Your OpenSSL libs are a bit old - there have been many important code
updates since 0.9.6b. In particular, the most recent update (0.9.6h)
fixed race condition bugs that were causing intermittent failures. Try
an upgrade first, I would advise...

Rgds,

Owen Boyle

>-----Original Message-----
>From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, 17 December 2002 16:07
>To: [EMAIL PROTECTED]
>Subject: POST with mod_ssl intermittently fails with a 405
>
>
>Hello,
>
>I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43,
>mod_ssl/2.0.43,  OpenSSL/0.9.6b,  PHP/4.2.3 and mod_authzldap 0.22
>
>Every so often a PHP page is called with a POST request to send data to the
>server. The whole server area is protected via the following settings in
>ssl.conf:
>
><Directory /var/www/html/ca>
>        Options Indexes FollowSymLinks ExecCGI
>        DirectoryIndex index.php index.cgi
>        SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate
>
>        SSLRequireSSL
>        SSLVerifyClient require
>        SSLVerifyDepth  4
>        SSLRequire     ( \
>                %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
>                %{SSL_CLIENT_I_DN_CN} eq "my CA" )
>
>        AuthzLDAPEngine                 on
>        AuthzLDAPAuthoritative          on
>        AuthzLDAPServer                 localhost:389
>        AuthzLDAPBindDN                 "cn=manager,dc=mydomain,dc=com"
>        AuthzLDAPBindPassword           "terriblysecret"
>        AuthzLDAPUseCertificate         on
>        AuthzLDAPSetAuthorization       on
>        AuthzLDAPUseSerial              on
>        AuthzLDAPMapBase                ou=AuthzLDAPCertmap,dc=mydomain,dc=com
>        AuthzLDAPMapScope               subtree
>        AuthzLDAPLogLevel               warn
>        AuthzLDAPCacheConnection        off
>        AuthzLDAPCacheSize              0
>        AuthName                        AuthzLDAP
>        AuthType                        Basic
></Directory>
>
>and with the following require in .htaccess of the same directory:
>
>       require user "CN=Jan-Piet [EMAIL PROTECTED]"
>
>GET operations always work perfectly (BTW almost all resources are .PHP).
>Once in a while a POST method is attempted which then sometimes fails (not
>always). When it has failed, subsequent GET methods on different pages do
>not work either. After a certain time which always differs, the GET will work
>and the following POST also.
>
>I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking
>it had something to do with it, but to no avail. The value of
>SSLSessionCacheTimeout doesn't seem to matter either.
>
>At the time of the failure, the logs have this in them:
>
>error_log:
>       [Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
>       [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
>       hint: try SSLOptions +OptRenegotiate
>
>access_log:
>       10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
>       10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
>       10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936
>
>ssl_request_log:
>       [17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 s_dn="-",  issuer="-"
>
>The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0 all
>with a client cert issued by my CA. The issue affects both clients (Netscape
>4.5 shows the same)
>
>Can someone help me resolve this, please?
>
>Thank you very much.
>Regards,
>       -JP
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>

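The failure pattern reported in the quoted message can be measured from the two logs. The Python below is an added example, not code from either poster or from mod_ssl: it pairs each renegotiation error in error_log with the POST 405 logged at the same moment in access_log and reports how long that client was then refused. The function names, the 2-second matching window and the shared-clock assumption belong to this example; the sample lines follow the quoted excerpts, with a constructed placeholder for the redacted certificate subject.

```python
import re
from datetime import datetime, timedelta

# Sample input follows the log excerpts quoted above (unwrapped). The subject
# "CN=Example User" is a constructed placeholder for the redacted client DN.
ERROR_LOG = """\
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
"""
ACCESS_LOG = """\
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
10.0.0.1 - CN=Example User [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936
"""

ERR_RE = re.compile(r'^\[(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\] \[error\] SSL Re-negotiation')
# The user field may contain spaces (a certificate DN), so anchor on the timestamp.
ACC_RE = re.compile(r'^(\S+) \S+ (.+?) \[(\d{2}/\w{3}/\d{4}:[\d:]{8}) [+-]\d{4}\] '
                    r'"(\S+) \S+[^"]*" (\d{3}) ')

def parse_access(text):
    """Return (local_time, host, user, method, status) for each access_log line."""
    rows = []
    for m in filter(None, map(ACC_RE.match, text.splitlines())):
        host, user, ts, method, status = m.groups()
        rows.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), host, user, method, int(status)))
    return rows

def renegotiation_incidents(error_log, access_log, slack=timedelta(seconds=2)):
    """Pair each renegotiation error with the POST 405 logged at the same time and
    measure how long that client was refused; recovery is the first later 200
    that carries a client identity. Assumes (not stated in the post) that
    error_log timestamps are in the access_log's local time zone."""
    errors = [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
              for m in filter(None, map(ERR_RE.match, error_log.splitlines()))]
    hits, incidents = parse_access(access_log), []
    for when, host, _user, method, status in hits:
        if method != "POST" or status != 405 or not any(abs(when - e) <= slack for e in errors):
            continue
        later = [h for h in hits if h[1] == host and h[0] > when]
        ok = next((h for h in later if h[2] != "-" and h[4] == 200), None)
        end = ok[0] if ok else datetime.max
        denied = sum(1 for h in later if h[4] == 403 and h[0] < end)
        incidents.append({"host": host, "failed_at": when, "denied_after": denied,
                          "recovered_after": (ok[0] - when) if ok else None})
    return incidents

if __name__ == "__main__":
    for incident in renegotiation_incidents(ERROR_LOG, ACCESS_LOG):
        print(incident)
```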
