Dear all

I'm using the following components:

   * apache 1.3.29
   * mod_ssl 2.8.16-1.3.29
   * openssl 0.9.7d
   * mm 1.3.0
   * Solaris 8

I've configured: SSLSessionCache shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)

The problem only occurs if we use client certs. If we do multiple requests on the same SSL session then I get an error the *first time* the request is handled by the *same* Apache child that has stored the SSL session ID in the cache. All other children can access the cache without problems.

Trace output in ssl_engine_log (debug level does not provide better info):

[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received for child 0 (server airlock_baumi.ergon.ch:4442)
[21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will force quick renegotiation
[21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation finished successfully
[21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with standard shutdown (server airlock_baumi.ergon.ch:4442, client 192.168.167.99)


I wonder about the "Cannot find peer certificate chain" followed by "SSL negotiation finished successfully". Hmmm.

If we use dbm instead of shmcb then this problem does not occur.

I had a look at the source code (ssl_engine_kernel.c, line 963):

    ssl_log(r->server, SSL_LOG_TRACE,
            "Performing quick renegotiation: just re-verifying the peer");
    certstack = SSL_get_peer_cert_chain(ssl);
    cert = SSL_get_peer_certificate(ssl);
    if (certstack == NULL && cert != NULL) {
        /* client certificate is in the SSL session cache, but
           there is no chain, since ssl3_get_client_certificate()
           sk_X509_shift()'ed the peer certificate out of the
           chain. So we put it back here for the purpose of quick
           renegotiation. */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
    if (certstack == NULL || sk_X509_num(certstack) == 0) {
        ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
        return FORBIDDEN;
    }


If I omit the check on certstack == NULL with the following change:
           if (cert != NULL) {
               /* client certificate is in the SSL session cache, but
                  there is no chain, since ssl3_get_client_certificate()
                  sk_X509_shift()'ed the peer certificate out of the
                  chain. So we put it back here for the purpose of quick
                  renegotiation. */
               certstack = sk_new_null();
               sk_X509_push(certstack, cert);
           }

then the error does not occur.

Since there was no change to ssl_engine_kernel.c in version 2.8.17-1.3.31,
I do not expect that this behaviour has changed. Of course I will repeat the tests
with updated Apache and mod_ssl.


My questions are now:
Does anybody know about a problem in this area?
What are the side-effects of my code change?

You can see the details also here: http://cvs.ossp.org/tktview?tn=46

Thanks for any ideas and replies.
Erwin Huber

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
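For readers following up on this report, here is an added configuration example (not from the original post and not the poster's actual config) of the per-directory setup that makes mod_ssl 2.8 take the "quick renegotiation" path seen in the trace above. In mod_ssl 2.8, that path is only chosen when SSLOptions +OptRenegotiate is set, both the server-wide and the per-directory SSLVerifyClient request a peer certificate, and a client certificate is already present on the connection; the re-verify then relies on SSL_get_peer_cert_chain(), which is what returns NULL for a session resumed from the shmcb cache. The cache paths, port, certificate paths and the /secure location are assumptions; the shmcb and dbm cache lines mirror the two variants the poster tested.

```apache
# Server-wide SSL setup (assumed paths; example only, not the poster's config)
Listen 4442
<VirtualHost _default_:4442>
    SSLEngine on
    SSLCertificateFile    /opt/slt/ses/apache/conf/server.crt
    SSLCertificateKeyFile /opt/slt/ses/apache/conf/server.key
    SSLCACertificateFile  /opt/slt/ses/apache/conf/client-ca.crt
    SSLLog      /opt/slt/ses/apache/logs/ssl_engine_log
    SSLLogLevel trace

    # "optional" already asks the client for a certificate during the
    # initial handshake, so the certificate ends up in the session cache.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Inter-process session cache as configured in the report.
    # The failure was reproduced with shmcb; the poster reports that the
    # dbm variant does not show it.
    SSLSessionCache shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)
    # SSLSessionCache dbm:/opt/slt/ses/apache/run/ssl_scache
    SSLSessionCacheTimeout 300

    <Location /secure>
        # Stricter verification in a per-directory context triggers the
        # "Changed client verification type will force ... renegotiation"
        # check in ssl_hook_Access().
        SSLVerifyClient require
        # With OptRenegotiate mod_ssl skips the full handshake and only
        # re-verifies the certificate already on the connection, i.e. the
        # "quick renegotiation" path that calls SSL_get_peer_cert_chain().
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>
```

To exercise the reported condition, make one request to a path outside /secure so that the session is stored, then reuse the same SSL session for a request to /secure; the second request must be served by the Apache child that originally stored the session for the "Cannot find peer certificate chain" error to appear. Without +OptRenegotiate mod_ssl performs a full renegotiation instead, in which the client sends its certificate chain again, so that line is the one to toggle when isolating the problem.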
