httpd-dev mailing list archives

From Kamesh Jayachandran <kam...@collab.net>
Subject Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Date Mon, 26 Oct 2009 10:22:28 GMT
Hi Kaspar,

I applied your 'mod_ssl-disable_tls_tickets.diff' and 'mod_ssl-log_ssloptions.diff' to apache-2.2.12 and initiated the 'failing svn import operation'.

<snip from error_log while this fails>
[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
</snip>

The tcpdump for this failure is at,

http://www.livecipher.com/tlsext_dump/tlsext.dmp.4

With regards
Kamesh Jayachandran
On 10/25/2009 09:21 PM, Kaspar Brand wrote:
> Dr Stephen Henson wrote:
>    
>> Disabling tickets using SSL_OP_NO_TICKET server side SHOULD work too (does in my
>> tests) so I've no idea why that wouldn't in the OP's setup unless the patch
>> doesn't set it in all contexts. Try placing it right after any call to
>> SSL_CTX_new().
>>      
> I'm still a bit puzzled as to why my previously posted patch does not
> turn off TLS session tickets... there's only one place in mod_ssl where
> a new context is created, and in my tests, SSL_OP_NO_TICKET was reliably
> applied (i.e., I didn't see any session tickets on the wire). Maybe
> there's another issue if tickets are turned off?
>
> Kamesh, could you apply the attached patch, for diagnostic purposes (in
> addition to mod_ssl-disable_tls_tickets.diff), and let us know what
> "options=" values you see in your ErrorLog? Note that you don't have to
> increase Apache's LogLevel, the options for any new SSL connection will
> be logged with "warn" already. Also, it would be helpful to have another
> capture (with mod_ssl patched like this) where the svn client still
> fails with a "parse tlsext" error. Thanks.
>
> Kaspar
>    
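
Added example (not part of the original thread, and not mod_ssl or OpenSSL code): one way to decode the "options=" values that the diagnostic patch writes to the ErrorLog and flag any connection where SSL_OP_NO_TICKET is not set. The flag values are assumed to be those of a 0.9.8-era OpenSSL ssl.h; the function names and the second sample log entry are constructed for illustration.

```python
import re

# Values from OpenSSL's ssl.h (assumption: the 0.9.8-era definitions;
# check the header of the build actually in use).
SSL_OP_FLAGS = {
    "SSL_OP_NO_TICKET": 0x00004000,
    "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION": 0x00010000,
    "SSL_OP_SINGLE_DH_USE": 0x00100000,
    "SSL_OP_NO_SSLv2": 0x01000000,
}
KNOWN_MASK = sum(SSL_OP_FLAGS.values())  # bits are distinct, so sum == OR

# \s* between fields tolerates the line wrapping a mail client adds.
OPTIONS_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\]\s*ssl_init_ssl_connection:\s*"
    r"options=0x(?P<opts>[0-9a-fA-F]+)"
)

def decode_options(value):
    """Return (names of known flags set, remaining undecoded bits)."""
    names = sorted(n for n, bit in SSL_OP_FLAGS.items() if value & bit)
    return names, value & ~KNOWN_MASK

def connections_with_tickets_enabled(log_text):
    """Return (client, options) for connections lacking SSL_OP_NO_TICKET."""
    hits = []
    for m in OPTIONS_RE.finditer(log_text):
        opts = int(m.group("opts"), 16)
        if not opts & SSL_OP_FLAGS["SSL_OP_NO_TICKET"]:
            hits.append((m.group("client"), opts))
    return hits

# First entry: as posted in the message (wrapped). Second entry: constructed
# for contrast, with the 0x4000 bit cleared and a documentation-range address.
SAMPLE_LOG = """\
[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88]
ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:25 2009] [warn] [client 192.0.2.7] ssl_init_ssl_connection: options=0x1110fff
"""

if __name__ == "__main__":
    for m in OPTIONS_RE.finditer(SAMPLE_LOG):
        value = int(m.group("opts"), 16)
        names, rest = decode_options(value)
        print(m.group("client"), hex(value), names, "undecoded:", hex(rest))
    print("tickets still enabled:", connections_with_tickets_enabled(SAMPLE_LOG))
```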

