Maarten Litmaath wrote:
> Hi Stephen,
> 
>> I can't see how anything could cause an issue with 85 CAs. The attached
>> descriptions imply it might be a mod_ssl issue (not reproducible with
>> s_server).
> 
> There is a bit more information now in our ticket:
> 
>     https://savannah.cern.ch/bugs/?48458
> 
> Romain Wartel wrote:
> 
>  > So 4 conditions need to be met to reproduce the bug:
>  > - More than ~85 root CAs installed (the exact number varies)
>  > - The host certificate has been issued by the CERN CA
>  > - OpenSSL is configured to check the client side certificate
>  >   (optional or required)
>  > - Both the CERN-Root CA and the CERN-TCA CA have to be installed
> 
> However, Lassi A. Tuura then wrote:
> 
>  > There is only one known condition triggering the problem,
>  > as quoted earlier in this thread: SSL re-negotiation response >= 12kB
>  > leads to failure to flush the data to socket leading to server and
>  > client to wait indefinitely for each other.
>  >
>  > There's any number of ways to trim or expand the SSL response size
>  > to cross that threshold.
> 
> The CERN CA has the second biggest size of all ~90 CAs currently
> supported by IGTF, which might explain why only CERN services are
> affected at this time.  OTOH, it does not look very different from
> others in the top 10:
> 
> 1e12d831.0 2594
> 1d879c6c.0 2204
> 9ff26ea4.0 2143
> 55994d72.0 2029
> 9dd23746.0 1996
> 0a2bac92.0 1976
> f5ead794.0 1919
> 03aa0ecb.0 1907
> 6fee79b0.0 1903
> fe102e03.0 1900
> 
> Then again, we may need to add the size of the CERN _Root_ CA:
> 
> d254cc30.0 1350
> 
> But there are other such chained CAs that do not cause problems...
> 
>> I'd suggest trying OpenSSL 0.9.8k as well though because some code
>> changes might have an effect in that area.
> 
> Steve Traylen wrote:
> 
>  > it hangs the same, remove a few CAs and it works.
>  >
>  > # rpm -q httpd mod_ssl openssl fedora-release
>  > httpd-2.2.11-8.x86_64
>  > mod_ssl-2.2.11-8.x86_64
>  > openssl-0.9.8k-4.fc11.x86_64
>  > fedora-release-11-1.noarch
> 
> Might it be worth trying 1.0.0 as well?
> Thanks,
>     Maarten
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
> 

In the past we could download a file with CA certificates 
(ca-bundle.crt.tar.gz) from the mod_ssl site. The file has now been removed, 
but it contained more than 90 certificates (PEM format, concatenated together).

I can confirm that the problem is not in the number of certificates in the 
file or hash-dir, as I test regularly with various OpenSSL versions 
starting from 0.9.6.

Maybe the problem is in a 64-bit OpenSSL (Fedora?) build?

Roumen
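The size argument in this thread can be checked offline before touching a server: when client certificates are requested, the server's handshake flight carries its own chain in the Certificate message and the DER-encoded subject name of every trusted CA in the CertificateRequest (RFC 5246, section 7.4.4), so a large CA directory and a large host chain both push the flight toward the ~12 kB figure Lassi quoted. The script below is an added example, not code from this thread, from OpenSSL or from mod_ssl. It uses a small hand-written DER walker rather than a crypto library, and the certificates it builds for its own demonstration are constructed, unsigned placeholders. It counts only the Certificate and CertificateRequest messages, so the number is a lower bound on the flight size.

```python
import base64
import re

# Matches each PEM certificate body in a concatenated bundle (or a cat of the *.0 hash files)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(bundle_text)]


def read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, content_start, content_len)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, length


def subject_name_der(cert_der):
    """Return the DER-encoded subject Name (whole Name TLV) of an X.509 certificate."""
    tag, pos, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    if cert_der[pos] == 0xA0:                    # optional [0] EXPLICIT version
        _, start, length = read_tlv(cert_der, pos)
        pos = start + length
    for _ in range(4):                           # serialNumber, signature, issuer, validity
        _, start, length = read_tlv(cert_der, pos)
        pos = start + length
    tag, start, length = read_tlv(cert_der, pos)  # subject Name
    if tag != 0x30:
        raise ValueError("bad subject Name")
    return cert_der[pos:start + length]


def certificate_request_ca_list_bytes(ca_ders):
    """Bytes of the certificate_authorities vector in a TLS CertificateRequest:
    2-byte vector length plus one 2-byte-prefixed DistinguishedName per trusted CA."""
    return 2 + sum(2 + len(subject_name_der(d)) for d in ca_ders)


def certificate_message_bytes(chain_ders):
    """Bytes of certificate_list in a TLS Certificate message:
    3-byte vector length plus one 3-byte-prefixed DER certificate per chain element."""
    return 3 + sum(3 + len(d) for d in chain_ders)


def estimate_server_flight(ca_bundle_text, chain_pem_text, threshold=12 * 1024):
    """Lower bound on the certificate-bearing part of the server's handshake flight when
    client certificates are requested. `threshold` is the ~12 kB figure from the thread."""
    ca_ders = pem_bundle_to_der(ca_bundle_text)
    chain_ders = pem_bundle_to_der(chain_pem_text)
    ca_list = certificate_request_ca_list_bytes(ca_ders)
    chain = certificate_message_bytes(chain_ders)
    return {"ca_count": len(ca_ders), "ca_list_bytes": ca_list, "chain_bytes": chain,
            "total_bytes": ca_list + chain, "over_threshold": ca_list + chain >= threshold}


# ---- constructed test data (not real certificates) -------------------------------------

def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed test certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name_cn(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (commonName only)."""
    atv = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def constructed_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned, structurally valid X.509 DER wrapped as PEM (test data only)."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                   # version v3
              + der(0x02, b"\x01")                                            # serialNumber
              + der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSAEncryption
              + name_cn(issuer_cn)                                            # issuer
              + der(0x30, der(0x17, b"090101000000Z") + der(0x17, b"190101000000Z"))  # validity
              + name_cn(subject_cn)                                           # subject
              + der(0x30, b""))                                               # subjectPublicKeyInfo stand-in
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))               # empty sigalg, dummy signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: script.py <ca-bundle.pem> <host-chain.pem>
        print(estimate_server_flight(open(sys.argv[1]).read(), open(sys.argv[2]).read()))
    else:                    # demo on constructed certificates
        cas = constructed_cert_pem("CA One", "CA One") + constructed_cert_pem("CA Two", "CA Two")
        print(estimate_server_flight(cas, constructed_cert_pem("host.example", "CA One")))
```

Run it against a concatenation of the installed CA hash files and the host chain the server actually sends; the useful comparison is the total with and without the CAs you are thinking of removing, since the thread shows the failure is about crossing a size threshold, not about any one CA.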
