Maarten Litmaath wrote:
Hi Stephen,

I can't see how anything could cause an issue with 85 CAs. The attached
descriptions imply it might be a mod_ssl issue (not reproducible with
s_server).

There is a bit more information now in our ticket:

    https://savannah.cern.ch/bugs/?48458

Romain Wartel wrote:

 > So 4 conditions need to be met to reproduce the bug:
 > - More than ~85 root CAs installed (the exact number varies)
 > - The host certificate has been issued by the CERN CA
 > - OpenSSL is configured to check the client side certificate
 >   (optional or required)
 > - Both the CERN-Root CA and the CERN-TCA CA have to be installed

However, Lassi A. Tuura then wrote:

 > There is only one known condition triggering the problem,
 > as quoted earlier in this thread: SSL re-negotiation response >= 12kB
 > leads to failure to flush the data to socket leading to server and
 > client to wait indefinitely for each other.
 >
 > There's any number of ways to trim or expand the SSL response size
 > to cross that threshold.

The CERN CA has the second biggest size of all ~90 CAs currently
supported by IGTF, which might explain why only CERN services are
affected at this time.  OTOH, it does not look very different from
others in the top 10:

1e12d831.0 2594
1d879c6c.0 2204
9ff26ea4.0 2143
55994d72.0 2029
9dd23746.0 1996
0a2bac92.0 1976
f5ead794.0 1919
03aa0ecb.0 1907
6fee79b0.0 1903
fe102e03.0 1900

Then again, we may need to add the size of the CERN _Root_ CA:

d254cc30.0 1350

But there are other such chained CAs that do not cause problems...

I'd suggest trying OpenSSL 0.9.8k as well though because some code
changes might have an effect in that area.

Steve Traylen wrote:

 > it hangs the same, remove a few CAs and it works.
 >
 > # rpm -q httpd mod_ssl openssl fedora-release
 > httpd-2.2.11-8.x86_64
 > mod_ssl-2.2.11-8.x86_64
 > openssl-0.9.8k-4.fc11.x86_64
 > fedora-release-11-1.noarch

Might it be worth trying 1.0.0 as well?
Thanks,
    Maarten
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org


In the past we could download a file with CA certificates (ca-bundle.crt.tar.gz) from the mod_ssl site. The file has since been removed, but it contained more than 90 certificates (PEM format, concatenated together).

I can confirm that the problem is not in the number of certificates in the file or in the hash directory, as I test regularly with various OpenSSL versions starting from 0.9.6.

Maybe the problem is in the 64-bit OpenSSL (Fedora?) build?

Roumen
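Lassi's condition above is a size threshold on the renegotiation response, not a CA count, which fits the observation that removing "a few CAs" makes the hang go away. The following added example (not code from this thread or from OpenSSL or mod_ssl) estimates the one part of that response that grows with the installed CAs: the certificate_authorities list in the TLS CertificateRequest, which carries the DER subject name of every trusted CA (2-byte length prefix per name, 2-byte total length, RFC 5246 section 7.4.4). Feeding it a real ca-bundle.crt or the concatenated contents of a hash directory gives the byte count to compare with the 12kB figure. The assumption that this list dominates the response size, the 12kB threshold, the minimal DER parser and the constructed unsigned sample certificates are all the example's own.

```python
"""Estimate the certificate_authorities size a TLS server advertises when it
requests a client certificate. Added example: the DER handling is a minimal
parser written for this demonstration, not an OpenSSL or mod_ssl routine."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
OID_O, OID_CN = bytes.fromhex("55040a"), bytes.fromhex("550403")


def pem_bundle_to_der(text):
    """Split a concatenated PEM bundle (like ca-bundle.crt) into DER certs."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def der_to_pem(der_certs):
    """Inverse of pem_bundle_to_der, used to build a sample bundle."""
    return "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c).decode()
                   + "-----END CERTIFICATE-----\n" for c in der_certs)


def der_read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, raw_tlv) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, nxt = der_read_tlv(value, pos)
        yield tag, value[pos:nxt]
        pos = nxt


def subject_name_der(cert_der):
    """Raw DER subject Name of an X.509 certificate. tbsCertificate fields:
    [0] version (optional), serialNumber, signature, issuer, validity, subject, ..."""
    _, cert_body, _ = der_read_tlv(cert_der)      # Certificate SEQUENCE
    _, tbs, _ = der_read_tlv(cert_body)           # tbsCertificate SEQUENCE
    fields = [raw for tag, raw in der_children(tbs) if tag != 0xA0]
    return fields[4]                              # index 4 == subject


def certificate_request_ca_list_size(der_certs):
    """Bytes of the certificate_authorities field: 2-byte total length plus,
    per CA, a 2-byte length prefix and its DER DistinguishedName."""
    return 2 + sum(2 + len(subject_name_der(c)) for c in der_certs)


def exceeds_threshold(der_certs, threshold=12 * 1024):
    """Assumed threshold: the 12kB figure quoted in the thread."""
    return certificate_request_ca_list_size(der_certs) >= threshold


# --- constructed sample data: structurally valid but unsigned certificates ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(org, cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, PrintableString values."""
    def atv(oid, s):
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, s.encode())))
    return der_tlv(0x30, atv(OID_O, org) + atv(OID_CN, cn))


def build_unsigned_sample_cert(name_der):
    """Self-issued v3 certificate skeleton with an empty SPKI and dummy signature."""
    alg = der_tlv(0x30, der_tlv(0x06, SHA256_WITH_RSA))
    validity = der_tlv(0x30, der_tlv(0x17, b"090101000000Z") + der_tlv(0x17, b"290101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name_der + validity + name_der + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))


def sample_bundle(n):
    """n constructed CA certificates with distinct short DNs (53 bytes each)."""
    return [build_unsigned_sample_cert(der_name("Example Org %03d" % i, "Example CA %03d" % i))
            for i in range(n)]


if __name__ == "__main__":
    import sys
    certs = pem_bundle_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else sample_bundle(90)
    print(len(certs), "CAs, certificate_authorities =",
          certificate_request_ca_list_size(certs), "bytes, over 12kB:", exceeds_threshold(certs))
```

Run it with the path to a PEM bundle to get the real figure; the constructed DNs are far shorter than production ones, so the sample needs over 200 CAs to cross the threshold where a real bundle of ~90 IGTF CAs may not be far from it. On the mitigation side, mod_ssl can advertise a shorter DN list than the set it actually trusts (the SSLCADNRequestFile directive), which keeps the CertificateRequest small without removing CAs from the verification store.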



