
Mailing List Archive: Apache: Docs

DO NOT REPLY [Bug 52644] New: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles

 

 



bugzilla at apache

Feb 11, 2012, 7:39 PM


https://issues.apache.org/bugzilla/show_bug.cgi?id=52644

Bug #: 52644
Summary: document how SSL FakeBasicAuth works with strange
characters in DNs and with groupfiles
Product: Apache httpd-2
Version: 2.2.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
AssignedTo: docs [at] httpd
ReportedBy: calestyo [at] scientia
Classification: Unclassified


Hi.

Could you please shed some light (and add to the documentation at
https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) on if and how
mod_ssl's FakeBasicAuth feature works with the following:

a) Special characters
A certificate's DN can contain basically _ANY_ character, including “:”, “/”,
“ ”, “"” or any weird Unicode character from any script.
As far as I can see this could affect us at least in the following places:
- user file
There at least the colon seems to have the special meaning of separating the
username from the password, e.g.:
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer:$apr1$7DksooGS$Mz9EkgYft12dREFb1gk8b.
Maybe “$”, “.” or the other characters mentioned above also have special
meanings?!

Given that this is really security relevant, could you please document whether
all this is _always_ safe for any characters in the DN or not?!

Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$
and the matching must be "greedy" (i.e. the _last_ “:” must be matched).


b) DNs in group files
Here things seem to be even more weird.
DNs typically contain “ ” characters (spaces).
The space however is the separation character in the group files.

I found out that quoting the DN with “"” seems to work.
This is however not (yet) documented.
Further, is this safe? I mean, DNs could be made up tricky, containing “"” or
“:” to confuse the parsing of the group files.
This could even be a security problem.


Cheers,
Chris.

