Return-Path: Delivered-To: apmail-httpd-bugs-archive@www.apache.org Received: (qmail 2403 invoked from network); 24 Jul 2006 11:39:42 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 24 Jul 2006 11:39:42 -0000 Received: (qmail 82074 invoked by uid 500); 24 Jul 2006 11:39:40 -0000 Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org Received: (qmail 82042 invoked by uid 500); 24 Jul 2006 11:39:40 -0000 Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: Reply-To: "Apache HTTPD Bugs Notification List" List-Id: Delivered-To: mailing list bugs@httpd.apache.org Received: (qmail 82029 invoked by uid 99); 24 Jul 2006 11:39:40 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 24 Jul 2006 04:39:40 -0700 X-ASF-Spam-Status: No, hits=-9.4 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [209.237.227.198] (HELO brutus.apache.org) (209.237.227.198) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 24 Jul 2006 04:39:39 -0700 Received: by brutus.apache.org (Postfix, from userid 33) id 0A8F7714283; Mon, 24 Jul 2006 11:37:21 +0000 (GMT) From: bugzilla@apache.org To: bugs@httpd.apache.org Subject: DO NOT REPLY [Bug 39243] - Can't post files larger than 128k onto ssl client cert secured site In-Reply-To: X-Bugzilla-Reason: AssignedTo Message-Id: <20060724113721.0A8F7714283@brutus.apache.org> Date: Mon, 24 Jul 2006 11:37:21 +0000 (GMT) X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG� RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND� INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bug.cgi?id=39243 ------- Additional Comments From p.c.c.wagemans@kpn.com 2006-07-24 11:37 ------- Will Rowe wrote: > The obvious answer for an 'upload' style operation is to ensure they > never hit your upload page without going through a simpler front > page which first enforces the renegotation. This can be your upload > form page. > Once the session is SSLClientVerify'ed it won't renegotate -again- > so this problem won't occur. This can work for interactive applications, but there are common situations without upload page: an application that wants to submit data to the web server in a SOAP POST request. Note: the above proposal for using an upload page request to renegotiate for the client certificate appears to work only with "SSLVerifyClient none" but not with "SSLVerifyClient optional" at top level. In the last case a renegotiation is performed on the subsequent form POST even when a client certificate is already present. Thus you again run into the 128K limit. This is probably explained by the following code in ssl_engine_kernel.c, which only treats "none" as a special case: /* optimization */ if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && (verify_old == SSL_VERIFY_NONE) && ((peercert = SSL_get_peer_certificate(ssl)) != NULL)) { renegotiate_quick = TRUE; X509_free(peercert); } -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org