Re: [BugDB] Personal Certificate Cache Problems (PR#107)
I'm having a similar problem. I hope I could explain it. Sorry for the long message. I want to require client certificates only under /cgi-bin. So I place this in my httpd.conf Location /cgi-bin SSLVerifyClient require SSLVerifyDepth 1 /Location With this in place, Netscape keeps asking me for my client certificate each time I click Reload on /cgi-bin/printenv, for example. With SSLLogLevel trace, the ssl_engine_log is pretty large, but I think is useful to include it here. Pointing Navigator to https://my.server:8443/cgi-bin/printenv for the first time, the following appers in the log. [19/Feb/1999 10:36:46] [info] Connection to child 1 established (server thor.intranet.bancorio.com.ar:8443) [19/Feb/1999 10:36:46] [trace] Seeding PRNG with 1032 bytes of entropy [19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: before SSL initalisation [19/Feb/1999 10:36:46] [trace] Inter-Process Session Cache: request=GET status=FOUND id=644607CD6BB682E78127BF233CB9E0227034FF42B6CE33FDEB949368D24F3905 (session reuse) [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read client hello A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server hello A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write change cipher spec A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write finished A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read finished A [19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: done [19/Feb/1999 10:36:46] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) [19/Feb/1999 10:36:46] [info] Requesting connection re-negotiation [19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSL renegotiate ciphers [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write hello request A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data [19/Feb/1999 10:36:46] [info] Awaiting re-negotiation handshake [19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: before accept initalisation [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read client hello A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server hello A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write certificate A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write certificate request A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server done A [19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data Here Netscape is asking me for a certificate, when I click Continue in the "Select a certificate" the following appears: [19/Feb/1999 10:40:11] [trace] Certificate Verification: depth: 1, subject: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI, issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI [19/Feb/1999 10:40:11] [trace] Certificate Verification: depth: 0, subject: /C=AR/O=Banco Rio de la Plata S.A./UID=pinela/CN=Dario [EMAIL PROTECTED], issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read client certificate A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read client key exchange A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read certificate verify A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read finished A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 write change cipher spec A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 write finished A [19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 flush data [19/Feb/1999 10:40:11] [trace] Inter-Process Session Cache: request=SET id=5080C88552F24FA5D2F292412066E77B319DFC0BEE61D568303990A48A50370C timeout=2795s (session caching) [19/Feb/1999 10:40:11] [trace] SSLeay: Handshake: done [19/Feb/1999 10:40:11] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) [19/Feb/1999 10:40:11] [info] Connection to child 1 closed (server thor.intranet.bancorio.com.ar:8443) When I click reload, the following happens: [19/Feb/1999 10:41:06] [info] Connection to child 0 established (server thor.intranet.bancorio.com.ar:8443) [19/Feb/1999 10:41:06] [trace] Seeding PRNG with 1032 bytes of entropy [19/Feb/1999 10:41:06] [trace] SSLeay: Handshake: start [19/Feb/1999 10:41:06] [trace] SSLeay: Loop: before SSL initalisation [19/Feb/1999 10:41:06] [trace] Inter-Process Session Cache: request=GET status=FOUND id=5080C88552F24FA5D2F292412066E77B319DFC0BEE61D568303990A48A50370C (session reuse) [19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 read client hello A [19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write server hello A [19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write change cipher spec A [19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write finished A [19/Feb/1999 10:41:06] [trace] SSLeay:
