httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 39243] - Can't post files larger than 128k onto ssl client cert secured site
Date Mon, 24 Jul 2006 11:37:21 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39243>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39243





------- Additional Comments From p.c.c.wagemans@kpn.com  2006-07-24 11:37 -------
Will Rowe wrote:

> The obvious answer for an 'upload' style operation is to ensure they
> never hit your upload page without going through a simpler front
> page which first enforces the renegotation.  This can be your upload
> form page.

> Once the session is SSLClientVerify'ed it won't renegotate -again-
> so this problem won't occur.

This can work for interactive applications, but there are common
situations without upload page: an application that wants to submit
data to the web server in a SOAP POST request.


Note: the above proposal for using an upload page request to
renegotiate for the client certificate appears to work only with
"SSLVerifyClient none" but not with "SSLVerifyClient optional" at top
level. In the last case a renegotiation is performed on the subsequent
form POST even when a client certificate is already present. Thus you
again run into the 128K limit. This is probably explained by the
following code in ssl_engine_kernel.c, which only treats "none" as a
special case:

        /* optimization */

        if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
            (verify_old == SSL_VERIFY_NONE) &&
            ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
        {
            renegotiate_quick = TRUE;
            X509_free(peercert);
        }

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message