https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
Summary: SSLVerifyClient + Directory doesn't use cache sessions
Product: Apache httpd-2
Version: 2.2.11
Platform: HP
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
1. Simple httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
<skip>
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:log/ssl_scache(512000)
SSLMutex default
<skip>
<VirtualHost 172.25.16.86:8443>
ServerAdmin [email protected]
ServerName redhat1-mp.parks.lv
DocumentRoot "/mihailp1/www-secure"
SSLEngine on
SSLCertificateKeyFile "/root/redhat1-mp-ca/redhat1-mp.key"
SSLCertificateFile "/root/redhat1-mp-ca/redhat1-mp.crt"
SSLCACertificateFile "/root/redhat1-mp-ca/redhat1-mp-ca.crt"
<Directory /mihailp1/www-secure/s>
SSLVerifyDepth 3
SSLVerifyClient require
SSLOptions +OptRenegotiate
</Directory>
ErrorLog "logs/secure-error_log"
CustomLog "logs/secure-access_log" common
</VirtualHost>
2. Simple user's auth, cert imported to browser.
3. If I access the URL https://redhat1-mp.parks.lv:8443/s/test.txt,
the browser opens a pop-up window to select which cert to use.
The problem is that the browser opens the pop-up window for every request; it doesn't use
the cache. So, I see only SET requests:
[Mon Apr 20 14:59:36 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=DA696786BAFAD9ED6DF78942C7B98C3771A4614DF693ED9DF7EB10B619419ABC timeout=299s (session caching)
The problem appears from OpenSSL 0.9.8f; here is the CHANGELOG entry:
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
4. Check the diff between 0.9.8e and 0.9.8f for
ssl_sess.c:ssl_get_prev_session(). If I copy this function from the 0.9.8e version,
Apache works as before.
5. It doesn't use SSL_CTX_set_session_id_context() in
ssl_engine_init.c:ssl_init_ctx_session_cache(), but it didn't help.
6. I have set up a test environment and can easily test a patch set.
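The CHANGELOG entry quoted above, modelled as an added Python illustration (not OpenSSL or mod_ssl code): one shared cache is consulted under a second session ID context, with the 0.9.8e rule (context compared only when SSL_VERIFY_PEER is set) beside the 0.9.8f rule (context compared on every lookup). The cache, the session records, the cipher name and the names Session, get_prev_session and demo are constructed assumptions.

```python
"""Model of the session-ID-context check from the OpenSSL 0.9.8f CHANGELOG.
Added illustration only: not OpenSSL or mod_ssl code.  The cache, the
sessions and the names Session/get_prev_session/demo are constructed here."""
from dataclasses import dataclass

SSL_VERIFY_NONE, SSL_VERIFY_PEER = 0, 1   # flag values chosen for this model


@dataclass
class Session:
    session_id: bytes
    sid_ctx: bytes      # session ID context the session was created under
    cipher: str         # ciphersuite negotiated when the session was created


def get_prev_session(cache, session_id, sid_ctx, verify_mode, strict_ctx):
    """Look up a session for resumption; None means a full handshake follows.

    strict_ctx=False models 0.9.8e: the context is compared only when the
    current connection has SSL_VERIFY_PEER set.  strict_ctx=True models
    0.9.8f and later: the context is compared on every lookup.
    """
    sess = cache.get(session_id)
    if sess is None:
        return None                      # cache MISS: no such session
    if strict_ctx or (verify_mode & SSL_VERIFY_PEER):
        if sess.sid_ctx != sid_ctx:
            return None                  # refuse reuse in a different context
    return sess


def demo():
    """One shared cache (as with SSLSessionCache shmcb) used by two contexts."""
    cache = {}
    sid = bytes.fromhex("da696786")      # constructed session id
    # Session first created in context A: no client verification, weak cipher.
    cache[sid] = Session(sid, b"ctx-A", "RC4-MD5")
    results = {}
    for label, strict in (("0.9.8e", False), ("0.9.8f", True)):
        # Context B restricts ciphersuites but does not verify the peer:
        # 0.9.8e resumes the session and carries RC4-MD5 into context B.
        hit = get_prev_session(cache, sid, b"ctx-B", SSL_VERIFY_NONE, strict)
        results[label + "/verify_none"] = hit.cipher if hit else "MISS"
        # Context B requires a client certificate: both versions refuse, and
        # each refused lookup means a full handshake followed by a new SET.
        hit = get_prev_session(cache, sid, b"ctx-B", SSL_VERIFY_PEER, strict)
        results[label + "/verify_peer"] = hit.cipher if hit else "MISS"
    # Same context on both sides: resumption is allowed even when strict.
    hit = get_prev_session(cache, sid, b"ctx-A", SSL_VERIFY_PEER, True)
    results["same_ctx"] = hit.cipher
    return results
```

Run `demo()` to see that under the strict rule a session created in one context is never a HIT in another, which is the MISS/SET pattern the report describes.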