attachment.cgi misbehaves if using SSL certificate authentication with Apache 1.3.26/mod_ssl 2.8.7/openssl 0.9.6b

RESOLVED WORKSFORME

16 years ago
6 years ago

People

(Reporter: dave.kelly, Assigned: myk)

(Reporter)

Description

16 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Using RedHat 7.3 / Apache 1.3.26 / mod_ssl 2.8.7 / openssl 0.9.6b / Bugzilla 2.16.1

If using SSL certificate authentication and trying to add an attachment,
attachment.cgi reports that the attachment file is empty.

If trying to view an attachment, attachment.cgi reports that no valid attachment
id has been specified.

/etc/httpd/logs/error_log reports

[Tue Nov 12 13:53:10 2002] attachment.cgi: Use of uninitialized value in pattern
match (m//) at globals.pl line 972.
Use of uninitialized value in pattern match (m//) at globals.pl line 972 (#1)
    (W uninitialized) An undefined value was used as if it were already
    defined.  It was interpreted as a "" or a 0, but maybe it was a mistake.
    To suppress this warning assign a defined value to your variables.

    To help you figure out what was undefined, perl tells you what operation
    you used the undefined value in.  Note, however, that perl optimizes your
    program and the operation displayed in the warning may not necessarily
    appear literally in your program.  For example, "that $foo" is
    usually optimized into "that " . $foo, and the warning will refer to
    the concatenation (.) operator, even though there is no . in your
    program.


If SSL certificate authentication is disabled, everything works fine.

Reproducible: Always

Steps to Reproduce:
Steps taken to create SSL certificates:

1) /usr/share/ssl/misc/CA.pl -newca
2) cat /usr/share/ssl/misc/demoCA/cacert.pem >> /etc/httpd/conf/ssl.crt/ca-bundle.crt
3) cd /etc/httpd/conf
4) openssl genrsa 1024 > ssl.key/server.key
5) chmod go-rwx ssl.key/server.key
6) make testcert
7) /usr/share/ssl/misc/CA.pl -newreq
8) /usr/share/ssl/misc/CA.pl -sign
9) /usr/share/ssl/misc/CA.pl -pkcs12
10) Import .p12 file into browser.
11) Edit /etc/httpd/conf/httpd.conf and:
   a) In the section beginning with <VirtualHost _default_:443>, uncomment the
   lines:

      SSLCACertificatePath /etc/httpd/conf/ssl.crt
      SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

   b) At the bottom of the file, add the lines:

   <Directory /var/www/html/bugzilla>
      SSLVerifyClient   require
      SSLVerifyDepth    1
      SSLRequireSSL
   </Directory>

12) service httpd restart
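
The certificate steps above (1, 7, 8 and 9) can be checked independently of Bugzilla. The following is an added example, not part of the original report: it redoes those steps with plain `openssl` commands in a scratch directory, then confirms that the client certificate verifies against the CA that step 2 appends to `ca-bundle.crt` and that a certificate from an unrelated CA does not. All subject names and the PKCS#12 password are constructed, and 2048-bit keys are assumed.

```sh
#!/bin/sh
# Added example: subjects, file names and the .p12 password are constructed.
# Keys are 2048-bit here; that size is this example's assumption.

# build_chain DIR CA_CN: CA cert, client request, signed client cert, .p12
build_chain() {
    dir=$1; ca_cn=$2
    # CA.pl -newca: self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ca_cn" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # CA.pl -newreq: client key and certificate request
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null || return 1
    # CA.pl -sign: client certificate issued directly by the CA, so the
    # chain is one step long, which is what SSLVerifyDepth 1 allows
    openssl x509 -req -in "$dir/newreq.pem" -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/newcert.pem" 2>/dev/null || return 1
    # CA.pl -pkcs12: bundle that gets imported into the browser
    openssl pkcs12 -export -in "$dir/newcert.pem" -inkey "$dir/newkey.pem" \
        -certfile "$dir/cacert.pem" -passout pass:constructed \
        -out "$dir/newcert.p12" 2>/dev/null
}

# chain_ok BUNDLE CERT: true if CERT verifies against the CA bundle.
# Matches the ": OK" line rather than relying on the exit status alone.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# p12_subject P12: subject of the client certificate inside the bundle
p12_subject() {
    openssl pkcs12 -in "$1" -passin pass:constructed -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -subject
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/site" "$work/other"
build_chain "$work/site" "Example Site CA"
build_chain "$work/other" "Example Other CA"

# The site CA plays the role of the certificate appended to ca-bundle.crt.
chain_ok "$work/site/cacert.pem" "$work/site/newcert.pem" &&
    echo "client cert from the site CA: accepted"
chain_ok "$work/site/cacert.pem" "$work/other/newcert.pem" ||
    echo "client cert from another CA: rejected"
p12_subject "$work/site/newcert.p12"
```

If the first check passes, the certificates themselves are sound and the fault lies in the request handling between mod_ssl and attachment.cgi.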

I have a hunch this is probably fixed already in Bugzilla 2.17.1, because of the
conversion to using Perl's CGI module for handling the file uploads.

Would it be possible for you to upgrade to version 2.17.1 from cvs and give it a
try?  Be forewarned that there are several major schema changes, so make backups
first (of your database, too).  (bugzilla.mozilla.org just pulled it off this
last weekend, so it's not too bad :)   If you can't get to cvs easily, there
should be a tarball of it on the bugzilla.org website by the end of the week.
Summary: attachment.cgi misbehaves if using SSL certificate authentication with Apache 1.3.26/mod_ssl 2.8.7/openssl 0.9.6b → attachment.cgi misbehaves if using SSL certificate authentication with Apache 1.3.26/mod_ssl 2.8.7/openssl 0.9.6b

Dave Kelly: have you had a chance to try this yet?  We have 2.17.1 in a
tarball on the website now if you have trouble getting to CVS.

We won't be doing anything further with this unless we can confirm whether or
not 2.17.1 fixes this.
(Reporter)

Comment 3

16 years ago
Apologies for not responding.

I was having a bit of trouble stopping the CVS update from messing up my
existing installation.

I will test ASAP.

Dave Kelly: any chance to try this yet?

Dave Lawrence: you have Bugzilla running under SSL at your site, have you run
into this?

Comment 5

16 years ago
I am not seeing this problem myself and I am using the version of 2.17 that
doesn't yet have any conversion in attachment.cgi to using CGI.pm. It is still
pulling the data out of $::FORM{data}.

But I am also doing this before inserting on PostgreSQL:

# Encode the data using Base64 if this is a PostgreSQL database
if ($::db_driver eq 'Pg') {
    use MIME::Base64;
    $data = encode_base64($data);
}


but I don't think that would have any effect on SSL since the data has already
been passed in by that point.

Comment 6

15 years ago
Okay, no reply from Dave Kelly in over a year. Sounds like it might be a
combination of old Perl, old Apache, old SSL, and old Bugzilla. :-)

Dave Kelly -- if you've found some resolution to this by now, please let us
know! :-)

-M
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
wrong resolution
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → WORKSFORME
QA Contact: matty_is_a_geek → default-qa