Stefan Fritsch wrote:
On Tuesday 10 November 2009, Jean-Marc Desperrier wrote:
[ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ]
First there's the short SSLSessionCacheTimeout problem :
https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23
[...] If they actually are renegotiations caused by SSLSessionCacheTimeout, [...], this means this was already broken in some way before, but it used to be of little consequence and will now be a huge problem.

Second there's the SSLVerifyClient optional problem :
https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c21
[...] what this comment reports is that simply having SSLVerifyClient optional set, [...], will cause renegotiation to happen and therefore sites to break when TLS renegotiation is disabled.

I cannot reproduce the problems. With an openssl that rejects all
renegotiations, both reconnections after ssl session timeout and
connections to a host with sslverifyclient optional work fine (with
openssl s_client).

Thank you for your interest in that problem.

One thing still: everyone who uses client certificate authentication knows that there are many Apache configurations around that will force the user to repeatedly reauthenticate himself for apparently no good reason.

It's hard to believe the explanation is only that all of the concerned sites forgot to activate the "session resume" option. SSLVerifyClient and SSLSessionCacheTimeout forcing unnecessary renegotiation did seem like a very plausible alternative explanation.

This fact is the very reason why the vilified "remember client certificate" option is there in Firefox 3.5 (it wasn't there in 3.0); there is a large number of bugs open on the subject in their Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=510820
https://bugzilla.mozilla.org/show_bug.cgi?id=453802
https://bugzilla.mozilla.org/show_bug.cgi?id=428744
https://bugzilla.mozilla.org/show_bug.cgi?id=474445
https://bugzilla.mozilla.org/show_bug.cgi?id=395399
https://bugzilla.mozilla.org/show_bug.cgi?id=32010

I'll try to find out more about this. With so many users reporting that problem, there should be a way to get some more detailed info about what causes it, and whether it is related to erroneous renegotiation or not.
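Editor's note, an added example that is not part of either message above: the one documented way in which `SSLVerifyClient optional` does force a renegotiation is placing it in a per-directory context (`<Location>`/`<Directory>`), because mod_ssl completes the initial handshake with the virtual host's settings and only discovers the stricter per-location requirement once it has read the request. The fragment below contrasts that layout with the equivalent one that asks for the certificate in the initial handshake. Host name, file paths and the `/secure` path are assumptions; the two virtual hosts are alternatives and must not be loaded together. The session-cache side is a different mechanism: an expired `SSLSessionCacheTimeout` entry forces a full new handshake on the next connection, not a renegotiation inside an existing one.

```apache
# Added example, not configuration from the thread. Host name, paths and
# the /secure location are assumptions chosen for illustration.

# (a) Per-directory context: the initial handshake requests no client
#     certificate. When a request for /secure arrives, mod_ssl has to
#     renegotiate to obtain one, which logs "Requesting connection
#     re-negotiation" at LogLevel debug and fails outright once the
#     underlying OpenSSL refuses renegotiation.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt

    <Location /secure>
        SSLVerifyClient optional
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# (b) Virtual-host context: the CertificateRequest is part of the
#     initial handshake, so no second handshake is needed. Per-URL
#     policy is then expressed with SSLRequire on SSL_CLIENT_VERIFY
#     (which is "NONE" when no certificate was sent and "SUCCESS" when
#     one was sent and verified), rather than by changing the verify
#     mode per location. SSLVerifyDepth is kept at the same level for
#     the same reason: a per-directory change of depth also triggers
#     renegotiation.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth  2
    SSLOptions +StdEnvVars

    <Location /secure>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>

# To find out which case a running server is in, raise the log level
# and grep the SSL error log for "Requesting connection re-negotiation"
# while requesting the protected path.
LogLevel debug
```

Layout (b) still prompts the browser for a certificate on every new TLS session unless session resumption works, which is the "session resume" question raised above; it simply avoids the renegotiation that disappears with OpenSSL 0.9.8l.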
