bugzilla at apache
Feb 11, 2012, 7:39 PM
Post #1 of 1
DO NOT REPLY [Bug 52644] New: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
Bug #: 52644
Summary: document how SSL FakeBasicAuth works with strange
characters in DNs and with groupfiles
Product: Apache httpd-2
AssignedTo: docs [at] httpd
ReportedBy: calestyo [at] scientia
Could you please share some light (and add to the documentation at
https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions if and how
mod_ssl's FakeBasicAuth feature works with the following:
a) Special characters
A certificates DN can contain basically _ANY_ character, including “:”, “/”, “
”, “"” or any weird Unicode character from any script.
As far as I can see this could affect us at least in the following places:
- user file
There at least the colon seems to have the special meaning of separating the
username from the password, e.g.:
Maybe “$”, “.” or the other characters mentioned above have also special
Given that this is really security relevant, could you please document whether
all this is _always_ safe for any characters in the DN or not?!
Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$
and the matching must be "greedy" (i.e. the _last_ “:”) must be matched.
b) DNs in group files
Here things seem to be even more weird.
DNs typically contain “ ” characters (spaces).
The space however is the separation characters in the group files.
I found out that quoting the DN with “"” seems to work.
This is however not (yet) documented.
Further,.. is this safe? I mean, DNs could be made up tricky, containing “"” or
“:” to confuse the parsing of the group files.
This could even be a security problem.
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
To unsubscribe, e-mail: docs-unsubscribe [at] httpd
For additional commands, e-mail: docs-help [at] httpd