Re: [BugDB] Personal Certificate Cache Problems (PR#107)
On Fri, Feb 19, 1999, [EMAIL PROTECTED] wrote: [...] Wait! That's still not clear enough, sorry. Do you mean that after 3) Apache asks for the client cert on _every_ request? I think no, so what makes you actually think that your sessions are no longer cached after 3)? Or in other Thats the problem, after 3) Apache asks for the client cert on every request. Ops, then this is some sort of a bug. But perhaps it's the same as described in the other reply on this thread? Is your client authentication configured on a per-directory basis? words: After you restarted Apache how did you discovered that your sessions are now _again_ cached? Usually (I assume you've an enabled session cache: SSLSessionCache!) restarting Apache should make no real difference according to cached sessions. After Apache restarted, client certificate is asked at begining and when we reach timeout. SSLSessionCache is enabled. Hmmm that's crazy. I currently cannot image what happens for you, except that storing the session keys into the DBM file might fail. There are no error messages in the mod_ssl logfile? Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [BugDB] Personal Certificate Cache Problems (PR#107)
- Mensagem original - De: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] Enviada em: Friday, February 19, 1999 2:10 PM Para: [EMAIL PROTECTED] Assunto: Re: [BugDB] Personal Certificate Cache Problems (PR#107) On Fri, Feb 19, 1999, [EMAIL PROTECTED] wrote: [...] Wait! That's still not clear enough, sorry. Do you mean that after 3) Apache asks for the client cert on _every_ request? I think no, so what makes you actually think that your sessions are no longer cached after 3)? Or in other Thats the problem, after 3) Apache asks for the client cert on every request. Ops, then this is some sort of a bug. But perhaps it's the same as described in the other reply on this thread? Is your client authentication configured on a per-directory basis? My client authentication is not configured on a per-directory basis. I could try mod_ssl 2.1.8 to see if this error has something to do with per-directory authentication adition. words: After you restarted Apache how did you discovered that your sessions are now _again_ cached? Usually (I assume you've an enabled session cache: SSLSessionCache!) restarting Apache should make no real difference according to cached sessions. After Apache restarted, client certificate is asked at begining and when we reach timeout. SSLSessionCache is enabled. Hmmm that's crazy. I currently cannot image what happens for you, except that storing the session keys into the DBM file might fail. There are no error messages in the mod_ssl logfile? Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com Why session keys storage fail for Netscape and not for MSIE ? I don't know if this helps, but i'm sending to you the differences in ssl_engine_log between MSIE connections and Netscape connections. José Carlos Leite Log with MSIE connections [19/Feb/1999 15:10:12] [info] Connection to child 2 established (server 195.138 .0.81:8443) [19/Feb/1999 15:10:12] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:10:32] [info] Connection to child 2 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:11:06] [info] Connection to child 0 established (server 195.138 .0.81:8443) [19/Feb/1999 15:11:07] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:11:24] [info] Connection to child 0 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:11:32] [info] Connection to child 9 established (server 195.138 .0.81:8443) [19/Feb/1999 15:11:32] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:12:28] [info] Connection to child 9 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:12:36] [info] Connection to child 7 closed (server 195.138.0.81 :8443) Log with Netscape connections [19/Feb/1999 15:19:27] [info] Connection to child 1 established (server 195.138 .0.81:8443) [19/Feb/1999 15:19:52] [info] SSL handshake stopped: connection was closed [19/Feb/1999 15:19:52] [info] Connection to child 1 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:19:54] [info] Connection to child 8 established (server 195.138 .0.81:8443) [19/Feb/1999 15:19:59] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:20:07] [info] Connection to child 4 established (server 195.138 .0.81:8443) [19/Feb/1999 15:20:07] [info] Connection to child 3 established (server 195.138 .0.81:8443) [19/Feb/1999 