httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 48215] New: Renegotiation requires multiple client authentication
Date Tue, 17 Nov 2009 18:59:38 GMT

           Summary: Renegotiation requires multiple client authentication
           Product: Apache httpd-2
           Version: 2.2.13
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl

Created an attachment (id=24552)
The error log with LogLevel debug

After connecting to a URL without client authentication, connecting to a URL
that requires it starts an SSL renegotiation several times instead of only once.

The exact number of renegotiations depends on some unknown factor.
I have a full repro procedure from scratch where it will be 2 times, but also a
server locally where it is 6 times.

I'll attach:
- an http.conf that reproduces the problem
- the self-signed certificate and private key of the server
- the content of error.log after an instance of this problem
- a .cap file of the exchange between the client and the server
- the decoding of the exchange with tshark -V  -o "ssl.keys_list:,443,http,apache/conf/authentication.key"

Full repro procedure based on EasyPHP 5.3.0 (Apache/2.2.13 (Win32) -
OpenSSL/0.9.8k):
- download and install EasyPHP 5.3.0
- edit its default httpd.conf:
    Listen *:443

    LoadModule ssl_module modules/

    SSLSessionCache        "shmcb:${path}/apache/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout  3000

    NameVirtualHost *:443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile "${path}/apache/conf/authentication.cer"
        SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
        # A client certificate is requested only under this location, so
        # reaching it on an existing connection triggers an SSL renegotiation.
        <Location /authentication/>
            SSLVerifyClient optional_no_ca
            SSLVerifyDepth 0
        </Location>
        DocumentRoot "${path}/www"
    </VirtualHost>
- create an index.html file in /www
    <html><head><title> authentication test </title></head>
    <body>authentication test<hr>
    <a href="/authentication" >authentication link</a>
    </body></html>
- create /www/authentication
- copy index.html inside /www/authentication
- connect Firefox to /
- follow the link on the page to /authentication
- You'll need a client certificate (a sample p12 is included in the repro
- Have the "remember certificate" option unchecked
- Apache will immediately request authentication a second time
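
One way to check an error.log for the symptom described in this report, as an added example that is not part of the original bug report or its attachments: it counts mod_ssl's "Requesting connection re-negotiation" entries per connection. The sample log is constructed, and attributing each entry to the most recent "HTTPS request received" line is an assumption that holds only when connections do not interleave in the log.

```python
import re

# Message texts written by mod_ssl 2.2.x at LogLevel info and above.
REQ_RE = re.compile(r"\(No\.(\d+)\) HTTPS request received for child (\d+)")
RENEG_MSG = "Requesting connection re-negotiation"

# Constructed sample in the Apache 2.2 error-log layout (not the attached log).
SAMPLE_LOG = """\
[Tue Nov 17 19:50:01 2009] [info] Initial (No.1) HTTPS request received for child 62 (server localhost:443)
[Tue Nov 17 19:50:05 2009] [info] Subsequent (No.2) HTTPS request received for child 62 (server localhost:443)
[Tue Nov 17 19:50:05 2009] [info] Requesting connection re-negotiation
[Tue Nov 17 19:50:05 2009] [info] Awaiting re-negotiation handshake
[Tue Nov 17 19:50:09 2009] [info] Subsequent (No.3) HTTPS request received for child 62 (server localhost:443)
[Tue Nov 17 19:50:09 2009] [info] Requesting connection re-negotiation
[Tue Nov 17 19:50:09 2009] [info] Awaiting re-negotiation handshake
[Tue Nov 17 19:51:30 2009] [info] Initial (No.1) HTTPS request received for child 63 (server localhost:443)
"""


def renegotiations_by_connection(log_text):
    """Map connection (child) id -> request numbers that triggered a renegotiation."""
    result = {}
    current = None  # (child id, request number) of the latest request marker
    for line in log_text.splitlines():
        match = REQ_RE.search(line)
        if match:
            current = (int(match.group(2)), int(match.group(1)))
            result.setdefault(current[0], [])
        elif RENEG_MSG in line and current is not None:
            # Assumption: the entry belongs to the request logged just before it.
            result[current[0]].append(current[1])
    return result


def repeated_renegotiations(log_text):
    """Connections on which the server asked for renegotiation more than once."""
    per_conn = renegotiations_by_connection(log_text)
    return {child: reqs for child, reqs in per_conn.items() if len(reqs) > 1}


if __name__ == "__main__":
    for child, reqs in repeated_renegotiations(SAMPLE_LOG).items():
        print(f"child {child}: {len(reqs)} renegotiations (requests {reqs})")
```
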
