
bugzilla at apache
Feb 11, 2012, 7:39 PM
DO NOT REPLY [Bug 52644] New: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
https://issues.apache.org/bugzilla/show_bug.cgi?id=52644

Bug #: 52644
Summary: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
Product: Apache httpd-2
Version: 2.2.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: docs [at] httpd
ReportedBy: calestyo [at] scientia
Classification: Unclassified

Hi.

Could you please shed some light (and add to the documentation at https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) on if and how mod_ssl's FakeBasicAuth feature works with the following:

a) Special characters

A certificate's DN can contain basically _ANY_ character, including “:”, “/”, “ ”, “"” or any weird Unicode character from any script. As far as I can see this could affect us at least in the following places:

- user file

There at least the colon seems to have the special meaning of separating the username from the password, e.g.:

/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer:$apr1$7DksooGS$Mz9EkgYft12dREFb1gk8b.

Maybe “$”, “.” or the other characters mentioned above also have special meanings?!

Given that this is really security relevant, could you please document whether all this is _always_ safe for any characters in the DN or not?!

Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$ and the matching must be "greedy" (i.e. the _last_ “:” must be matched).

b) DNs in group files

Here things seem to be even more weird. DNs typically contain “ ” characters (spaces). The space, however, is the separation character in the group files.

I found out that quoting the DN with “"” seems to work. This is however not (yet) documented.

Further, is this safe? I mean, DNs could be made up tricky, containing “"” or “:” to confuse the parsing of the group files. This could even be a security problem.

Cheers,
Chris.
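The two concerns in the report, the colon in the user file and the spaces and quotes in the group file, can be checked mechanically before a DN-based user file is deployed. The following lint is an added example, not code from the bug report or from httpd: it parses constructed sample files, reports user-file lines whose username changes depending on whether the first or the last colon is taken as the separator, and reports group members that only parse correctly because they are quoted. The file contents, the member DNs and the HASH placeholders are constructed; the check makes no claim about which colon httpd itself splits on.

```python
import shlex
from typing import List, Tuple

# Constructed sample user file (htpasswd-style). The second DN deliberately
# contains ':' so that the two possible colon splits disagree. HASH1/HASH2
# are placeholders, not real password hashes.
USER_FILE = (
    "/C=DE/O=Example/OU=Lab/CN=Jane Doe:HASH1\n"
    "/C=DE/O=Example/OU=Lab/CN=Evil:Colon:HASH2\n"
)

# Constructed sample group file. Members are quoted because the DNs
# contain spaces, which would otherwise be read as member separators.
GROUP_FILE = (
    'admins: "/C=DE/O=Example/OU=Lab/CN=Jane Doe" '
    '"/C=DE/O=Example/OU=Lab/CN=Evil:Colon"\n'
)


def split_user_line(line: str, greedy: bool) -> Tuple[str, str]:
    """Split 'user:hash' at the last colon (greedy) or the first colon."""
    sep = line.rfind(":") if greedy else line.find(":")
    if sep < 0:
        return line, ""
    return line[:sep], line[sep + 1:]


def ambiguous_users(text: str) -> List[str]:
    """Return the usernames (last-colon reading) of lines where the first-colon
    and last-colon readings disagree, i.e. the DN itself contains a colon."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        by_first = split_user_line(line, greedy=False)
        by_last = split_user_line(line, greedy=True)
        if by_first != by_last:
            flagged.append(by_last[0])
    return flagged


def check_group_line(line: str) -> Tuple[str, List[str], List[str]]:
    """Parse 'group: member member ...' with shell-style quoting and return
    (group, members, members that need quoting because they contain a space,
    a colon or a double quote)."""
    group, _, members = line.partition(":")
    parsed = shlex.split(members)
    risky = [m for m in parsed if any(c in m for c in ' :"')]
    return group.strip(), parsed, risky
```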