15:20:07] [info] Connection to child 5 established (server 195.138 .0.81:8443) [19/Feb/1999 15:20:09] [info] Connection to child 8 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:20:10] [info] Connection to child 6 established (server 195.138 .0.81:8443) [19/Feb/1999 15:20:13] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:20:14] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:20:15] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:20:15] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5 (40/128 bits) [19/Feb/1999 15:20:32] [info] Connection to child 3 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:20:32] [info] Connection to child 4 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:20:32] [info] Connection to child 6 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:20:34] [info] Connection to child 5 closed (server 195.138.0.81 :8443) [19/Feb/1999 15:20:39] [info] Connection to child 2 established (server 195.138 .0.81:8443) [19/Feb/1999 15:20:47] [info] Connection: Client IP: 195.138.6.212, Protocol: S SLv3, Cipher: EXP-RC4-MD5
RE: [BugDB] Personal Certificate Cache Problems (PR#107)
- Mensagem original - De: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] Enviada em: Friday, February 19, 1999 4:38 PM Para: [EMAIL PROTECTED] Assunto: RE: [BugDB] Personal Certificate Cache Problems (PR#107) - Mensagem original - De: [EMAIL PROTECTED] [SMTP:owner-sw-mod-ssl@engels chall.com] Enviada em: Friday, February 19, 1999 2:10 PM Para: [EMAIL PROTECTED] Assunto: Re: [BugDB] Personal Certificate Cache Problems (PR#107) On Fri, Feb 19, 1999, [EMAIL PROTECTED] wrote: [...] Wait! That's still not clear enough, sorry. Do you mean that after 3) Apache asks for the client cert on _every_ request? I think no, so what ma kes you actually think that your sessions are no longer cached after 3)? Or in other Thats the problem, after 3) Apache asks for the client cert on every request. Ops, then this is some sort of a bug. But perhaps it's the same as desc ribed in the other reply on this thread? Is your client authentication config ured on a per-directory basis? My client authentication is not configured on a per-directory basis. I could try mod_ssl 2.1.8 to see if this error has something to do with p er-directory authentication adition. With mod_ssl 2.1.8 everything is working fine. MSIE and Netscape. José Carlos Leite __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [BugDB] Personal Certificate Cache Problems (PR#107)
- Mensagem original - De: jose carlos Enviada em: Friday, February 19, 1999 4:57 PM Para: '[EMAIL PROTECTED]' Assunto: RE: [BugDB] Personal Certificate Cache Problems (PR#107) - Mensagem original - De: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] Enviada em: Friday, February 19, 1999 4:38 PM Para: [EMAIL PROTECTED] Assunto: RE: [BugDB] Personal Certificate Cache Problems (PR#107) - Mensagem original - De: [EMAIL PROTECTED] [SMTP:owner-sw-mod-ssl@engels chall.com] Enviada em: Friday, February 19, 1999 2:10 PM Para: [EMAIL PROTECTED] Assunto: Re: [BugDB] Personal Certificate Cache Problems (PR#107) On Fri, Feb 19, 1999, [EMAIL PROTECTED] wrote: [...] Wait! That's still not clear enough, sorry. Do you mean that after 3) Apache asks for the client cert on _every_ request? I think no, so what ma kes you actually think that your sessions are no longer cached after 3)? Or in other Thats the problem, after 3) Apache asks for the client cert on every request. Ops, then this is some sort of a bug. But perhaps it's the same as desc ribed in the other reply on this thread? Is your client authentication config ured on a per-directory basis? My client authentication is not configured on a per-directory basis. I could try mod_ssl 2.1.8 to see if this error has something to do with p er-directory authentication adition. With mod_ssl 2.1.8 everything is working fine. MSIE and Netscape. José Carlos Leite Sorry, my mistake i tested only the first time. In the second time that i accessed the system it asked for my client certificate in every request. José Carlos Leite __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [BugDB] Personal Certificate Cache Problems (PR#107)
