
Mailing List Archive: Apache: Bugs

[Bug 48215] Renegocation requires multiple client authentication

 

 



bugzilla at apache

Nov 17, 2009, 10:59 AM

Post #1 of 5
[Bug 48215] Renegocation requires multiple client authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

jmdesp [at] gmail changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Renegocation requires       |Renegocation requires
                   |multiple client             |multiple client
                   |authentification            |authentication

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd


bugzilla at apache

Nov 17, 2009, 11:01 AM

Post #2 of 5
[Bug 48215] Renegocation requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #1 from jmdesp [at] gmail 2009-11-17 11:01:43 UTC ---
Created an attachment (id=24553)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24553)
A complete package of files, for reproduction, with a full capture of the
problem



bugzilla at apache

Nov 18, 2009, 5:40 AM

Post #3 of 5
[Bug 48215] Renegocation requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

Joe Orton <jorton [at] redhat> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #24552|application/octet-stream    |text/plain
          mime type|                            |



bugzilla at apache

Nov 18, 2009, 5:51 AM

Post #4 of 5
[Bug 48215] Renegocation requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #2 from Joe Orton <jorton [at] redhat> 2009-11-18 05:51:41 UTC ---
This is a bug in the handling of "SSLVerifyDepth 0" in per-dir context.
mod_ssl is forcing a renegotiation each time because it doesn't cache the
verify_depth as zero correctly:

[Tue Nov 17 19:54:25 2009] [debug] ssl_engine_kernel.c(423): [client
172.30.25.84] Reduced client verification depth will force renegotiation,
referer: https://172.30.24.37/

To fix this, either of:

a) configure client cert CA verification properly, and remove or increase the
SSLVerifyDepth setting, or

b) move the SSLVerifyDepth setting to vhost context, outside the <Location>
block

should work.

--

In ssl_hook_Access, the code uses sslconn->verify_depth as the "current" verify
depth only if non-zero, otherwise falling back to the vhost's verify depth.

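The depth check described in comment #2, as an added example that is not part of the thread and is not mod_ssl's source: a simplified C model in which `conn_model`, `depth_check`, `count_renegotiations` and `DEPTH_UNSET` are hypothetical names. It covers only the verify-depth comparison and assumes the per-dir depth is cached on the connection after each renegotiation.

```c
#include <stdio.h>

#define DEPTH_UNSET (-1)  /* hypothetical sentinel for "no depth cached yet" */

/* Simplified model of the depth check; names are illustrative, not mod_ssl's. */
struct conn_model {
    int verify_depth;  /* depth in effect on this TLS connection */
};

/* Returns 1 when the request forces a renegotiation, 0 otherwise.
 * `unset` is the value meaning "nothing cached": 0 reproduces the behaviour
 * described in comment #2, DEPTH_UNSET lets a cached zero be told apart. */
static int depth_check(struct conn_model *c, int unset,
                       int vhost_depth, int dir_depth)
{
    int current = (c->verify_depth != unset) ? c->verify_depth : vhost_depth;

    if (dir_depth < current) {
        c->verify_depth = dir_depth;  /* remember the depth just negotiated */
        return 1;
    }
    return 0;
}

/* Count renegotiations over several requests on one keep-alive connection. */
static int count_renegotiations(int requests, int unset,
                                int vhost_depth, int dir_depth)
{
    struct conn_model c = { unset };
    int i, n = 0;

    for (i = 0; i < requests; i++)
        n += depth_check(&c, unset, vhost_depth, dir_depth);
    return n;
}

int main(void)
{
    /* Constructed inputs: 5 requests; vhost depth 1 is assumed unless stated. */
    printf("per-dir 0, zero means unset : %d\n", count_renegotiations(5, 0, 1, 0));
    printf("per-dir 0, distinct sentinel: %d\n", count_renegotiations(5, DEPTH_UNSET, 1, 0));
    printf("per-dir 2 under vhost 3     : %d\n", count_renegotiations(5, 0, 3, 2));
    printf("depth 0 set at vhost level  : %d\n", count_renegotiations(5, 0, 0, 0));
    return 0;
}
```

The last case corresponds to option b) in comment #2: with the depth set at vhost level the comparison never sees a reduction, so the depth check triggers no renegotiation.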


bugzilla at apache

Nov 18, 2009, 8:26 AM

Post #5 of 5
[Bug 48215] Renegocation requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #3 from jmdesp [at] gmail 2009-11-18 08:26:00 UTC ---
I confirm that using the following configuration works around the problem:

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile "${path}/apache/conf/authentication.cer"
    SSLCertificateKeyFile "${path}/apache/conf/authentication.key"
    SSLVerifyDepth 0
    <Location /authentication/>
        SSLVerifyClient optional_no_ca
    </Location>
    DocumentRoot "${path}/www"
</VirtualHost>

Unfortunately, the source of the problem is far from obvious, so I think the
workaround is not enough.

