httpd-dev mailing list archives

From Jean-Marc Desperrier <>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Mon, 16 Nov 2009 12:26:31 GMT
Stefan Fritsch wrote:
> On Tuesday 10 November 2009, Jean-Marc Desperrier wrote:
>> [ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ]
>> First there's the short SSLSessionCacheTimeout problem:
>> [...] If they actually are renegotiation caused by SSLSessionCacheTimeout,
>> [...], this means this was
>>   already broken in some way before, but it used to be of little
>>   consequences and will now be a huge problem.
>> Second there's the SSLVerifyClient optional problem:
>> [...]  what this comment report is that simply having SSLVerifyClient
>>  optional set, [...], will cause renegotiation to happen
>>  and therefore sites to break when TLS renegotiation is disabled.
> I cannot reproduce the problems. With an openssl that rejects all
> renegotiations, both reconnections after ssl session timeout and
> connections to a host with sslverifyclient optional work fine (with
> openssl s_client).

Thank you for your interest in that problem.

One thing still: everyone who uses client certificate authentication 
knows that there are many Apache configurations around that will force 
the user to repeatedly reauthenticate himself for apparently no good reason.

It's hard to believe the explanation is only that all of the concerned 
sites forgot to activate the "session resume" option.
SSLVerifyClient and SSLSessionCacheTimeout forcing unnecessary 
renegotiation did seem like a very plausible alternative explanation.

This fact is the very reason why the vilified "remember client 
certificate" option is there in Firefox 3.5 (it wasn't there in 3.0); 
there is a large number of bugs open on the subject in their Bugzilla:

I'll try to find out more about this. With so many users reporting that 
problem, there should be a way to get some more detailed information about 
what causes it, and whether it's related to erroneous renegotiation or not.
