httpd-dev mailing list archives

From Jean-Marc Desperrier <jmd...@free.fr>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Mon, 16 Nov 2009 19:21:20 GMT
Jean-Marc Desperrier wrote:
> Everyone who uses client certificate authentication knows that there are
> many Apache configurations around that will force the user to repeatedly
> reauthenticate himself for apparently no good reason.
>
> It's hard to believe the explanation is only that all of the concerned
> sites forgot to activate the "session resume" option.
> SSLVerifyClient and SSLSessionCacheTimeout forcing unnecessary
> renegotiation did seem like a very plausible alternative explanation.
> [...]
>
> I'll try to find out more about this; with so many users reporting that
> problem, there should be a way to get some more detailed info about what
> causes it, whether it's related to erroneous renegotiation or not.

OK, so in fact I have one Apache instance available locally with a 
problem of this kind. It's configured to not require client 
authentication by default, but to require it on the /authentication URL.

So what happens truly is that after Firefox does a request to 
/authentication, mod_ssl does renegotiation 6 times in a row for 
apparently no reason.

An interesting point is that Firefox is *not* reusing the SSL session in 
that case; for some reason it sends a SessionID of 0 after the "Hello 
Request" from the server. I'll forward that to the NSS team, because if 
that behavior continues, it will be no use to implement the IETF draft 
for secure renegotiation; it will fail all the same.

In that specific case, there's not much useful to learn: we get several 
re-authentications where only one was needed, but after that it's OK, no 
more needless renegotiation requests. But I hear that in some 
configurations there's a reauthentication every time the user requires a 
resource. I'll check if I can find more, if it's not just a case of 
SSLSessionCache not being enabled.

Here's the Wireshark captured exchange between the client and server; 
note that "Hello Request" always *immediately* follows the end of the 
renegotiation. This is with Apache 2.2.11/OpenSSL 0.9.8i (not a 
production server):
> 217	19:30:50.745606	client_ip	server_ip	HTTP	GET /authentication/ HTTP/1.1
> 218	19:30:50.747473	server_ip	client_ip	TLSv1	Hello Request
> 219	19:30:50.747896	client_ip	server_ip	TLSv1	Client Hello
> 220	19:30:50.749114	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 257	19:30:59.267340	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 259	19:30:59.288262	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 260	19:30:59.289066	server_ip	client_ip	TLSv1	Hello Request
> 262	19:30:59.289511	client_ip	server_ip	TLSv1	Client Hello
> 263	19:30:59.290741	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 282	19:31:07.747697	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 284	19:31:07.768765	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 285	19:31:07.769681	server_ip	client_ip	TLSv1	Hello Request
> 287	19:31:07.770128	client_ip	server_ip	TLSv1	Client Hello
> 288	19:31:07.771261	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 309	19:31:12.237699	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 311	19:31:12.258634	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 312	19:31:12.259583	server_ip	client_ip	TLSv1	Hello Request
> 314	19:31:12.260044	client_ip	server_ip	TLSv1	Client Hello
> 315	19:31:12.261187	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 441	19:31:17.613690	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 443	19:31:17.634661	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 444	19:31:17.635574	server_ip	client_ip	TLSv1	Hello Request
> 446	19:31:17.636005	client_ip	server_ip	TLSv1	Client Hello
> 447	19:31:17.638787	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 467	19:31:21.725473	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 469	19:31:21.746555	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 470	19:31:21.747127	server_ip	client_ip	TLSv1	Hello Request
> 472	19:31:21.747552	client_ip	server_ip	TLSv1	Client Hello
> 473	19:31:21.748911	server_ip	client_ip	TLSv1	Server Hello, Certificate, Certificate Request, Server Hello Done
> 507	19:31:37.237284	client_ip	server_ip	TLSv1	Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 509	19:31:37.258081	server_ip	client_ip	TLSv1	Change Cipher Spec, Finished
> 510	19:31:37.260057	server_ip	client_ip	HTTP	HTTP/1.1 200 OK  (text/html)
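As an added illustration (not part of the original message), here is a small Python checker that walks the kind of tab-separated Wireshark/tshark summary lines quoted above and counts the pattern the message describes: a server "Hello Request" sent immediately after the server's own Finished, and client handshakes that carry a "Certificate Verify" (a full client-certificate authentication rather than a resumed session). The sample lines are constructed from the capture's layout and shortened to two renegotiation rounds; the six-column layout and the host labels are assumptions.

```python
from collections import Counter

# Constructed sample in the layout quoted in the message
# (frame, time, src, dst, proto, info), cut down to two rounds.
SAMPLE = """\
217\t19:30:50.745606\tclient_ip\tserver_ip\tHTTP\tGET /authentication/ HTTP/1.1
218\t19:30:50.747473\tserver_ip\tclient_ip\tTLSv1\tHello Request
219\t19:30:50.747896\tclient_ip\tserver_ip\tTLSv1\tClient Hello
220\t19:30:50.749114\tserver_ip\tclient_ip\tTLSv1\tServer Hello, Certificate, Certificate Request, Server Hello Done
257\t19:30:59.267340\tclient_ip\tserver_ip\tTLSv1\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
259\t19:30:59.288262\tserver_ip\tclient_ip\tTLSv1\tChange Cipher Spec, Finished
260\t19:30:59.289066\tserver_ip\tclient_ip\tTLSv1\tHello Request
262\t19:30:59.289511\tclient_ip\tserver_ip\tTLSv1\tClient Hello
263\t19:30:59.290741\tserver_ip\tclient_ip\tTLSv1\tServer Hello, Certificate, Certificate Request, Server Hello Done
282\t19:31:07.747697\tclient_ip\tserver_ip\tTLSv1\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
284\t19:31:07.768765\tserver_ip\tclient_ip\tTLSv1\tChange Cipher Spec, Finished
510\t19:31:37.260057\tserver_ip\tclient_ip\tHTTP\tHTTP/1.1 200 OK  (text/html)
"""


def parse(text):
    """Reduce each summary line to (src, proto, info); skip malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 6:
            rows.append((fields[2], fields[4], fields[5]))
    return rows


def renegotiation_stats(text, server="server_ip"):
    """Count Hello Requests, those chained right after the server's own
    Finished, and client Finished frames split into full client-cert
    handshakes (Certificate Verify present) versus resumed sessions."""
    stats = Counter()
    prev_src, prev_info = None, ""
    for src, proto, info in parse(text):
        from_server = src == server
        if proto == "TLSv1" and from_server and info == "Hello Request":
            stats["hello_requests"] += 1
            if prev_src == server and prev_info.endswith("Finished"):
                stats["hello_right_after_finished"] += 1
        elif proto == "TLSv1" and not from_server and info.endswith("Finished"):
            key = "full_client_auth" if "Certificate Verify" in info else "resumed"
            stats[key] += 1
        prev_src, prev_info = src, info
    # Only one client authentication is needed per request; the rest is waste.
    stats["needless_renegotiations"] = max(stats["hello_requests"] - 1, 0)
    return dict(stats)
```

Run against a full `tshark -r capture.pcap` summary export, a non-zero `needless_renegotiations` or `hello_right_after_finished` count reproduces the chaining the message points out.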