Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Jean-Marc Desperrier
Dr Stephen Henson wrote: Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snippet that you're using for /authentication c) the mod_ssl configuration This is now done in bug

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Jean-Marc Desperrier
Torsten Foertsch wrote: If your/authentication/ is a resource that generates a directory listing via mod_autoindex then apache issues a subrequest for each directory entry. This is not what I was testing, but you are *very right* that there is also that problem. I'll open a bug for it, maybe

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Jean-Marc Desperrier
Stefan Fritsch wrote: I cannot reproduce the problems. With an openssl that rejects all renegotiations, both reconnections after ssl session timeout and connections to a host with sslverifyclient optional work fine (with openssl s_client). I have now succeeded in reproducing at least partially

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Ruediger Pluem
On 11/18/2009 08:32 PM, Jean-Marc Desperrier wrote: Stefan Fritsch wrote: I cannot reproduce the problems. With an openssl that rejects all renegotiations, both reconnections after ssl session timeout and connections to a host with sslverifyclient optional work fine (with openssl s_client).

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Dr Stephen Henson
Jean-Marc Desperrier wrote: Dr Stephen Henson wrote: Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snippet that you're using for /authentication c) the mod_ssl configuration This is now

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-17 Thread Jean-Marc Desperrier
Rainer Jung wrote: In the presence of the session ticket extension, session IDs observed on the server are no longer a good measurement for session reuse. Nice remark, except it's not that, it's really broken. With session tickets off (confirmed by the absence of the session ticket extension

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-17 Thread Jean-Marc Desperrier
Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snippet that you're using for /authentication c) the mod_ssl configuration This is now done in bug https://issues.apache.org/bugzilla/show_bug.cgi?id=48215 error.log

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-17 Thread Dr Stephen Henson
Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snippet that you're using for /authentication c) the mod_ssl configuration This is now done in bug

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Jean-Marc Desperrier
Stefan Fritsch wrote: On Tuesday 10 November 2009, Jean-Marc Desperrier wrote: [ Apache + openssl 0.9.8l = TLS renegotiation fully disabled ] First there's the short SSLSessionCacheTimeout problem : https://issues.apache.org/bugzilla/show_bug.cgi?id=39243#c23 [...] If they actually are

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Jean-Marc Desperrier
Jean-Marc Desperrier wrote: Everyone who uses client certificate authentication knows that there are many apache configurations around that will force the user to repeatedly reauthenticate himself for apparently no good reason. It's hard to believe the explanation is only that all of the

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Torsten Foertsch
On Mon 16 Nov 2009, Jean-Marc Desperrier wrote: Here's the wireshark captured exchange between the client and server, note that Hello Request always *immediately* follows the end of the renegotiation. This is with Apache 2.2.11/Openssl 0.9.8i (not a production server) : 217   19:30:50.745606

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Joe Orton
On Mon, Nov 16, 2009 at 08:21:20PM +0100, Jean-Marc Desperrier wrote: Ok, so in fact I have one apache instance available locally with a problem of this kind. It's configured to not require client authentication by default, but to require it on the /authentication url So what happens truly

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-16 Thread Rainer Jung
On 16.11.2009 20:21, Jean-Marc Desperrier wrote: Jean-Marc Desperrier wrote: An interesting point is that firefox is *not* reusing the ssl session in that case, for some reason it sends a SessionID of 0 after the Hello Request from the server. I'll forward that to the NSS team, because if

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-15 Thread Stefan Fritsch
Hi, On Tuesday 10 November 2009, Jean-Marc Desperrier wrote: So when Apache is compiled with openssl 0.9.8l, TLS renegotiation will be fully disabled. But the problem with that is that some comments of the discussion inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 are

TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-10 Thread Jean-Marc Desperrier
Hi, So when Apache is compiled with openssl 0.9.8l, TLS renegotiation will be fully disabled. But the problem with that is that some comments of the discussion inside https://issues.apache.org/bugzilla/show_bug.cgi?id=39243 are true, this change will unexpectedly break very badly a *lot* of