[H-GEN] Defining ssl directories

Byron Ellacott bje at apnic.net
Tue Sep 14 21:48:43 EDT 2004


Byron Ellacott wrote:
> Also, beware Apache2 and SSL.  If you configure an Apache2 server's SSL 
> requirements on a per directory basis, your server will be unable to 
> process POST requests in those directories requiring stronger 
> authentication than the base server.  This is also true for virtual 
> hosts.  Ralf Engelschall is a weiner who refuses to fix the problem.

To clarify this, since I got a private question about it, the specific 
problem is when the SSL connection must be renegotiated during a POST 
request.  The SSL connection is first established before headers are 
sent, when only the host's IP address is known.  At this point, the only 
Apache configuration in use is that for the global server, or for an 
address based virtual server.  Whatever SSLRequire or SSLClientVerify 
options you have there are the ones that will be enforced for the 
initial connection.

After the headers have been read, named virtual hosts and directories 
are known, and the configuration for those locations can be used.  If 
the requirements for the SSL connection are increased, then the 
connection must be renegotiated, for example to request a client 
certificate.

In a GET request, this is fine and dandy, since you can just simply go 
ahead and alter the session parameters, then finish processing the 
request.  In a POST, there is data waiting on the connection still to be 
read.  mod_ssl must therefore read off that POST data before it can 
renegotiate the connection, because otherwise it does not have a two way 
communication channel available.  That POST data is potentially large, 
and in Apache2, can be non-trivial to read (see bucket brigades and 
other odd similes).  So, the current implementation of mod_ssl simply 
gives up at this point.

In Apache1, the data was read, the connection renegotiated, then the 
data reinjected to the input stream.

The specifics of which options lead to a renegotiation are available in 
the mod_ssl source, in ssl_engine.c IIRC, along with an explanation of 
this problem by the mod_ssl authors.

If you're willing to lose the distinction of POST and GET requests, you 
can write an init handler to read POST data, rewrite the request url and 
change the method to GET.  Init handlers are run before headers are 
parsed.  I leave it as an exercise to the reader to figure out how to 
handle file data in this case.

-- 
bje
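As an added illustration (not part of the original message or of mod_ssl's own documentation), here is the per-directory layout the message warns about beside a layout that keeps the client-certificate requirement at the address-based virtual host, where it is applied during the initial handshake and never needs a mid-request renegotiation. Hostnames, addresses, paths and certificate files are placeholders.

```apache
# Constructed example: two ways of requiring a client certificate.
# Addresses, names and file paths below are assumed placeholders.

# --- Layout 1: requirement raised inside a <Directory> (problematic) ---
# The handshake completes with the vhost's setting (SSLVerifyClient none),
# because only the IP address is known at that point.  Once the request
# line and headers reveal a URL under /var/www/secure, mod_ssl must
# renegotiate to demand a certificate.  For a POST the unread body is still
# on the connection, and the Apache2 mod_ssl described above gives up.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          "/var/www/html"
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient       none

    <Directory "/var/www/secure">
        # Stronger requirement than the enclosing server: triggers
        # renegotiation, so POSTs here fail.
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Directory>
</VirtualHost>

# --- Layout 2: requirement set at the address-based vhost (no renegotiation)
# The certificate is demanded during the initial handshake, before any
# headers or body are read, so GET and POST are handled identically.
# Content that must not require a certificate lives in a separate vhost on
# its own address rather than in a less restrictive subdirectory.
<VirtualHost 192.0.2.11:443>
    ServerName            secure.example.com
    DocumentRoot          "/var/www/secure"
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2
</VirtualHost>
```

The same reasoning applies to SSLRequire and cipher-suite directives placed in a per-directory or per-location context: anything stricter than the enclosing server's handshake settings forces a renegotiation.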