elaka / mod-spdy

Automatically exported from code.google.com/p/mod-spdy
0 stars 0 forks source link

mod_ssl with NPN breaks "VerifyClient optional" #59

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What version/revision number of mod_spdy are you using?
0.9.3.3

What version of Apache are you using, and on what operating system?  
Server version: Apache/2.2.15 (Unix) on CentOS 6.3

What other Apache modules are you using?  (Use `apache2ctl -M` to check.)
 core_module (static)
 mpm_worker_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_default_module (shared)
 include_module (shared)
 log_config_module (shared)
 env_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 passenger_module (shared)
 auth_token_module (shared)
 h264_streaming_module (shared)
 fastcgi_module (shared)
 ssl_module (shared)
 spdy_module (shared)
 wsgi_module (shared)

What browser version did you use to access the mod_spdy server?  On what
operating system? What flags was the browser invoked with?  (For
Chrome/Chromium, go to about:version to check.)
Google Chrome   22.0.1229.94 (Official Build 161065)
OS  Linux
WebKit  537.4 (@130860)
JavaScript  V8 3.12.19.15
Flash   11.4.31.110
User Agent  Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.4 (KHTML, like Gecko) 
Chrome/22.0.1229.94 Safari/537.4
Command Line     /opt/google/chrome/google-chrome 
--auth-server-whitelist=*example.com --flag-switches-begin --flag-switches-end
Executable Path /opt/google/chrome/google-chrome
Profile Path    /home/someone/.config/google-chrome/Default

What steps will reproduce the problem?
1. Install mod_spdy on server
2. Configure optional client cert acceptance in Apache Basic auth:

    <Directory /var/www/html>
        # Allow client certs as alternative to basic auth
        SSLVerifyClient      optional
        SSLVerifyDepth       2
        SSLOptions           +FakeBasicAuth +StrictRequire

        AuthName "private"
        AuthType Basic
        AuthUserFile /etc/httpd/pass
        Require valid-user
    </Directory>

3. In your browser import CA and client certificate

4. Try to connect to the private site

What is the expected result? What do you see instead?
Client certificate not accepted as an optional way of authentication

Please provide any additional information below.
Disabling the mod_ssl_with_npn fixes the issue, although mod_spdy is not 
working anymore of course :/

Original issue reported on code.google.com by miroslav...@gmail.com on 22 Oct 2012 at 6:08