Mailing List Archive: Apache: Bugs

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication

Index | Next | Previous | View Threaded

bugzilla at apache

Nov 18, 2009, 9:33 AM

Post #1 of 5 (573 views)
Permalink

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

jmdesp [at] gmail changed:

What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://issues.apache.org/b
| |ugzilla/show_bug.cgi?id=482
| |28
Blocks| |48228
Summary|Renegocation requires |Renegotiation with
|multiple client |SSLVerifyDepth 0 requires
|authentication |multiple client
| |authentication

--- Comment #4 from jmdesp [at] gmail 2009-11-18 09:33:21 UTC ---
This said this modification does not fix the other problem with mod_autoindex
that Torsten Foertsch signaled.
It somehow does significantly reduces the number of renegociations, I get only
2 renegociation whilst there must have been around 10 before (with 10 files and
SSLVerifyDepth 0 within the directory context).

I opened bug 48228 for this issue.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd

bugzilla at apache

Nov 19, 2009, 12:12 AM

Post #2 of 5 (546 views)
Permalink

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #5 from Joe Orton <jorton [at] redhat> 2009-11-19 00:12:40 UTC ---
Yup, I suggest a workaround because I don't (yet) have a patch - it's clearly a
bug which can and should be fixed.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd

bugzilla at apache

Nov 22, 2009, 4:56 AM

Post #3 of 5 (529 views)
Permalink

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

Kaspar Brand <asfbugz [at] velox> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |asfbugz [at] velox

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd

bugzilla at apache

Nov 22, 2009, 4:56 AM

Post #4 of 5 (532 views)
Permalink

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #6 from Kaspar Brand <asfbugz [at] velox> 2009-11-22 04:56:24 UTC ---
Created an attachment (id=24583)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24583)
Proposed fix

(In reply to comment #5)
> it's clearly a bug which can and should be fixed.

I guess I inadvertently introduced this bug when adding support for handling
SNI configurations. The attached patch should adress this issue, I believe.

BTW, note that when I was testing a similar configuration with OpenSSL
1.0.0-beta4 and a checkout of OpenSSL_0_9_8-stable, I noticed that these two
OpenSSL checkins:

http://cvs.openssl.org/chngview?cn=18318
http://cvs.openssl.org/chngview?cn=18320

actually necessitate a backport of either r787722 or r788715, otherwise the
renegotiation will stall. I would recommend to include these with 2.2.15.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd

bugzilla at apache

Nov 26, 2009, 2:53 AM

Post #5 of 5 (486 views)
Permalink

[Bug 48215] Renegotiation with SSLVerifyDepth 0 requires multiple client authentication [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=48215

--- Comment #7 from Joe Orton <jorton [at] redhat> 2009-11-26 02:53:14 UTC ---
Thanks Kaspar!

So that OpenSSL change is effectively breaking backwards compat? What a PITA.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads