httpd-dev mailing list archives

From Torsten Foertsch <torsten.foert...@gmx.net>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Mon, 16 Nov 2009 19:58:53 GMT
On Mon 16 Nov 2009, Jean-Marc Desperrier wrote:
> Here's the wireshark captured exchange between the client and server,
> note that "Hello Request" always *immediately* follows the end of the
> renegotiation. This is with Apache 2.2.11/OpenSSL 0.9.8i (not a
> production server) :
> > 217   19:30:50.745606 client_ip       server_ip       HTTP    GET /authentication/ HTTP/1.1
> > 218   19:30:50.747473 server_ip       client_ip       TLSv1   Hello Request
> > 219   19:30:50.747896 client_ip       server_ip       TLSv1   Client Hello
> > 220   19:30:50.749114 server_ip       client_ip       TLSv1   Server Hello, Certificate, Certificate Request, Server Hello Done
> > 257   19:30:59.267340 client_ip       server_ip       TLSv1   Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> > 259   19:30:59.288262 server_ip       client_ip       TLSv1   Change Cipher Spec, Finished
> > 260   19:30:59.289066 server_ip       client_ip       TLSv1   Hello Request
> > 262   19:30:59.289511 client_ip       server_ip       TLSv1   Client Hello
...
> > 510   19:31:37.260057 server_ip       client_ip       HTTP    HTTP/1.1 200 OK  (text/html)

I have noticed something similar. Don't know if it applies to you. If
your /authentication/ is a resource that generates a directory listing
via mod_autoindex, then Apache issues a subrequest for each directory
entry. Now, if only /authentication/ requires a client certificate but
the VHost or base server does not, then each entry leads to a
renegotiation. Correct me if I am wrong, but that is how I have
explained the behavior to myself.

Torsten

-- 
Need professional mod_perl support?
Just hire me: torsten.foertsch@gmx.net
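
A way to check a capture for the pattern discussed in this message, as an added example that is not part of the original e-mail or of mod_ssl: it counts server-sent Hello Requests between each HTTP request and its response in a Wireshark summary export using the column layout quoted above. The sample rows, the function names and the threshold are constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in the column layout of the quoted capture:
# frame, time, source, destination, protocol, info.
SAMPLE = """\
10 10:00:00.000100 client_ip server_ip HTTP GET /authentication/ HTTP/1.1
11 10:00:00.001900 server_ip client_ip TLSv1 Hello Request
12 10:00:00.002300 client_ip server_ip TLSv1 Client Hello
13 10:00:00.003500 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
14 10:00:08.500000 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
15 10:00:08.520000 server_ip client_ip TLSv1 Change Cipher Spec, Finished
16 10:00:08.521000 server_ip client_ip TLSv1 Hello Request
...
19 10:00:08.531000 server_ip client_ip TLSv1 Hello Request
20 10:00:09.000000 server_ip client_ip HTTP HTTP/1.1 200 OK  (text/html)
21 10:00:10.000000 client_ip server_ip HTTP GET /index.html HTTP/1.1
22 10:00:10.010000 server_ip client_ip HTTP HTTP/1.1 200 OK  (text/html)
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")
REQUEST = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/")
Result = namedtuple("Result", "frame path hello_requests")

def renegotiations_per_request(capture):
    """Count server-sent Hello Requests between each HTTP request and its response."""
    open_reqs = {}  # (client, server) -> [request frame, path, Hello Request count]
    results = []
    for line in capture.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # elided rows ("...") and blank lines carry no frame
        frame, _time, src, dst, proto, info = m.groups()
        req = REQUEST.match(info) if proto == "HTTP" else None
        if req:
            open_reqs[(src, dst)] = [int(frame), req.group(2), 0]
        elif proto == "HTTP" and info.startswith("HTTP/"):
            pending = open_reqs.pop((dst, src), None)
            if pending:
                results.append(Result(*pending))
        elif "Hello Request" in [p.strip() for p in info.split(",")]:
            # Hello Request travels server -> client; requests are keyed (client, server).
            if (dst, src) in open_reqs:
                open_reqs[(dst, src)][2] += 1
    return results

def flag_repeated(results, threshold=1):
    """Return the requests that drew more than `threshold` Hello Requests."""
    return [r for r in results if r.hello_requests > threshold]
```

A single Hello Request per request is what a per-directory client certificate requirement alone would produce; a higher count per request is the repeated pattern this thread describes.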
