httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Pechkin <mike.pech...@gmail.com>
Subject [users@httpd] SSLVerifyClient in apache + openssl
Date Wed, 15 Apr 2009 10:57:32 GMT
hi,

Is it a bug ?

This is scenarion for CentOS 5.3 (apache 2.2.3 + openssl-0.9.8e)
1. Simple httpd.conf (nothing special) + ssl part, selfsigned certs + CA:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:/var/cache/mod_ssl/ssl_scache(512000)
# try default too
SSLMutex default

<VirtualHost 172.25.16.86:8443>
    ...
    SSLEngine on
    <Location />
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>
    SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
    SSLCertificateFile  "/root/mihailp1-ca/mihailp1.crt"
    SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM

    <LocationMatch ^/nike(.*)>
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLOptions +OptRenegotiate
    </LocationMatch>
    ....
</VirtualHost>

2. I've installed a user's cert, it works:
# openssl verify -CAfile mihailp1-ca.crt browser.crt
browser.crt: OK


3. Interesting part starts here.
[Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process
Session Cache: request=SET status=OK
id=16EA972E4C09B2D7B7B788ABB2273BF3A0E3856A161CA98F62C083B2AF45A8AF
timeout=300s (session caching)

4. I see only "...request=SET..." requests and firefox open pop-up window
(User Identification request) to click OK. This is boring for 10k users.
It doesn't use session cache.

5. If i use apache + openssl 0.9.7 it works as before without pop-up window,
it uses the same certs and configs at the same time.

6. the problem in httpd is ssl_engine_kernel.c:

                if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
                    (verify_old == SSL_VERIFY_NONE) &&
                    ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
                {
                    renegotiate_quick = TRUE;
                    X509_free(peercert);
                }
7. SSL_get_peer_certificate in 0.9.8 returns NULL, openssl 0.9.7 returns not
NULL and variable renegotiate_quick sets TRUE and it will do *quick*
renegotiation.

Help.

--mpech

Mime
View raw message