Package: libapache2-mod-gnutls
Version: 0.5.10-1

I have a similar experience; it seems to have something to do with the origin 
of the connection, though.
My VHost is defined as:
Listen 443
NameVirtualHost 76.101.44.212:443
<VirtualHost 76.101.44.212:443>
     ServerName nanoplex.net
     DocumentRoot /var/www
     <Directory />
         Options FollowSymLinks
         AllowOverride None
     </Directory>
     <IfModule mod_ssl.c>
         SSLEngine On
         SSLCACertificatePath /etc/ssl/certs
         SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.crt
         SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
     </IfModule>
     <IfModule mod_gnutls.c>
       <IfModule !mod_ssl.c>
         GnuTLSEnable On
         GnuTLSPriorities SECURE:!ANON-DH:!MD5
         GnuTLSCertificateFile /etc/ssl/certs_chained/ssl-cert-snakeoil.crt
         GnuTLSKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
       </IfModule>
     </IfModule>
</VirtualHost>


Now, with mod-gnutls enabled this happens:
testhost:~# curl -o out.txt -# --location https://76.101.44.212
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
testhost:~# curl --interface lo -o out.txt -# --location https://76.101.44.212
######################################################################## 100.0%

which is a bit strange. It works both ways with mod-ssl though:
testhost:~# curl -o out.txt -# --location https://76.101.44.212
######################################################################## 100.0%
testhost:~# curl --interface lo -o out.txt -# --location https://76.101.44.212
######################################################################## 100.0%

Connections from a different box always work.

I have a feeling this is caused by a "bugfix" that doesn't engage encryption if 
the remote and local IP are the same...
http://modgnutls.git.sourceforge.net/git/gitweb.cgi?p=modgnutls/modgnutls;a=commitdiff;h=60cf11c4c8c984d7fafd369171bfa950eefd3c4f

@@ -749,10 +750,11 @@ int mgs_hook_pre_connection(conn_rec * c, void *csd) return DECLINED; } - if (c->remote_addr->hostname) - /* Connection initiated by Apache (mod_proxy) => ignore */ - return OK; - + if (c->remote_addr->hostname || apr_strnatcmp(c->remote_ip,c->local_ip) == 0) { + /* Connection initiated by Apache (mod_proxy) => ignore */ + return OK; + } + ctxt = create_gnutls_handle(c->pool, c); ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
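
Review bot: The new apr_strnatcmp(c->remote_ip,c->local_ip) == 0 clause in mgs_hook_pre_connection returns OK before create_gnutls_handle() runs for every connection whose remote and local addresses are equal, so an inbound client on the same host that connects to the server's own address is handled without a TLS session on a TLS-enabled vhost. Matching addresses do not show that Apache (mod_proxy) opened the connection, and the retained comment "Connection initiated by Apache (mod_proxy) => ignore" no longer describes what the condition tests. Suggest dropping the address comparison and keeping only a check that actually identifies an outgoing proxy connection, or at minimum documenting why equal addresses are being treated as proxy traffic and what happens to local clients.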

EmTeedee



