httpd-dev mailing list archives

From Jean-Marc Desperrier <>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Wed, 18 Nov 2009 19:32:13 GMT
Stefan Fritsch wrote:
> I cannot reproduce the problems. With an openssl that rejects all
> renegotiations, both reconnections after ssl session timeout and
> connections to a host with sslverifyclient optional work fine (with
> openssl s_client).

I have now succeeded in reproducing at least partially the 
"SSLVerifyClient optional" problem, though what I'm testing is not 
exactly the same as you.

I'm testing that with a server where the vhost context has 
"SSLVerifyClient None" and a /authentication directory has 
"SSLVerifyClient optional", requests that alternate between these two 
directories will repeatedly require authentication even when you have 
already authenticated yourself inside the same SSL session.

The setup is the same as in , with 
SSLVerifyDepth 0 moved to vhost context in order to work around the 
initial bug 48215 problem.

I just need the following change in the reproduction steps to reproduce 
from Firefox:
- load /
- load /authentification
- just click enter to accept authentication
- press back to return to /
- press F5 to force reload
- load /authentification
- press F5 to force reload
- authentication is requested again by a server initiated renegotiation

Doing this fast enough (less than 4 or 5 seconds between each step), 
Firefox doesn't close the TCP connection, so it happens inside the same 
already authenticated SSL session, with no SSL session resume involved.

I think that in bug 48228, when I describe that reloading the page 
causes renegotiation, it's the same bug.

So I don't know if Joe prefers that I open another bug for this, or 
wants to handle this in bug 48228.

I have validated that the behavior is the same when the client doesn't 
provide a certificate after the renegotiation. It's not really 
surprising but it's interesting in the light of the case of people 
having set "SSLVerifyClient optional" by error, and not actually using 
client certificates.

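An added example, not part of the original message or of mod_ssl: a Python audit for the layout the message describes, a per-directory SSLVerifyClient or SSLVerifyDepth that differs from the enclosing vhost's value, which is where mod_ssl asks for a renegotiation. The function name, the sample paths and the single-file parsing (no Include or .htaccess handling) are assumptions.

```python
import re

# Watched directives with mod_ssl's defaults when nothing is set at vhost level.
WATCHED = {"sslverifyclient": "none", "sslverifydepth": "1"}
SCOPED = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}

def find_renegotiation_triggers(conf_text):
    """Return (line, vhost, section, directive, inherited, local) per mismatch."""
    base, scoped, vhost, sections = {}, [], "global", []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>$", line)
        if tag:  # section open/close: track the vhost and per-directory scope
            closing, name, arg = tag.group(1), tag.group(2).lower(), tag.group(3).strip()
            if name == "virtualhost":
                vhost = "global" if closing else arg
            elif name in SCOPED:
                sections = sections[:-1] if closing else sections + [f"{name} {arg}"]
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in WATCHED and len(parts) == 2:
            value = parts[1].strip().lower()
            if sections:   # per-directory context
                scoped.append((no, vhost, sections[-1], key, value))
            else:          # vhost or global server context
                base[(vhost, key)] = value
    findings = []
    for no, vh, section, key, value in scoped:
        inherited = base.get((vh, key), base.get(("global", key), WATCHED[key]))
        if value != inherited:
            findings.append((no, vh, section, key, inherited, value))
    return findings

# Constructed sample mirroring the setup in the message (paths are made up).
SAMPLE = """\
<VirtualHost *:443>
    SSLVerifyClient none
    SSLVerifyDepth 0
    <Directory /var/www/authentication>
        SSLVerifyClient optional
    </Directory>
</VirtualHost>
"""
if __name__ == "__main__":
    print(find_renegotiation_triggers(SAMPLE))
```

Each finding is a path on which the server will initiate a renegotiation, so it is a place to check before deploying an OpenSSL build that rejects renegotiation.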