On Wed, Mar 03, 1999, Mats Josefsson wrote:
> In an earlier message I wrote:
> >
> > I can't get the mod_ssl session cache to work when I use a client based
> > on iSaSiLk (SSL in Java, from tu-graz). Any tips would be appreciated.
>
> I have investigated further and (with help from Wolfgang Platzer) come
> to the conclusion that the fault is with Apache/mod_ssl. It doesn't send
> the close_notify alert message before closing the connection. This means
> that iSaSiLk will (as specified in the spec) mark the session as
> unresumable and it will not try to reuse the session later.
>
> As I said before, our Netscape server does it correctly and thus session
> reuse works.

Hmmm... I cannot see this behaviour:

| rse@en1:/u/rse
| :> openssl s_client -connect en1:8443 -state
| CONNECTED(00000003)
| SSL_connect:before/connect initialization
| SSL_connect:SSLv2/v3 write client hello A
| SSL_connect:SSLv3 read server hello A
| [...]
| GET / HTTP/1.0
|
| HTTP/1.1 200 OK
| Date: Wed, 03 Mar 1999 10:30:06 GMT
| Server: Apache/1.3.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.2
| Last-Modified: Sun, 15 Nov 1998 15:19:52 GMT
| [...]
| </BLOCKQUOTE>
| </BODY>
| </HTML>
| read:errno=0
| SSL3 alert write:warning:close notify
| rse@en1:/u/rse
| :>

As far as I know the internals of our s_client, the warning clearly indicates
that no more writes can be done because the server sent the close notify
message. Or am I wrong here?

Can you give me a URL of a Netscape server where I can look at the responses
of such a beast in contrast to Apache+mod_ssl? Or at least show me the
difference between a connect with ``s_client -state -debug'' to both the
Apache+mod_ssl and the Netscape server.

I've also checked my source. There is only one location where I force OpenSSL
to not send the message. And yes, it's actually in the standard situation. The
reason for this was, if I remember correctly, that Eric Young a few months
ago in a private conversation said to me that sending out the close notify
message in this situation confuses some IE3 browsers (they _display_ the
message!) and so it's recommended to not send it. I've not checked this again
with the latest browsers, but perhaps we now can change it. You can try it out
yourself: In ssl_engine_kernel.c, function ssl_hook_CloseConnection(), change

    SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);

to

    SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);

and try again. Then the close notify should really be sent.

Please give me feedback about your results...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
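
The comparison asked for above comes down to reading the alert lines in `s_client -state` output. The following is an added example, not part of the original message or of mod_ssl/OpenSSL: it extracts those lines and reports which side sent close_notify, relying on s_client printing `alert read` for an alert received from the peer and `alert write` for one it sent itself. The function names are made up for illustration, and the second sample transcript is constructed.

```python
import re

# Alert lines printed by `openssl s_client -state` have the form
#   SSL3 alert <read|write>:<level>:<description>
# A leading "| " (as in the quoted session) is tolerated.
ALERT_RE = re.compile(r"^\W*SSL3 alert (read|write):(\w+):(.+?)\s*$")

# Tail of the session quoted in the message above.
PAGE_TAIL = """\
| </HTML>
| read:errno=0
| SSL3 alert write:warning:close notify
"""

# Constructed sample: what the tail looks like when the peer's
# close_notify arrives before s_client sends its own.
CONSTRUCTED_TAIL = """\
</HTML>
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify
"""


def alerts(transcript):
    """Return (direction, level, description) for every alert line."""
    found = []
    for line in transcript.splitlines():
        m = ALERT_RE.match(line)
        if m:
            found.append(m.groups())
    return found


def close_notify_report(transcript):
    """Report which side sent close_notify, as seen by s_client.

    direction 'read'  -> alert received from the server
    direction 'write' -> alert sent by s_client itself
    """
    seen = {d for d, _, desc in alerts(transcript) if desc == "close notify"}
    return {"server_sent": "read" in seen, "client_sent": "write" in seen}


if __name__ == "__main__":
    for name, text in (("page", PAGE_TAIL), ("constructed", CONSTRUCTED_TAIL)):
        print(name, close_notify_report(text))
```

Running both servers' transcripts through `close_notify_report` gives a direct side-by-side answer to whether each one sends the alert before closing.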