httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46952] ssl renegotiation hangs with long ca list
Date Thu, 13 May 2010 20:25:58 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46952

--- Comment #14 from steve.berube@hp.com 2010-05-13 16:25:51 EDT ---
Does anyone have an update on this issue? We hit this exact issue on both
Firefox and IE when using SSLVerifyClient on a particular Location directive.
It is reproducible every time. Shrinking the CA size to < 200k helped for the
most part, but there are still cases where we get the renegotiation error.

We are running a slightly customized build of Apache 2.2.15 and OpenSSL 0.9.8.k
The issue can be reproduced easily with the binaries on httpd.apache.org with
the OpenSSL they ship as well.

Basically here is the issue.

ca-bundle.crt is 253k with a hundred or so CAs in it (generated from Mozilla
certdata.txt).

1. User connects to https://server/logonx509 via IE or Firefox
2. URL is protected using this directive:
    <location logonx509>
        SSLOptions +StdEnvVars +ExportCertData
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 10
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
    </location>
3. Firefox connects, prompts for the smartcard PIN, authenticates, then fails on
re-negotiation.
4. IE connects, prompts for the smartcard PIN, authenticates, then fails on
re-negotiation.


Shrinking CA size will greatly help, but not always.

Typical error in our apache ssl error logs is:

[Thu May 13 10:53:49 2010] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5
bytes expected to read on BIO#7d7d480 [mem: 7dd72e8]
[Thu May 13 10:53:49 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Thu May 13 10:53:49 2010] [error] [client x.x.x.x] Re-negotiation handshake
failed: Not accepted by client!?, referer:
https://x.x.x.x/sessionmanager/login.jsp?back=https%3a%2f%2fx.x.x.x%2fem

I've reviewed this thread in depth and am not sure it resolves all of the
issues. Any help appreciated here.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

