Jean-Marc Desperrier wrote:
> Everyone who uses client certificate authentication knows that there are
> many apache configurations around that will force the user to repeatedly
> reauthenticate himself for apparently no good reason.
> It's hard to believe the explanation is only that all of the concerned
> sites forgot to activate the "session resume" option.
> SSLVerifyClient and SSLSessionCacheTimeout forcing unnecessary
> renegotiation did seem like a very plausible alternative explanation.
> [...]
> I'll try to find out more about this; with so many users reporting that
> problem, there should be a way to get some more detailed info about what
> causes it, and whether it's related to erroneous renegotiation or not.
Ok, so in fact I have one apache instance available locally with a
problem of this kind. It's configured to not require client
authentication by default, but to require it on the /authentication URL.
So what truly happens is that after firefox does a request to
/authentication, mod_ssl does renegotiation 6 times in a row for
apparently no reason.
An interesting point is that firefox is *not* reusing the ssl session in
that case; for some reason it sends a SessionID of 0 after the "Hello
Request" from the server. I'll forward that to the NSS team, because if
that behavior continues, it will be no use to implement the IETF draft
for secure renegotiation, it will fail all the same.
In that specific case, there's not much useful to learn: we get several
re-authentications where only one was needed, but after that it's OK, no
more needless renegotiation requests. But I hear that in some
configurations there's a reauthentication every time the user requests a
resource. I'll check if I can find out more, and whether it's just a case of
SSLSessionCache not being enabled.
Here's the wireshark captured exchange between the client and server;
note that "Hello Request" always *immediately* follows the end of the
renegotiation. This is with Apache 2.2.11/OpenSSL 0.9.8i (not a
production server):
217 19:30:50.745606 client_ip server_ip HTTP GET /authentication/ HTTP/1.1
218 19:30:50.747473 server_ip client_ip TLSv1 Hello Request
219 19:30:50.747896 client_ip server_ip TLSv1 Client Hello
220 19:30:50.749114 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
257 19:30:59.267340 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
259 19:30:59.288262 server_ip client_ip TLSv1 Change Cipher Spec, Finished
260 19:30:59.289066 server_ip client_ip TLSv1 Hello Request
262 19:30:59.289511 client_ip server_ip TLSv1 Client Hello
263 19:30:59.290741 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
282 19:31:07.747697 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
284 19:31:07.768765 server_ip client_ip TLSv1 Change Cipher Spec, Finished
285 19:31:07.769681 server_ip client_ip TLSv1 Hello Request
287 19:31:07.770128 client_ip server_ip TLSv1 Client Hello
288 19:31:07.771261 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
309 19:31:12.237699 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
311 19:31:12.258634 server_ip client_ip TLSv1 Change Cipher Spec, Finished
312 19:31:12.259583 server_ip client_ip TLSv1 Hello Request
314 19:31:12.260044 client_ip server_ip TLSv1 Client Hello
315 19:31:12.261187 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
441 19:31:17.613690 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
443 19:31:17.634661 server_ip client_ip TLSv1 Change Cipher Spec, Finished
444 19:31:17.635574 server_ip client_ip TLSv1 Hello Request
446 19:31:17.636005 client_ip server_ip TLSv1 Client Hello
447 19:31:17.638787 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
467 19:31:21.725473 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
469 19:31:21.746555 server_ip client_ip TLSv1 Change Cipher Spec, Finished
470 19:31:21.747127 server_ip client_ip TLSv1 Hello Request
472 19:31:21.747552 client_ip server_ip TLSv1 Client Hello
473 19:31:21.748911 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
507 19:31:37.237284 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
509 19:31:37.258081 server_ip client_ip TLSv1 Change Cipher Spec, Finished
510 19:31:37.260057 server_ip client_ip HTTP HTTP/1.1 200 OK (text/html)
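As an added example (not from the original post), here is a small Python check that reads a one-packet-per-line wireshark/tshark summary like the one above and reports, per HTTP request, how many server-initiated renegotiations happened and how many of them were full handshakes that re-requested the client certificate rather than session resumptions. The summary line layout (frame, time, src, dst, protocol, info) and the sample capture are assumptions constructed for the example.

```python
import re

# Constructed sample in the summary layout shown above (not the poster's capture):
# one GET, then two Hello Requests; the first renegotiation is a full handshake
# re-requesting the client certificate, the second an abbreviated resumption.
SAMPLE = """\
217 19:30:50.745606 client_ip server_ip HTTP GET /authentication/ HTTP/1.1
218 19:30:50.747473 server_ip client_ip TLSv1 Hello Request
219 19:30:50.747896 client_ip server_ip TLSv1 Client Hello
220 19:30:50.749114 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
257 19:30:59.267340 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
259 19:30:59.288262 server_ip client_ip TLSv1 Change Cipher Spec, Finished
260 19:30:59.289066 server_ip client_ip TLSv1 Hello Request
262 19:30:59.289511 client_ip server_ip TLSv1 Client Hello
263 19:30:59.290741 server_ip client_ip TLSv1 Server Hello, Change Cipher Spec, Finished
264 19:30:59.291500 client_ip server_ip TLSv1 Change Cipher Spec, Finished
265 19:30:59.292900 server_ip client_ip HTTP HTTP/1.1 200 OK (text/html)
"""

# frame, time, src, dst, protocol, then the free-form info column
LINE = re.compile(r"^\d+\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def renegotiation_report(text):
    """Per HTTP request: Hello Requests sent by the server, full handshakes
    (Server Hello Done seen), those that re-requested the client cert, resumptions."""
    reports, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _src, _dst, proto, info = m.groups()
        if proto == "HTTP" and not info.startswith("HTTP/"):
            cur = {"request": info, "hello_requests": 0, "full": 0,
                   "cert_requests": 0, "resumed": 0}
            reports.append(cur)
        elif cur is None or proto != "TLSv1":
            continue
        elif info == "Hello Request":
            cur["hello_requests"] += 1
        elif info.startswith("Server Hello"):
            if "Server Hello Done" in info:
                cur["full"] += 1
                cur["cert_requests"] += int("Certificate Request" in info)
            else:
                cur["resumed"] += 1
    return reports

def needless_reauth(report):
    """True when a single request cost more than one client-certificate handshake."""
    return report["cert_requests"] > 1
```

Run against the capture above, the report shows six Hello Requests and six full client-certificate handshakes for one GET, which is exactly the pattern the thread is about.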