Dr Stephen Henson wrote:
Jean-Marc Desperrier wrote:
Joe Orton wrote:
Please file a bug and attach all of:
a) error_log output at LogLevel debug for that case
b) the config snipping that you're using for /authentication
c) the mod_ssl configuration
This is now done in bug
Torsten Foertsch wrote:
If
your /authentication/ is a resource that generates a directory listing
via mod_autoindex then apache issues a subrequest for each directory
entry.
This is not what I was testing, but you are *very right* that there is
also that problem. I'll open a bug for it, maybe
Stefan Fritsch wrote:
I cannot reproduce the problems. With an openssl that rejects all
renegotiations, both reconnections after ssl session timeout and
connections to a host with sslverifyclient optional work fine (with
openssl s_client).
I have now succeeded in reproducing at least partially
On 11/18/2009 08:32 PM, Jean-Marc Desperrier wrote:
Stefan Fritsch wrote:
I cannot reproduce the problems. With an openssl that rejects all
renegotiations, both reconnections after ssl session timeout and
connections to a host with sslverifyclient optional work fine (with
openssl s_client).
Jean-Marc Desperrier wrote:
Dr Stephen Henson wrote:
Jean-Marc Desperrier wrote:
Joe Orton wrote:
Please file a bug and attach all of:
a) error_log output at LogLevel debug for that case
b) the config snipping that you're using for /authentication
c) the mod_ssl configuration
This is now
Rainer Jung wrote:
In the presence of the
session ticket extension, session IDs observed on the server are no
longer a good measurement for session reuse.
Nice remark, except it's not that, it's really broken. With session
tickets off (confirmed by the absence of the session ticket extension
Joe Orton wrote:
Please file a bug and attach all of:
a) error_log output at LogLevel debug for that case
b) the config snipping that you're using for /authentication
c) the mod_ssl configuration
This is now done in bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=48215
error.log
Jean-Marc Desperrier wrote:
Joe Orton wrote:
Please file a bug and attach all of:
a) error_log output at LogLevel debug for that case
b) the config snipping that you're using for /authentication
c) the mod_ssl configuration
This is now done in bug
Stefan Fritsch wrote:
On Tuesday 10 November 2009, Jean-Marc Desperrier wrote:
[ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ]
First there's the short SSLSessionCacheTimeout problem :
https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23
[...] If they actually are
Jean-Marc Desperrier wrote:
Everyone who uses client certificate authentication knows that there are
many apache configurations around that will force the user to repeatedly
reauthenticate himself for apparently no good reason.
It's hard to believe the explanation is only that all of the
On Mon 16 Nov 2009, Jean-Marc Desperrier wrote:
Here's the wireshark captured exchange between the client and server,
note that Hello Request always *immediately* follows the end of the
renegotiation. This is with Apache 2.2.11/Openssl 0.9.8i (not a
production server) :
217 19:30:50.745606
On Mon, Nov 16, 2009 at 08:21:20PM +0100, Jean-Marc Desperrier wrote:
Ok, so in fact I have one apache instance available locally with a
problem of this kind. It's configured to not require client
authentication by default, but to require it on the /authentication url
So what happens truly
On 16.11.2009 20:21, Jean-Marc Desperrier wrote:
Jean-Marc Desperrier wrote:
An interesting point is that firefox is *not* reusing the ssl session in
that case, for some reason it sends a SessionID of 0 after the Hello
Request from the server. I'll forward that to the NSS team, because if
Hi,
On Tuesday 10 November 2009, Jean-Marc Desperrier wrote:
So when Apache is compiled with openssl 0.9.8l, TLS renegotiation
will be fully disabled.
But the problem with that is that some comments of the discussion
inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243
are
Hi,
So when Apache is compiled with openssl 0.9.8l, TLS renegotiation will
be fully disabled.
But the problem with that is that some comments of the discussion inside
https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 are true, this
change will unexpectedly break very badly a *lot* of