https://issues.apache.org/bugzilla/show_bug.cgi?id=44858
Summary: Systematic SSL session renegotiation, client cert, Firefox >= 2.0.13
Product: Apache httpd-2
Version: 2.2.8
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Not quite sure if it's a bug or one hell of a feature :-)
There are two "zones" on our SSL-ized server:

SSLPassPhraseDialog builtin
SSLSessionCache "shm:/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/apache/logs/ssl_mutex"

<VirtualHost _default_:443>
    #
    # The regular, simple SSL server
    #
    DocumentRoot "/apache/htdocs"
    ServerName some.thing.org:443
    SSLEngine on
    SSLCertificateFile "/apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "/apache/conf/ssl/server.key"
    SSLCACertificateFile "/apache/conf/ssl/ca.crt"

    Alias /manual /apache/manual

    #
    # And a sub-tree with Client Cert verification
    #
    <Directory "/apache/manual">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
Since Firefox 2.0.13, the default config of the browser regarding client
certificates is "Ask every time" (that's because of
https://bugzilla.mozilla.org/show_bug.cgi?id=295922).
And that's where we get badly hit. When requesting server:443/manual/something,
we ALWAYS get an SSL renegotiation:
[info] Initial (No.1) HTTPS request received for child 2 (server
some.thing.org:443)
[debug] ssl_engine_kernel.c(426): Changed client verification (0 to 3) type
will force renegotiation
[info] Requesting connection re-negotiation
The "(0 to 3)" in the second message means "verify_old is 0 (NONE), verify is 3
(PEER_STRICT)", probably because when URL-parsing we went from / (no client
cert verification) to /manual (SSLVerifyClient require). That's just a guess.
The end result is that, for every request (except keepalive), the browser asks
"Which client certificate do you want to use?", making the user experience
quite hellish.
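The log message above names the trigger: the verification mode changes between the vhost (none) and the per-directory context (require), and mod_ssl can only apply a per-directory SSLVerifyClient by renegotiating the already-established connection. The configuration below is an added example, not the reporter's config, showing the usual way to avoid that: put the client-certificate tree in its own SSL vhost so SSLVerifyClient is set at vhost level and the certificate is requested in the initial handshake. Apache 2.2.8 has no SNI support, so the second SSL vhost needs its own IP address or port; the port 8443, the paths and the ServerName are assumed placeholders.

```apache
# Added example (not the reporter's configuration). Port, paths and
# ServerName are assumed placeholders.

SSLPassPhraseDialog builtin
SSLSessionCache "shm:/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/apache/logs/ssl_mutex"

# Zone 1: the plain SSL server, no client certificate, unchanged.
<VirtualHost _default_:443>
    ServerName some.thing.org:443
    DocumentRoot "/apache/htdocs"
    SSLEngine on
    SSLCertificateFile "/apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "/apache/conf/ssl/server.key"
</VirtualHost>

# Zone 2: the client-certificate tree on its own vhost (assumed port 8443).
# SSLVerifyClient sits at vhost level, so mod_ssl sends the CertificateRequest
# in the first handshake and never needs a per-request renegotiation.
Listen 8443
<VirtualHost _default_:8443>
    ServerName some.thing.org:8443
    DocumentRoot "/apache/manual"
    SSLEngine on
    SSLCertificateFile "/apache/conf/ssl/server.crt"
    SSLCertificateKeyFile "/apache/conf/ssl/server.key"
    SSLCACertificateFile "/apache/conf/ssl/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1

    # No SSLVerifyClient here: leaving the verification mode identical in the
    # vhost and the directory is what avoids the "(0 to 3)" change in the log.
    <Directory "/apache/manual">
        Options Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

To confirm the change took effect, connect with openssl s_client to the second port: when the server asks for a client certificate during the initial handshake, the client output lists "Acceptable client certificate CA names", and the error log should no longer show "Changed client verification" followed by "Requesting connection re-negotiation" for requests under the protected tree. With Firefox's "Ask every time" setting the browser still prompts once per new SSL session rather than once per request; the SSLSessionCacheTimeout value bounds how often a new full handshake, and thus a new prompt, occurs.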