httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46952] ssl renegotiation hangs with long ca list
Date Fri, 19 Jun 2009 10:15:39 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952





--- Comment #6 from szamcsi <Akos.Frohner@cern.ch>  2009-06-19 03:15:34 PST ---
Created an attachment (id=23831)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23831)
test case for the bug

I've attached a test case for the bug, which generates test 
certificate to trigger the problem. 

The first point is that the certificate of the server has to be 
bigger than OpenSSL's buffer size, which is 4kB by default. I have
padded the server certificate with comments. 
One can play with this number by using the '--pads 123' option.

The second point is to create enough CA entries that the summary 
of ServerHello, Certificate, ServerKeyExchange, CertificateRequest
and ServerHelloDone record sizes adds up over 12kB (4kB of the 
buffer in OpenSSL and 8kB for the BIO of mod_ssl).
One can play with this number by using the '--cas 123' option.


Run the script and follow the instructions:
   ../test-certs
   ./httpd/server start
   ./httpd/client # which shall hang
   ./httpd/server stop

You can clean up/regernerate with different parameters:
    ../test-certs --cas 70 # works
    ../test-certs --cas 80 # hangs
    ../test-certs --cas 110 # hangs
    ../test-certs --cas 120 # works

I hope it clarifies the problem!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message