From: Dr Stephen Henson
Date: Tue, 27 Oct 2009 22:47:25 +0000
To: dev@httpd.apache.org
Subject: Re: Strange error(parse tlsext bug) in mod_ssl since httpd-2.2.12
Message-ID: <4AE7787D.1030301@oss-institute.org>
In-Reply-To: <4AE57864.1050802@collab.net>

Kamesh Jayachandran wrote:
> Hi Kaspar,
>
> I applied your 'mod_ssl-disable_tls_tickets.diff' and
> 'mod_ssl-log_ssloptions.diff' to apache-2.2.12
>
> and initiated the 'failing svn import operation'.
>
>
> [Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
> [Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88]
> ssl_init_ssl_connection: options=0x1114fff
>
>
> The tcpdump for this failure is at,
>
> http://www.livecipher.com/tlsext_dump/tlsext.dmp.4
>

As I mentioned, something strange is going on there. The server is sending
back empty session IDs, which shouldn't be happening if tickets are disabled
properly.

With an OpenSSL 0.9.8k client, can you try this, connecting to that server:

  openssl s_client -connect hostname.whatever.com:443 -servername hostname.whatever.com -tls1

Does any value appear after "Session-ID"? Hit Q to exit.

Also try:

  openssl s_client -connect hostname.whatever.com:443 -servername hostname.whatever.com -tls1 -no_ticket

Again, do you get anything after "Session-ID"?
Finally, this pair of commands:

  openssl s_client -connect hostname.whatever.com:443 -servername hostname.whatever.com -tls1 -sess_out foo.pem
  openssl s_client -connect hostname.whatever.com:443 -servername hostname.whatever.com -tls1 -sess_in foo.pem

Do you still get the error when you call the command with the server including SSL_OP_NO_TICKET?

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
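The three checks Steve asks for (plain -tls1 connect, -no_ticket, and -sess_out/-sess_in resumption) can be scripted so the answer does not depend on reading s_client output by eye. The following is an added example, not code from the thread, from mod_ssl or from OpenSSL. It does two things: parse_s_client() pulls the "Session-ID" and "TLS session ticket" lines out of saved s_client output, and probe() performs the same observation directly with Python's ssl module, connecting twice and reporting whether the second handshake resumed. diagnose() states what each combination means in the terms used above. The host and port are command-line arguments (assumed usage), and the two sample s_client summaries are constructed for illustration, not captured from the server in the thread.

```python
# Added example (not from the thread): scripted version of the s_client
# checks for session IDs vs. session tickets, plus a resumption probe.
import re
import socket
import ssl
import sys

# The two lines of the s_client session summary the message asks about.
SESSION_ID_RE = re.compile(r"^[ \t]*Session-ID:[ \t]*([0-9A-Fa-f]*)[ \t]*$", re.MULTILINE)
TICKET_RE = re.compile(r"^[ \t]*TLS session ticket:", re.MULTILINE)

# Constructed sample summaries (not real captures): one server that hands
# out a session ID, one that hands out only a ticket with an empty ID.
SAMPLE_WITH_ID = """SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9
    Session-ID-ctx: 
    Master-Key: 00
    Key-Arg   : None
    Start Time: 1256683641
    Timeout   : 300 (sec)
"""
SAMPLE_TICKET_ONLY = """SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 00
    Key-Arg   : None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6e 9a 00 00 00 00 00 00-00 00 00 00 00 00 00 00   n...............
    Start Time: 1256683641
"""


def parse_s_client(output):
    """Return the Session-ID hex string (empty if the server sent none) and
    whether a 'TLS session ticket:' block appeared in s_client output."""
    m = SESSION_ID_RE.search(output)
    return {
        "session_id": m.group(1) if m else "",
        "has_ticket": TICKET_RE.search(output) is not None,
    }


def diagnose(session_id, has_ticket, tickets_disabled):
    """Interpret one observation; tickets_disabled means SSL_OP_NO_TICKET
    (server side) or -no_ticket (client side) was in effect."""
    if has_ticket and tickets_disabled:
        return "ticket issued despite tickets being disabled: the option is not taking effect"
    if has_ticket:
        return "ticket-based resumption: an empty Session-ID is expected here"
    if session_id:
        return "session-ID resumption: the server will look this ID up in its cache"
    return "neither session ID nor ticket: the server offers no resumption, which is the odd case"


def probe(host, port=443, no_ticket=False):
    """Connect, keep the session, reconnect with it (like -sess_out then
    -sess_in) and report what came back. Capped at TLS 1.2 because below
    1.3 the session is complete once the handshake finishes, which matches
    the -tls1 client discussed in the thread. Certificate verification is
    the default one, so the server needs a trusted certificate."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if no_ticket:
        ctx.options |= ssl.OP_NO_TICKET  # client-side equivalent of -no_ticket
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as first:
            sess = first.session
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=sess) as second:
            resumed = second.session_reused
    return {
        "session_id": sess.id.hex() if sess is not None else "",
        "has_ticket": bool(sess is not None and sess.has_ticket),
        "resumed": resumed,
    }


if __name__ == "__main__":
    # Assumed usage: python tls_session_probe.py hostname.whatever.com [443]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for flag in (False, True):
        result = probe(target, target_port, no_ticket=flag)
        verdict = diagnose(result["session_id"], result["has_ticket"], flag)
        print("no_ticket=%s -> %s\n  %s" % (flag, result, verdict))
```

Run against a server with SSL_OP_NO_TICKET set, the expected picture is a non-empty session ID, no ticket and resumed=True on the second connect; an empty session ID with no ticket is the "strange" state described above, since nothing was handed out that the client could resume with.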