I have an Apache server that is configured to authenticate clients for a certain URL while the other clients are not authenticated. Here's what my vhost.conf file looks like:

<VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot "C:/Program Files/Myserver/myfiles"
    ServerName Myserver.server.com:443
    ServerAdmin [EMAIL PROTECTED]
    ErrorDocument 401 /loginerror.htm
    ErrorLog logs/error.log
    TransferLog logs/access.log

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile conf/ssl/my.crt
    SSLCertificateKeyFile conf/ssl/my.key
    SSLCertificateChainFile conf/ssl/my.crt
    SSLCACertificateFile conf/ssl/root.crt

    <Location /myServlet/FileServlet>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Now when a client is trying to get a file from the /myServlet/FileServlet/ location, I expect the server to send a request to obtain the client certificate, while if the client is attempting to get a file from other locations no client authentication should be performed.

The behavior I am seeing is that when the client comes in to the secure location with an HTTPS GET request, the SSL handshake occurs without the server requesting a certificate, then I see the HTTP GET request coming through to the HTTP layer, and then the server initiates another SSL handshake (renegotiation) during which the server requests the client certificate.

My client is NOT a browser; it's an HTTPS client in C developed by someone else to support a few basic HTTP commands.

Now my question is: is this the standard behavior, or should the server be requesting the certificate in the first SSL handshake process? If this is not the standard way of handling it, then is there something in the Apache configuration that I am missing?

Can someone please help me out?

TIA

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                               [EMAIL PROTECTED]
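
Added example (not part of the original post and not mod_ssl code): the mod_ssl documentation says that SSLVerifyClient in per-server context applies to the initial handshake, while in per-directory context it forces a renegotiation after the HTTP request has been read, which is the sequence described in the post. The sketch below audits a vhost file for per-directory SSLVerifyClient settings stricter than the handshake-time level; the function name and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: the client-auth related lines of the vhost in the post.
SAMPLE_VHOST = """\
<VirtualHost _default_:443>
SSLEngine on
SSLCACertificateFile conf/ssl/root.crt
<Location /myServlet/FileServlet>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
<Directory "cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
"""

# Relative strictness of the SSLVerifyClient levels.
LEVELS = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}

def find_renegotiation_triggers(conf_text):
    """Return [(section, level)] for per-directory SSLVerifyClient settings
    stricter than the vhost-level one used in the initial handshake."""
    stack, scoped = [], []   # open per-directory sections; scoped settings
    vhost_level = "none"     # mod_ssl default when the directive is absent
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if m:
            if m.group(2).lower() in PER_DIR:
                if m.group(1) and stack:
                    stack.pop()
                elif not m.group(1):
                    stack.append(f"<{m.group(2)} {m.group(3).strip()}>")
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            if stack:
                scoped.append((stack[-1], parts[1].lower()))
            else:
                vhost_level = parts[1].lower()
    base = LEVELS.get(vhost_level, 0)
    return [(s, lvl) for s, lvl in scoped if LEVELS.get(lvl, 0) > base]

if __name__ == "__main__":
    for section, level in find_renegotiation_triggers(SAMPLE_VHOST):
        print(f"{section}: SSLVerifyClient {level} can force a renegotiation")
```

A section is reported only when its level exceeds the vhost-level setting, so a vhost that already sets `SSLVerifyClient require` outside any `<Location>` produces no findings.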