On Mon 16 Nov 2009, Jean-Marc Desperrier wrote:
> Here's the wireshark captured exchange between the client and server,
> note that "Hello Request" always *immediately* follows the end of the
> renegotiation. This is with Apache 2.2.11/Openssl 0.9.8i (not a
> production server) :
>
> 217 19:30:50.745606 client_ip server_ip HTTP GET /authentication/ HTTP/1.1
> 218 19:30:50.747473 server_ip client_ip TLSv1 Hello Request
> 219 19:30:50.747896 client_ip server_ip TLSv1 Client Hello
> 220 19:30:50.749114 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
> 257 19:30:59.267340 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
> 259 19:30:59.288262 server_ip client_ip TLSv1 Change Cipher Spec, Finished
> 260 19:30:59.289066 server_ip client_ip TLSv1 Hello Request
> 262 19:30:59.289511 client_ip server_ip TLSv1 Client Hello
> ...
> 510 19:31:37.260057 server_ip client_ip HTTP HTTP/1.1 200 OK (text/html)

I have noticed something similar. Don't know if it applies to you.

If your /authentication/ is a resource that generates a directory listing via mod_autoindex, then Apache issues a subrequest for each directory entry. Now, if only /authentication/ requires a client certificate but the VHost or base server does not, then each entry leads to a renegotiation.

Correct me if I am wrong, but that is how I have explained the behavior for me.

Torsten

--
Need professional mod_perl support? Just hire me: torsten.foert...@gmx.net
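
An added example, not part of the original thread: a small parser for capture summary lines in the layout quoted above, which lists every server-sent Hello Request, how long the handshake it starts takes, and how soon it follows the previous server Finished. The names CAPTURE, parse and renegotiations are this example's own; it measures the pattern and does not identify its cause.

```python
import re
from datetime import datetime

# The first eight frames quoted in the message above, one per line
# (frame number, time, source, destination, protocol, info).
CAPTURE = """\
217 19:30:50.745606 client_ip server_ip HTTP GET /authentication/ HTTP/1.1
218 19:30:50.747473 server_ip client_ip TLSv1 Hello Request
219 19:30:50.747896 client_ip server_ip TLSv1 Client Hello
220 19:30:50.749114 server_ip client_ip TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
257 19:30:59.267340 client_ip server_ip TLSv1 Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
259 19:30:59.288262 server_ip client_ip TLSv1 Change Cipher Spec, Finished
260 19:30:59.289066 server_ip client_ip TLSv1 Hello Request
262 19:30:59.289511 client_ip server_ip TLSv1 Client Hello
"""

ROW = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse(text):
    """Turn summary lines into (frame, time, src, dst, proto, info) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # skip blank lines and elisions such as "..."
            no, ts, src, dst, proto, info = m.groups()
            rows.append((int(no), datetime.strptime(ts, "%H:%M:%S.%f"), src, dst, proto, info))
    return rows

def renegotiations(rows, server="server_ip"):
    """One dict per server-sent Hello Request, with timing of the handshake it starts."""
    found, open_reneg, last_finished = [], None, None
    for no, ts, src, _dst, _proto, info in rows:
        if src != server:
            continue
        if info == "Hello Request":
            gap = (ts - last_finished).total_seconds() if last_finished is not None else None
            open_reneg = {"request_frame": no, "start": ts, "done_frame": None,
                          "seconds": None, "gap_after_previous": gap}
            found.append(open_reneg)
        elif info.endswith("Finished"):
            last_finished = ts
            if open_reneg is not None and open_reneg["done_frame"] is None:
                open_reneg["done_frame"] = no
                open_reneg["seconds"] = (ts - open_reneg["start"]).total_seconds()
    return found

if __name__ == "__main__":
    for r in renegotiations(parse(CAPTURE)):
        print(r["request_frame"], r["done_frame"], r["seconds"], r["gap_after_previous"])
```

A count of renegotiations that matches the number of entries in the directory listing would be consistent with the mod_autoindex subrequest explanation above.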