Hi all,
I'm posting this message to report a problem I've had with
Linux RedHat 6.0
Apache 1.3.9
OpenSSL 0.9.4
ModSSL 2.4.6
but I have never seen it on the list or in the FAQ.
When I access a location with the
SSLClientVerify require
directive, the browser continues to ask me for a certificate for every object loaded from that location (HTML frames, images, ...).
The log file [trace] states "Changed client verification type will force full renegotiation......."
But this was changed only for the first access request.
I mean, if the directory is the same, subsequent access requests have the same verification type.
Take a look at the source code:
In pkg.sslmod/ssl_engine_kernel.c, function ssl_hook_Access, in the per-directory stuff, there is a check between nVerify and nVerifyOld to test whether the directory configuration has changed, in order to decide whether to force a (full/quick) renegotiation or not.
If the full renegotiation is forced, then a default value for ssl->verify_mode is set and the nVerifyOld technique is gone, because there is no way to retrieve the real old verification mode.
If I try to force the quick renegotiation option with the
SSLOptions .... +OptRenegotiate
directive, the quick renegotiation fails, as I've already posted, with the message
"Cannot find peer certificate chain".
To solve the problem I've added a verify_mode field to the SSL_SESSION structure and patched my source code with a function that updates the session cache entry with the changed value of verify_mode.
Unfortunately, I don't have the full patch description here because I made the changes without taking notes, and now I'm trying to rebuild the work.
However, I will post it as soon as possible, because I would like someone to tell me whether this is a good solution or not.
Please, if you notice that the problem or the solution is different, reply to the list.
Thank you in advance for your help.
Paolo Di Martino
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]