I don't know if this detailed log helps. Look at id 8EFF9FF9FE371731A20EE860E66594986C01DD70ECC2678A40C707E0EA0C5C5B . Why is declared as MISSED when in 1 minute before this id was found ? Why this works fine MSIE 4.x ? SSCacheTimeout=300 Thank you in advance José Carlos Leite [19/Feb/1999 17:30:40] [info] Init: 1st startup round (still not detached) [19/Feb/1999 17:30:40] [info] Init: Initializing OpenSSL library [19/Feb/1999 17:30:40] [info] Init: Loading certificate private key of SSL-aware server 195.138.0.81:8443 [19/Feb/1999 17:30:40] [trace] Init: (195.138.0.81:8443) unencrypted private key - pass phrase not required [19/Feb/1999 17:30:40] [info] Init: 2nd startup round (already detached) [19/Feb/1999 17:30:40] [info] Init: Initializing OpenSSL library [19/Feb/1999 17:30:40] [info] Init: Generating temporary (512 bit) RSA private key [19/Feb/1999 17:30:45] [info] Init: Initializing (virtual) servers for SSL [19/Feb/1999 17:30:45] [info] Init: Configuring server 195.138.0.81:8443 for SSL protocol [19/Feb/1999 17:30:45] [trace] Init: (195.138.0.81:8443) Creating new SSL context [19/Feb/1999 17:30:45] [trace] Init: (195.138.0.81:8443) Configuring permitted SSL ciphers [19/Feb/1999 17:30:45] [trace] Init: (195.138.0.81:8443) Configuring client authentication [19/Feb/1999 17:30:45] [trace] CA certificate: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electre [EMAIL PROTECTED] [19/Feb/1999 17:30:45] [trace] CA certificate: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electronico de [EMAIL PROTECTED] [19/Feb/1999 17:30:45] [trace] CA certificate: [EMAIL PROTECTED] [19/Feb/1999 17:30:45] [trace] CA certificate: /C=ES/ST=Madrid/O=ACE/OU=Clase 1/CN=ACE Clientes1 [19/Feb/1999 17:30:45] [trace] Init: (195.138.0.81:8443) Configuring server certificate [19/Feb/1999 17:30:45] [trace] Init: (195.138.0.81:8443) Configuring server private key [19/Feb/1999 17:30:54] [info] Connection to child 0 established (server 195.138.0.81:8443) [19/Feb/1999 17:30:54] [trace] OpenSSL: Handshake: start [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: before SSL initialization [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 read client hello A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 write server hello A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 write certificate A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 write key exchange A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 write certificate request A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 write server done A [19/Feb/1999 17:30:54] [trace] OpenSSL: Loop: SSLv3 flush data [19/Feb/1999 17:31:09] [trace] OpenSSL: Read: SSLv3 read client certificate A [19/Feb/1999 17:31:09] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A [19/Feb/1999 17:31:09] [info] SSL handshake stopped: connection was closed [19/Feb/1999 17:31:09] [info] Connection to child 0 closed (server 195.138.0.81:8443) [19/Feb/1999 17:31:17] [info] Connection to child 1 established (server 195.138.0.81:8443) [19/Feb/1999 17:31:17] [trace] OpenSSL: Handshake: start [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: before SSL initialization [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 read client hello A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 write server hello A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 write certificate A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 write key exchange A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 write certificate request A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 write server done A [19/Feb/1999 17:31:17] [trace] OpenSSL: Loop: SSLv3 flush data [19/Feb/1999 17:31:22] [trace] Certificate Verification: depth: 1, subject: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electronico de [EMAIL PROTECTED], issuer: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electronico de [EMAIL PROTECTED] [19/Feb/1999 17:31:22] [trace] Certificate Verification: depth: 0, subject: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electronico de Produtos/OU=Catalogo Electronico de [EMAIL PROTECTED], issuer: /C=PT/ST=LISBOA/L=LISBOA/O=Catalogo Electronico de [EMAIL PROTECTED] [19/Feb/1999 17:31:22] [trace] OpenSSL: Loop: SSLv3 read client certificate A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 read client key exchange A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 read certificate verify A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 read finished A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 write finished A [19/Feb/1999 17:31:23] [trace] OpenSSL: Loop: SSLv3 flush data [19/Feb/1999 17:31:23] [trace] Inter-Process Session Cache: request=SET id=AD1830BB23D5F664FBE629CD61771BBA6975CD3B5F53313F074CB6EFA263DE37 timeout=294s (session caching) [19/Feb/1999 17:31:23] [trace] OpenSSL: Handshake: done [19/Feb/1999 17:31:23] [info] Connection: Client IP: 195.138.6.212, Protocol: SSLv3, Cipher:
