https://issues.apache.org/bugzilla/show_bug.cgi?id=46952
--- Comment #14 from [email protected] 2010-05-13 16:25:51 EDT ---

Does anyone have an update on this issue? We hit this exact issue on both Firefox and IE when using SSLVerifyClient on a particular location directive. It is reproducible every time. Shrinking the CA size to < 200k helped for the most part, but there are still cases where we get the renegotiation error.

We are running a slightly customized build of Apache 2.2.15 and OpenSSL 0.9.8.k. The issue can be reproduced easily with the binaries on httpd.apache.org with the OpenSSL they ship as well.

Basically here is the issue. ca-bundle.crt is 253k with a hundred or so CAs in it (generated from Mozilla certdata.txt).

1. User connects to https://server/logonx509 via IE or Firefox.
2. URL is protected using this directive:

   <location logonx509>
   SSLOptions +StdEnvVars +ExportCertData
   SSLRequireSSL
   SSLVerifyClient require
   SSLVerifyDepth 10
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
   </location>

3. Firefox connects, will prompt for smartcard pin, authenticate, then fail on re-negotiation.
4. IE connects, will prompt for smartcard pin, authenticate, then fail on re-negotiation.

Shrinking CA size will greatly help, but not always. Typical error in our Apache SSL error logs is:

[Thu May 13 10:53:49 2010] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5 bytes expected to read on BIO#7d7d480 [mem: 7dd72e8]
[Thu May 13 10:53:49 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu May 13 10:53:49 2010] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?, referer: https://x.x.x.x/sessionmanager/login.jsp?back=https%3a%2f%2fx.x.x.x%2fem

I've reviewed this thread in depth and am not sure it resolves all of the issues. Any help appreciated here.
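For triage across a larger error log, the following added example (not part of the original comment and not Apache project code) pairs each "Re-negotiation handshake failed" error with the OpenSSL debug lines logged in the same second and reports the handshake state that was being read. It assumes LogLevel debug and the Apache 2.2 error_log layout shown above; same-second matching is a heuristic, and the function name and sample log are constructed for illustration.

```python
import re

# Apache 2.2 error_log layout: [timestamp] [level] [client addr] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
STATE_RE = re.compile(r"OpenSSL: Exit: error in (?P<state>.+)$")
RENEG_FAIL = "Re-negotiation handshake failed"

# Constructed sample: the three lines quoted in the comment (referer dropped),
# preceded by one constructed debug line from an earlier, unrelated second.
SAMPLE_LOG = """\
[Thu May 13 10:53:40 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read finished A
[Thu May 13 10:53:49 2010] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5 bytes expected to read on BIO#7d7d480 [mem: 7dd72e8]
[Thu May 13 10:53:49 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu May 13 10:53:49 2010] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
""".splitlines()


def find_reneg_failures(lines):
    """Pair each renegotiation failure with same-second OpenSSL debug lines."""
    debug_by_ts = {}   # timestamp -> OpenSSL debug messages seen in that second
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue   # not an error_log line in the expected layout
        if m["level"] == "debug" and "OpenSSL:" in m["msg"]:
            debug_by_ts.setdefault(m["ts"], []).append(m["msg"])
        elif m["level"] == "error" and RENEG_FAIL in m["msg"]:
            context = debug_by_ts.get(m["ts"], [])
            states = [s["state"] for s in map(STATE_RE.search, context) if s]
            failures.append({
                "ts": m["ts"],
                "client": m["client"],
                # Last handshake state OpenSSL reported before the failure
                "state": states[-1] if states else None,
                # True when the client dropped or stalled the connection mid-read
                "io_error": any("I/O error" in c for c in context),
            })
    return failures


if __name__ == "__main__":
    for f in find_reneg_failures(SAMPLE_LOG):
        print(f["ts"], f["client"], f["state"], "io_error=%s" % f["io_error"])
```

Grouping the returned records by "state" shows whether every failure stops while the server is waiting for the client certificate, as in the lines quoted above, or whether some fail elsewhere in the handshake.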
