
bugzilla at apache
Nov 17, 2009, 10:59 AM
[Bug 48215] New: Renegocation requires multiple client authentification
https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

           Summary: Renegocation requires multiple client authentification
           Product: Apache httpd-2
           Version: 2.2.13
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs [at] httpd
        ReportedBy: jmdesp [at] gmail

Created an attachment (id=24552)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24552)
The error log with LogLevel debug

After connecting to a URL without client authentication, connecting to a URL that requires it starts an SSL renegotiation several times instead of only once.

The exact number of renegotiations depends on some unknown factor. I have a full repro procedure from scratch where it will be 2 times, but also a server locally where it is 6 times.

I'll attach:
- an http.conf that reproduces the problem
- the self-signed certificate and private key of the server
- the content of error.log after an instance of this problem
- a .cap file of the exchange between the client and the server
- the decoding of the exchange with
  tshark -V -o "ssl.keys_list: 172.30.24.37,443,http,apache/conf/authentication.key"

Full repro procedure based on EasyPHP 5.3.0 ( Apache/2.2.13 (Win32) - OpenSSL/0.9.8k ):

- download and install EasyPHP 5.3.0 (
- edit its default httpd.conf:

    Listen *:443
    LoadModule ssl_module modules/mod_ssl.so
    SSLSessionCache "shmcb:${path}/apache/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 3000
    SSLCipherSuite AES+RSA+SHA1
    NameVirtualHost *:443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile "${path}/apache/conf/authentication.cer"
        SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
        <Location /authentication/>
            SSLVerifyClient optional_no_ca
            SSLVerifyDepth 0
        </Location>
        DocumentRoot "${path}/www"
    </VirtualHost>

- create an index.html file in /www:

    <html><head><title> authentication test </title></head>
    <body>authentication test<hr>
    <a href="/authentication" >authentication link</a>
    </body></html>

- create /www/authentication
- copy index.html inside /www/authentication
- connect firefox to /
- follow the link on the page to /authentication
- You'll need a client certificate (a sample p12 is included in the repro files)
- Have the "remember certificate" option unchecked
- Apache will immediately request authentication a second time
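
Added example (not part of the original report and not Apache's own code): one way to check an error log for the symptom described in the report, several renegotiation requests for the same client in quick succession. It assumes mod_ssl logs the message "Requesting connection re-negotiation" for each server-initiated renegotiation and an Apache 2.2-style error log layout; the function name, the 5-second window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mod_ssl message marking a server-initiated renegotiation.
RENEG_MARKER = "Requesting connection re-negotiation"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\S+\(\d+\): )?(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

def renegotiation_bursts(lines, window_seconds=5):
    """Return {client: [burst sizes]} for runs of more than one renegotiation
    request, each within window_seconds of the previous one."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or RENEG_MARKER not in m.group("msg"):
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        # Lines without a [client ...] prefix are grouped under "unknown".
        times[m.group("client") or "unknown"].append(ts)
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for client, stamps in times.items():
        stamps.sort()
        sizes, run = [], 1
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= window:
                run += 1          # same burst: another renegotiation right away
            else:
                sizes.append(run)
                run = 1
        sizes.append(run)
        repeated = [n for n in sizes if n > 1]
        if repeated:
            bursts[client] = repeated
    return bursts

# Constructed sample lines (not taken from the attached error log).
SAMPLE_LOG = """\
[Tue Nov 17 10:40:01 2009] [info] [client 192.0.2.10] Requesting connection re-negotiation
[Tue Nov 17 10:40:01 2009] [debug] ssl_engine_kernel.c(0): [client 192.0.2.10] Performing full renegotiation: complete handshake protocol
[Tue Nov 17 10:40:03 2009] [info] [client 192.0.2.10] Requesting connection re-negotiation
[Tue Nov 17 10:45:00 2009] [info] [client 192.0.2.20] Requesting connection re-negotiation
""".splitlines()

if __name__ == "__main__":
    print(renegotiation_bursts(SAMPLE_LOG))
```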