Date: 15 Nov 2003 05:21:25 -0000
Message-ID: <20031115052125.19332.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 24725] New: - SSL Re-negotiation in conjunction with POST method not supported

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24725

SSL Re-negotiation in conjunction with POST method not supported

           Summary: SSL Re-negotiation in conjunction with POST method not supported
           Product: Apache httpd-2.0
           Version: 2.0.48
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jimc@math.ucla.edu

Comments in httpd-2.0.48/modules/ssl/ssl_engine_kernel.c indicate that the POST data rescue kludge has not yet been ported from 1.3.x to 2.0.x. Is there any progress?

I have a secure site with most content and forms available to anonymous users, but a particular database app is for staff only, authenticated by X.509 certs (.htaccess says "SSLVerifyClient require" and a test for our C.A.), and naturally it's a POST form (to keep prolix and subpoena-able stuff out of the access_log).

As a workaround, in ssl.conf at global level I changed "SSLVerifyClient none" to "optional", so if there were a cert it would be presented initially, not requiring renegotiation and trashing the POST data. But everyone gets asked for a cert, even though most content is still delivered even if they don't give it. That's not the way it should work.