Communication is fine for initial session negotiation, and for SSL session resumption while the key remains in the cache. However, if the key has expired and we try to pass a new SSL Session ID to the client, the client response is rejected by the server.
The error the client is receiving is a handshake error 40 (0x28). The error description generated in the Apache error log is:

Library Error: 336117909 error:1408C095:lib(20):func(140):reason(149)
lib 20: SSL Library
func 140: EC_F_EC_GROUP_GET_FINISHED
reason 149: SSL_R_DIGEST_CHECK_FAILED

..and is generated after the server receives the client response to the ServerHello with certificate. The client response consists of a:
- ClientKeyExchange
- ChangeCipherSpec
- EncryptedHandshake

For this packet in question.
This does *not* happen against a 0.9.6-based mod_ssl of the same version of Apache.
Has anyone seen this specific error (SSL_R_DIGEST_CHECK_FAILED) before in an implementation?
Any information would be appreciated. We're frankly scratching our heads as to where this problem is coming from.
-- Ken Snider
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
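Added example, not part of the original post or of mod_ssl/OpenSSL: a Python sketch that parses the error line quoted in the message and checks that the decimal value, the hex code and the printed lib/func/reason fields all describe the same packed error. It assumes the pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason); the function names and the sample line are constructed for illustration.

```python
import re

# Constructed sample: the error text quoted in the post, as one log line.
SAMPLE = ("Library Error: 336117909 "
          "error:1408C095:lib(20):func(140):reason(149)")

# Matches the decimal code, the 8-digit hex code and the three printed fields.
LINE_RE = re.compile(
    r"Library Error:\s*(?P<dec>\d+)\s+"
    r"error:(?P<hex>[0-9A-Fa-f]{8})"
    r":lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)"
)


def unpack_error(code):
    """Split a packed error code, assuming the pre-3.0 OpenSSL layout."""
    return {
        "lib": (code >> 24) & 0xFF,     # top 8 bits: library number
        "func": (code >> 12) & 0xFFF,   # middle 12 bits: function number
        "reason": code & 0xFFF,         # low 12 bits: reason number
    }


def parse_error_line(line):
    """Return the decoded fields plus a list of inconsistencies, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("hex"), 16)
    fields = unpack_error(code)
    problems = []
    if int(m.group("dec")) != code:
        problems.append("decimal value does not match hex code")
    for name, value in fields.items():
        if int(m.group(name)) != value:
            problems.append(f"printed {name} does not match packed {name}")
    return {"code": code, **fields, "problems": problems}


if __name__ == "__main__":
    print(parse_error_line(SAMPLE))
```

An empty `problems` list means the line is internally consistent, so the reason number can be trusted when looking it up in the headers of the OpenSSL version actually linked into the server.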