List: apache-httpd-bugs
Subject: DO NOT REPLY [Bug 47055] New: SSLVerifyClient + Directory doesn't
From: bugzilla () apache ! org
Date: 2009-04-20 12:10:24
Message-ID: bug-47055-7868 () https ! issues ! apache ! org/bugzilla/
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Summary: SSLVerifyClient + Directory doesn't use cache sessions
Product: Apache httpd-2
Version: 2.2.11
Platform: HP
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: mike.pechkin@gmail.com
1. Simple httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
<skip>
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:log/ssl_scache(512000)
SSLMutex default
<skip>
<VirtualHost 172.25.16.86:8443>
ServerAdmin kuku@parks.lv
ServerName redhat1-mp.parks.lv
DocumentRoot "/mihailp1/www-secure"
SSLEngine on
SSLCertificateKeyFile "/root/redhat1-mp-ca/redhat1-mp.key"
SSLCertificateFile "/root/redhat1-mp-ca/redhat1-mp.crt"
SSLCACertificateFile "/root/redhat1-mp-ca/redhat1-mp-ca.crt"
<Directory /mihailp1/www-secure/s>
SSLVerifyDepth 3
SSLVerifyClient require
SSLOptions +OptRenegotiate
</Directory>
ErrorLog "logs/secure-error_log"
CustomLog "logs/secure-access_log" common
</VirtualHost>
2. Simple user's auth, cert imported to browser.
3. If I access the URL https://redhat1-mp.parks.lv:8443/s/test.txt
the browser opens a pop-up window to select which cert to use.
The problem is that the browser opens the pop-up window for every request; it doesn't use
the cache. So I see only SET requests:
[Mon Apr 20 14:59:36 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process
Session Cache: request=SET status=OK
id=DA696786BAFAD9ED6DF78942C7B98C3771A4614DF693ED9DF7EB10B619419ABC
timeout=299s (session caching)
The problem appears from openssl 0.9.8f; here is the CHANGELOG entry:
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
4. Check the diff between 0.9.8e and 0.9.8f for
ssl_sess.c:ssl_get_prev_session(). If I copy this function from the 0.9.8e version,
apache works as before.
5. It doesn't use SSL_CTX_set_session_id_context() in
ssl_engine_init.c:ssl_init_ctx_session_cache(), but it didn't help.
6. I have set up a test environment and can easily test a patch set.
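The symptom in step 3 is visible in the mod_ssl debug log: every request stores a session (request=SET) and no request ever resumes one. The following script is an added example, not part of the bug report or of httpd, that tallies the "Inter-Process Session Cache" entries and flags a log in which sessions are cached but never reused. The SET line format is taken from the report; the GET status values (FOUND, MISSED) used in the sample are an assumption about mod_ssl's lookup messages.

```python
import re
from collections import Counter

# Constructed sample of mod_ssl debug log output. The SET entries mirror the
# wrapped line in the report; the second session id is made up for the sample.
SAMPLE_LOG = """\
[Mon Apr 20 14:59:36 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process
Session Cache: request=SET status=OK
id=DA696786BAFAD9ED6DF78942C7B98C3771A4614DF693ED9DF7EB10B619419ABC
timeout=299s (session caching)
[Mon Apr 20 14:59:41 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process
Session Cache: request=SET status=OK
id=0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20
timeout=299s (session caching)
"""

# One regex tolerates the line wrapping seen in the report: \s+ spans newlines.
# The GET/FOUND shape is assumed, not copied from the page.
ENTRY_RE = re.compile(
    r"Inter-Process\s+Session\s+Cache:\s+request=(?P<req>\w+)\s+"
    r"status=(?P<status>\w+)\s+id=(?P<id>[0-9A-Fa-f]+)")


def summarize_session_cache(log_text):
    """Tally cache operations and list stored session ids that were never resumed."""
    ops = Counter()
    stored, reused = set(), set()
    for m in ENTRY_RE.finditer(log_text):
        key = (m["req"], m["status"])
        ops[key] += 1
        if key == ("SET", "OK"):
            stored.add(m["id"])
        elif key == ("GET", "FOUND"):
            reused.add(m["id"])
    return {"ops": dict(ops), "stored": len(stored), "reused": len(reused),
            "never_reused": sorted(stored - reused)}


def session_reuse_broken(summary):
    """True when sessions are being cached but no client ever resumes one."""
    return summary["stored"] > 0 and summary["reused"] == 0
```

Run it over a full debug-level ErrorLog: a healthy server shows GET hits for ids it stored earlier, while the behaviour described in the report yields only SET entries.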