Paolo Di Martino wrote:
> Hi all,
>
> I post this message to show a problem I've had with
>
> Linux RedHat 6.0
> Apache 1.3.9
> OpenSSL 0.9.4
> ModSSL 2.4.6
>
> but I never saw it on the list nor on the FAQ.
>
> When I access to some location with
>
> SSLClientVerify require
>
> directive, the browser continues to ask me for a certificate for every
> object loaded from the location (html frames, images.....).
>
> The log file [trace] states "Changed client verification type will
> force full renegotiation.......
> But this was changed only for the first access request.
> I mean, if the directory is the same, next access requests have the
> same verification type.
>
> Take a look at the source code:
> In pkg.sslmod/ssl_engine_kernel.c function ssl_hook_Access, in the
> per-directory stuff there is a check between nVerify and nVerifyOld
> to test if the directory configuration is changed in order to decide
> if it is the case to force a (full-quick) renegotiation or not.
>
> If the full renegotiation is forced, then a default value for the
> ssl->verify_mode is set and the nVerifyOld technique is gone because
> there is no way to retrieve the real old verification mode.
>
> If I try to force the quick renegotiation option with the
>
> SSLOptions .... +OptRenegotiate
>
> directive, the quick renegotiation fails as I've already posted, with
> the message
>
> "Cannot find peer certificate chain".
>
> To solve the problem I've added a verify_mode field in the SSL_SESSION
> structure and patched my source code with a function that updates the
> session cache entry with the changed value of verify_mode.
>
> Unfortunately, I haven't the full patch description here because I
> make things without taking notes and now I'm trying to rebuild the work.
> However, I will post it as soon as possible because I wish someone to
> tell me if this is a good solution or not.
>
> Please, if you notice that the problem or the solution is another,
> reply to the list.
>
> Thank you in advance for your help
>
> Paolo Di Martino
1) The subject isn't appropriate: it should be "New connections always make
nVerify != nVerifyOld"
2) The real problem was:
a) After downloading an HTML page from the server, the connection is
always closed (until here I guess it's ok)
b) Opening a new connection sets the nVerify to the default value,
losing the previous connection's saved value
c) so I need to find a location where to save and _update_ this value
for the entire session.
My first thought is to take care of it inside the SSL_Session_cache.
But to do this I changed some OpenSSL source files too.
Maybe I should talk with them too?
Is this wrong?
Can you address me to another solution?
Patch follows
Index: ssl.h
file: openssl-0.9.4/ssl/ssl.h
Version openssl: 0.9.4
@@ -255,3 +255,4 @@
long time;
+ int real_verify_mode;
int compress_meth; /* Need to lookup the method */
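Review bot: adding `int real_verify_mode` to `SSL_SESSION` changes the layout of a public OpenSSL structure, so everything compiled against the stock 0.9.4 headers (other Apache modules, the openssl binary, anything else linking libssl) must be rebuilt or it will read `compress_meth` and the fields after it at the wrong offsets; this is exactly the kind of change that belongs upstream rather than in a local patch, as the mail already suspects. At minimum the field needs a comment saying what it holds ("verify mode last applied to this session by the application"), since nothing in the library itself sets or uses it.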
Index: ssl_asn1.c
file: openssl-0.9.4/ssl/ssl_asn1.c
Version openssl: 0.9.4
@@ -75,2 +75,3 @@
ASN1_INTEGER timeout;
+ ASN1_INTEGER real_verify_mode;
} SSL_SESSION_ASN1;
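Review bot: declaring `real_verify_mode` as a plain `ASN1_INTEGER` member of `SSL_SESSION_ASN1` makes it a mandatory element of the serialized session, which is also the on-disk format of mod_ssl's dbm session cache; entries written before the patch, or by an unpatched server sharing the same cache file, will no longer decode and every one of those sessions will be dropped. Consider an optional, explicitly tagged element, mirroring how `session_id_context` is handled with the `M_ASN1_*_EXP_opt` macros later in this file, so that old encodings stay readable and the field falls back to `SSL_VERIFY_NONE` when absent.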
@@ -82,3 +82,3 @@
unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
- unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2];
+ unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
long l;
@@ -158,2 + 158,8
+ a.real_verify_mode.length=LSIZE2;
+ a.real_verify_mode.type=V_ASN1_INTEGER;
+ a.real_verify_mode.data=ibuf5;
+ ASN1_INTEGER_set(&(a.real_verify_mode),in->real_verify_mode);
+
M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
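Review bot: the hunk header `@@ -158,2 + 158,8` (and several of the headers that follow) is not valid unified-diff syntax: the space after `+` and the missing closing `@@` will make `patch` reject the file, so regenerate the patch with `diff -u` instead of editing headers by hand. On the content: `in->real_verify_mode` is serialized here, but nothing in the patch initialises the new field when a session is created, so unless `SSL_SESSION_new` zeroes the whole structure the first encode of a fresh session writes an indeterminate value that a later `d2i_SSL_SESSION` hands back to `ssl_hook_Access` as `nVerifyOld`.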
@@ -172,3 +172,4
M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
+ M_ASN1_I2D_len(&(a.real_verify_mode), i2d_ASN1_INTEGER);
M_ASN1_I2D_seq_total();
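Review bot: the new `M_ASN1_I2D_len` call is placed unconditionally right after the optional `session_id_context` element, so the length computation must stay in exactly the same position as the `M_ASN1_I2D_put` in the following hunk and the `M_ASN1_D2I_get` on the decode side; it does in this patch, but a comment at this line ("position must match i2d put and d2i_SSL_SESSION") would stop a future reorder from silently producing cache entries that decode into the wrong fields.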
@@ -189,3 +189,4
M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
v4);
+ M_ASN1_I2D_put(&(a.real_verify_mode), i2d_ASN1_INTEGER);
M_ASN1_I2D_finish();
@@ -198,2 +198,3
int version,ssl_version=0,i;
+ int real_verify_mode;
long id;
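Review bot: the local `int real_verify_mode` is a one-statement temporary whose name is identical to the struct member it feeds; assigning `(int)ASN1_INTEGER_get(aip)` straight to `ret->real_verify_mode` in the later hunk reads more clearly and removes the chance of the local being used where the member was meant.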
@@ -323,3 + 323,8
ret->sid_ctx_length=0;
+ M_ASN1_D2I_get(aip,d2i_ASN1_INTEGER);
+ real_verify_mode=(int)ASN1_INTEGER_get(aip);
+ ret->real_verify_mode=real_verify_mode;
+ if (ai.data != NULL) { Free(ai.data); ai.data=NULL;
ai.length=0; }
+
M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
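Review bot: the decoded value is stored without any range check: `(int)ASN1_INTEGER_get(aip)` is whatever the cache entry says, and `ssl_hook_Access` later uses it as `nVerifyOld` to decide whether client-certificate verification has to be redone. Data read back from a shared dbm or shm cache should not be trusted to be a well-formed verify mode; reject the entry through the function's existing error path, or at least mask it to the `SSL_VERIFY_*` bits, before assigning to `ret->real_verify_mode`, so that a corrupt or foreign entry can never make the server believe a strict mode is already in force and skip a required renegotiation. Casting the `long` from `ASN1_INTEGER_get` to `int` without checking it also belongs in that validation.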
Index: ssl_engine_kernel.c
file: mod_ssl-2.4.6-1.3.9/pkg.sslmod/ssl_engine_kernel.c
Version mod_ssl: 2.4.6
@@ -823,6 +823,6 @@
if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
/* remember old state */
- nVerifyOld = SSL_get_verify_mode(ssl);
+ nVerifyOld = ssl->session->real_verify_mode;
/* configure new state */
nVerify = SSL_VERIFY_NONE;
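Review bot: `ssl->session->real_verify_mode` is dereferenced with no check that `ssl->session` is non-NULL, whereas `SSL_get_verify_mode(ssl)`, which this line replaces, only needed the `SSL` object; guard it and fall back to `SSL_get_verify_mode(ssl)` when there is no session. The comment "remember old state" should also be updated: the old state now comes from the session, i.e. from the mode last applied on whichever earlier connection resumed this session, not from the current connection, which is the whole point of the change and deserves to be stated at the line.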
@@ -1075,3 +1075,7 @@
#endif
+ if(dc->nVerifyClient!=SSL_CVERIFY_UNSET){
+ ssl->session->real_verify_mode=nVerify;
+ ssl_UpdateSessionCacheEntry(ssl,ssl->session);
+ }
return rc;
}
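Review bot: the verify mode is written into the session and pushed to the cache before `return rc` regardless of what `rc` is, so when the renegotiation that `nVerify != nVerifyOld` triggered has failed (the "Cannot find peer certificate chain" case in the mail) the session still records the stricter mode; the next request on a connection that resumes it then sees `nVerify == nVerifyOld` and skips the renegotiation, which is the only step in this function that actually enforces the new mode. Update the session only after the handshake has succeeded (`rc == OK`) and only when the mode actually changed, which also avoids an `ssl_scache_remove`/`ssl_scache_store` round trip on every single request. `ssl_UpdateSessionCacheEntry` also needs a prototype visible at this call site, since its definition is added at the end of the file.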
@@ -1691,1 +1691,42
+int ssl_UpdateSessionCacheEntry(SSL *ssl, SSL_SESSION *pNew)
+{
+ conn_rec *conn;
+ server_rec *s;
+ SSLSrvConfigRec *sc;
+ long t;
+ BOOL rc;
+
+ /*
+ * Get Apache context back through OpenSSL context
+ */
+ conn = (conn_rec *)SSL_get_app_data(ssl);
+ s = conn->server;
+ sc = mySrvConfig(s);
+
+ ssl_scache_remove(s,pNew);
+
+ /*
+ * Store the SSL_SESSION in the inter-process cache with the
+ * same expire time, so it expires automatically there, too.
+ */
+ t = (SSL_get_time(pNew) + sc->nSessionCacheTimeout);
+ rc = ssl_scache_store(s, pNew, t);
+
+ /*
+ * Log this cache operation
+ */
+ ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
+ "request=SET status=%s id=%s timeout=%ds (session caching)
+",
+ rc == TRUE ? "OK" : "BAD",
+ ssl_scache_id2sz(pNew->session_id,
pNew->session_id_length),
+ t-time(NULL));
+
+ /*
+ * return 0 which means to OpenSSL that the pNew is still
+ * valid and was not freed by us with SSL_SESSION_free().
+ */
+ return 0;
+}
+
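Review bot: the closing comment and `return 0` are copied from the `ssl_callback_NewSessionCacheEntry` contract, but this function is not an OpenSSL callback, it is called directly from `ssl_hook_Access`, so the caller currently learns nothing when the cache store fails; return `rc` (or `TRUE`/`FALSE`) and let the caller log or deny. Three smaller points in the same hunk: the string literal ending in `(session caching)` is split across a line that contains only `+`, which will not compile as posted (probably mail wrapping, but check the real file); `t-time(NULL)` is a `long` printed with `%d`; and between `ssl_scache_remove` and `ssl_scache_store` other server processes see no entry for this id at all, so a concurrent request falls back to a full handshake. If `ssl_scache_store` already overwrites an existing id, the remove is unnecessary and that window disappears.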
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
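As an added illustration, not taken from the mail or from the mod_ssl/OpenSSL sources, the following C model shows the decision the thread is about: a verify mode kept on the connection resets with every new TCP connection, so comparing the directory's required mode against it always reports "changed" and forces a renegotiation, whereas a mode kept on the resumed session makes the comparison stable across connections. It goes a little beyond the mail by including the two checks a reviewer would ask for: a mode read back from the cache is validated against the known `SSL_VERIFY_*` bits, and the session is only updated after the renegotiation that enforced the mode succeeded. The `session`/`conn` structures, the cache, and all function names are invented for the example; only the `SSL_VERIFY_*` bit values are OpenSSL's.

```c
/* Added example: model of the per-connection vs. per-session verify-mode
 * comparison from the mod_ssl thread.  Names below are hypothetical except
 * the SSL_VERIFY_* values, which are OpenSSL's. */
#include <stdio.h>
#include <string.h>

#define SSL_VERIFY_NONE                 0x00
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE          0x04
#define VERIFY_KNOWN_BITS (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | \
                           SSL_VERIFY_CLIENT_ONCE)

/* Hypothetical cache entry: session id plus the mode last enforced on it
 * (the thread's "real_verify_mode"). */
struct session { char id[9]; int real_verify_mode; };

/* Hypothetical connection: every new TCP connection starts with the default
 * verify mode and may resume a cached session. */
struct conn { int verify_mode; struct session *sess; };

#define CACHE_SLOTS 4
static struct session cache[CACHE_SLOTS];   /* constructed in-memory cache */

static struct session *cache_lookup(const char *id) {
    int i;
    for (i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].id[0] != '\0' && strcmp(cache[i].id, id) == 0)
            return &cache[i];
    return NULL;
}

static struct session *cache_store(const char *id) {
    int i;
    for (i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].id[0] == '\0') {
            strncpy(cache[i].id, id, sizeof cache[i].id - 1);
            cache[i].id[sizeof cache[i].id - 1] = '\0';
            cache[i].real_verify_mode = SSL_VERIFY_NONE;
            return &cache[i];
        }
    return NULL;
}

/* Open a new connection resuming `id`; create the session if unknown. */
struct conn open_conn(const char *id) {
    struct conn c;
    c.verify_mode = SSL_VERIFY_NONE;           /* default on every new connection */
    c.sess = cache_lookup(id);
    if (c.sess == NULL) c.sess = cache_store(id);
    return c;
}

/* Connection-scoped comparison: the behaviour the mail reports. */
int needs_renegotiation_per_conn(const struct conn *c, int required) {
    return required != c->verify_mode;
}

/* Session-scoped comparison: the patch's intent. */
int needs_renegotiation_per_session(const struct conn *c, int required) {
    int old = c->sess ? c->sess->real_verify_mode : c->verify_mode;
    return required != old;
}

/* A mode read back from the cache must only contain known bits. */
int valid_verify_mode(int mode) {
    return (mode & ~VERIFY_KNOWN_BITS) == 0;
}

/* Record the mode only after the renegotiation enforcing it succeeded;
 * returns 1 if the session entry was actually updated. */
int record_verify_mode(struct conn *c, int mode, int handshake_ok) {
    if (!handshake_ok || c->sess == NULL || !valid_verify_mode(mode))
        return 0;
    if (c->sess->real_verify_mode == mode)
        return 0;                               /* nothing to write back */
    c->sess->real_verify_mode = mode;
    c->verify_mode = mode;
    return 1;
}

/* The thread's scenario: a frame, then an image, each on a fresh connection
 * resuming the same session, under "SSLVerifyClient require".  Returns how
 * many renegotiations were forced. */
int count_renegotiations(int per_session, int handshake_ok) {
    const int required = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    int count = 0, i;
    memset(cache, 0, sizeof cache);
    for (i = 0; i < 2; i++) {
        struct conn c = open_conn("sess0001");
        int changed = per_session ? needs_renegotiation_per_session(&c, required)
                                  : needs_renegotiation_per_conn(&c, required);
        if (changed) {
            count++;
            record_verify_mode(&c, required, handshake_ok);
        }
    }
    return count;
}

int main(void) {
    printf("per-connection tracking:  %d renegotiations\n", count_renegotiations(0, 1));
    printf("per-session tracking:     %d renegotiation(s)\n", count_renegotiations(1, 1));
    printf("per-session, failed handshake: %d renegotiations\n", count_renegotiations(1, 0));
    return 0;
}
```

With connection-scoped tracking the second object triggers a second renegotiation (and a second certificate prompt); with session-scoped tracking it does not. The third run shows why recording must wait for a successful handshake: a failed renegotiation leaves the session at its old mode, so the next request is challenged again instead of being let through on a mode that was never enforced.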