Comment 9 Stefan Fritsch 2012-02-26 17:00:29 UTC
fixed in 2.4.1