httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24725] New: - SSL Re-negotiation in conjunction with POST method not supported
Date Sat, 15 Nov 2003 05:21:25 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24725>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24725

SSL Re-negotiation in conjunction with POST method not supported

           Summary: SSL Re-negotiation in conjunction with POST method not
                    supported
           Product: Apache httpd-2.0
           Version: 2.0.48
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jimc@math.ucla.edu


Comments in httpd-2.0.48/modules/ssl/ssl_engine_kernel.c indicate that the POST 
data rescue kludge has not yet been ported from 1.3.x to 2.0.x.  Is there any 
progress?  
    I have a secure site with most content and forms available to anonymous 
users, but a particular database app is for staff only, authenticated by X.509 
certs (.htaccess says "SSLVerifyClient require" and a test for our C.A.), and 
naturally it's a POST form (to keep prolix and subpoena-able stuff out of the 
access_log).  As a workaround, in ssl.conf at global level I changed 
"SSLVerifyClient none" to "optional", so if there were a cert it would be 
presented initially, not requiring renegotiation and trashing the POST data.  
But everyone gets asked for a cert, even though most content is still delivered 
even if they don't give it.  That's not the way it should work.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message