httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 46952] ssl renegotiation hangs with long ca list
Date Thu, 13 May 2010 20:26:22 GMT

--- Comment #15 from 2010-05-13 16:26:18 EDT ---
Does anyone have an update on this issue? We hit this exact issue on both
firefox and IE when using SSLVerifyClient on a particular location directive.
It is reproducible every time. Shrinking the CA size to < 200k helped for the
most part, but there are still cases where we get the renegotiation error.

We are running a slightly customized build of Apache 2.2.15 and OpenSSL 0.9.8.k
The issue can be reproduced easily with the binaries on with
the OpenSSL they ship as well.

Basically here is the issue.

ca-bundle.crt is 253k with a hundred or so CAs in it (generated from Mozilla

1. User connects to https://server/logonx509 via IE or Firefox
2. URL is protected using this directive:
    <location logonx509>
        SSLOptions +StdEnvVars +ExportCertData
        SSLVerifyClient require
        SSLVerifyDepth 10
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
    </location>
3. Firefox connects will prompt for smartcard pin, authenticate then fail on
4. IE connects will prompt for smartcard pin, authenticate then fail on

Shrinking CA size will greatly help, but not always.

Typical error in our apache ssl error logs is:

[Thu May 13 10:53:49 2010] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5
bytes expected to read on BIO#7d7d480 [mem: 7dd72e8]
[Thu May 13 10:53:49 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Thu May 13 10:53:49 2010] [error] [client x.x.x.x] Re-negotiation handshake
failed: Not accepted by client!?, referer:

I've reviewed this thread in depth and am not sure it resolves all of the
issues. Any help appreciated here.
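An added diagnostic (not from the bug report or the httpd project) for the failure mode described above: when the per-location SSLVerifyClient forces a renegotiation, mod_ssl sends the subject DN of every certificate in the configured CA file in its CertificateRequest, so what matters is the size of that DN list, not the size of ca-bundle.crt on disk. This script measures it for a PEM bundle with a minimal hand-written DER walker; sample_bundle and the skeleton certificates it builds are constructed for the demo and are not real CA certificates.

```python
import base64, re

def _tlv(data, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _enc(tag, body):
    """Minimal DER encoder, used only to build the constructed sample bundle."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def subject_dn_der(cert_der):
    """Return the DER-encoded subject Name (header included) of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)             # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)           # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                 # optional [0] EXPLICIT version
        pos = _tlv(cert_der, pos)[2]
    for _ in range(4):                        # serialNumber, signature, issuer, validity
        pos = _tlv(cert_der, pos)[2]
    _, _, end = _tlv(cert_der, pos)           # subject Name
    return cert_der[pos:end]

def ca_list_size(pem_bundle):
    """(CA count, bytes of the CertificateRequest certificate_authorities list, fits 16-bit length)."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    dns = [subject_dn_der(base64.b64decode(b)) for b in blobs]
    size = 2 + sum(2 + len(dn) for dn in dns)    # 2-byte list length + 2-byte length per DN
    return len(dns), size, size <= 0xFFFF        # TLS 1.2 list length field is 16 bits

def sample_bundle(names):
    """Constructed PEM bundle of skeleton certs: only the Name fields are meaningful DER."""
    certs = []
    for cn in names:
        name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, cn.encode()))))
        tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
                   + name + _enc(0x30, b"") + name + _enc(0x30, b""))
        der = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
        certs.append("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
                     + "-----END CERTIFICATE-----\n")
    return "".join(certs)
```

Feed the contents of the real ca-bundle.crt to ca_list_size to see the list the browser has to accept during the renegotiation. mod_ssl's SSLCADNRequestFile lets the server advertise a shorter DN list than the set it actually trusts.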

