Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Jean-Marc Desperrier wrote: > Dr Stephen Henson wrote: >> Jean-Marc Desperrier wrote: >>> Joe Orton wrote: Please file a bug and attach all of: a) error_log output at "LogLevel debug" for that case b) the config snipping that you're using for /authentication c) the mod_ssl

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

On 11/18/2009 08:32 PM, Jean-Marc Desperrier wrote: > Stefan Fritsch wrote: >> I cannot reproduce the problems. With an openssl that rejects all >> renegotiations, both reconnections after ssl session timeout and >> connections to a host with sslverifyclient optional work fine (with >> openssl s_

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Stefan Fritsch wrote: I cannot reproduce the problems. With an openssl that rejects all renegotiations, both reconnections after ssl session timeout and connections to a host with sslverifyclient optional work fine (with openssl s_client). I have now succeeded in reproducing at least partially

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Torsten Foertsch wrote: If your/authentication/ is a resource that generates a directory listing via mod_autoindex then apache issues a subrequest for each directory entry. This is not what I was testing, but you are *very right* that there is also that problem. I'll open a bug for it, maybe

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Dr Stephen Henson wrote: Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at "LogLevel debug" for that case b) the config snipping that you're using for /authentication c) the mod_ssl configuration This is now done in bug https://issues.ap

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Jean-Marc Desperrier wrote: > Joe Orton wrote: >> Please file a bug and attach all of: >> >> a) error_log output at "LogLevel debug" for that case >> b) the config snipping that you're using for /authentication >> c) the mod_ssl configuration > > This is now done in bug > https://issues.apache.org

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Joe Orton wrote: Please file a bug and attach all of: a) error_log output at "LogLevel debug" for that case b) the config snipping that you're using for /authentication c) the mod_ssl configuration This is now done in bug https://issues.apache.org/bugzilla/show_bug.cgi?id=48215 error.log mi

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Rainer Jung wrote: In the presence of the session ticket extension, session IDs observed on the server are no longer a good measurement for session reuse. Nice remark, except it's not that, it's really broken. With "session tickets off" (confirmed by the absence of the session ticket extensio

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

On 16.11.2009 20:21, Jean-Marc Desperrier wrote: > Jean-Marc Desperrier wrote: > An interesting point is that firefox is *not* reusing the ssl session in > that case, for some reason it sends a SessionID of 0 after the "Hello > Request" from the server. I'll forward that to the NSS team, because if

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

On Mon, Nov 16, 2009 at 08:21:20PM +0100, Jean-Marc Desperrier wrote: > Ok, so in fact I have one apache instance available locally with a > problem of this kind. It's configured to not require client > authentication by defaut, but to require it on the /authentication url > > So what happens t

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

On Mon 16 Nov 2009, Jean-Marc Desperrier wrote: > Here's the wireshark captured exchange between the client and server, > note that "Hello Request" always *immediatly* follows the end of the > renegotiation. This is with Apache 2.2.11/Openssl 0.9.8i (not a > > production server) : > > 217   19:30:5

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Jean-Marc Desperrier wrote: Everyone who uses client certificate authentication knows that they are many apache configurations around that will force the user to repeatedly reauthenticate himself for apparently no good reason. It's hard to believe the explanation is only that all of the concerne

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Stefan Fritsch wrote: On Tuesday 10 November 2009, Jean-Marc Desperrier wrote: [ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ] First there's the short SSLSessionCacheTimeout problem : https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23 [...] If they actually are renegotia

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Hi, On Tuesday 10 November 2009, Jean-Marc Desperrier wrote: > So when Apache is compiled with openssl 0.9.8l, TLS renegotiation > will be fully disabled. > > But the problem with that if that some comments of the discussion > inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 > a

TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

Hi, So when Apache is compiled with openssl 0.9.8l, TLS renegotiation will be fully disabled. But the problem with that if that some comments of the discussion inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 are true, this change will unexpectedly break very badly a *lot* of