>> Regarding our trouble with two-way authentication; it seems that the server
>> sometimes freezes, or that it sometimes insists on asking for the user
>> certificate (re-negotiation) on every request. There are some keep-alive
>> problems as well. I really haven't figured out what causes this, so it might
>> be something un-related to the web server, or perhaps it's just me goofing
>> it up ;-)

> This could have something to do with session caching and browser "features".
> The "server freezes" is usually seen with Netscape Navigator - but that is
> purely browser related, and will happen with all SSL servers requiring
> client certs. Having to present the certificate for every request is usually
> because session caching is failing - maybe you have SSLSessionCache none
> instead of one of the shared memory based. If the having to re-negotiate
> certs is after 1-2 minutes, then it could be the client that has timed out
> the session (an MSIE feature). For keepalive trouble see the FAQ.

Thanks. Will look into this.


>> As for CRL handling; there really should be an OCSP option. Some CAs
>> don't publish their CRLs, but make you look it up on their server. This
>> means we have to have some sort of 'middle-ware' to do this job.

> AFAIK there are not that many working implementations of OCSP, but it has
> recently been added to openssl, so it wouldn't be too big a job to have the
> same in mod_ssl. One thing to note is that using OCSP will add a significant
> overhead!

Yes. But unfortunately, we are using Oracle IAS (with Portal). They
have bundled a modified version of mod_ssl (without the source), and we
can't replace it since doing so would mean that we'd lose the support. But
that's our headache, and has nothing to do with mod_ssl.

>> You seem a little agitated, there. No need to take this personally (unless
>> it was you who made the thing, of course ;-)

> I didn't write mod_ssl, but I like the software and your previous mail sure
> looked like FUD.

I guess I was just tired of banging my head against the wall. It
sometimes happens in this industry, I've learned.  ;-)

- Jon




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
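The session-cache and keep-alive points raised in the reply above, as an added example that is not part of this thread: a mod_ssl configuration fragment showing the cache disabled (the setting the reply suspects) beside the shared-memory form, plus the MSIE workaround from the mod_ssl FAQ. The cache path, cache size and timeout value are assumed values; adjust them to the local ServerRoot.

```apache
# Added example, not from the thread. Paths, sizes and timeouts are assumptions.

# Weak setting: no server-side SSL session cache. Every new connection has to
# do a full handshake, so a site requiring client certificates prompts for the
# certificate on every request (the "re-negotiation on every request" symptom).
#SSLSessionCache none

# Corrected setting: a shared-memory cache that all server processes can read,
# so a resumed session skips the full handshake and the client-cert prompt.
# (shmcb: is the cyclic-buffer shared-memory cache; the path and size are
# assumed values.)
SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

# Client side: MSIE keeps its own session cache for only a few minutes and
# mishandles keep-alive and connection shutdown over SSL. This is the
# workaround from the mod_ssl FAQ / default httpd.conf: disable keep-alive and
# use an unclean SSL shutdown for that browser only.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
```

SSLSessionCache is a server-wide directive, so it belongs in the main server configuration rather than inside a VirtualHost block; after changing it, a resumed session should no longer trigger a client-certificate request, while a cache that is still "none" shows up as a full handshake on every connection in the SSL log.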
