On October 15, 2012 6:11 , VP <rpeyy...@gmail.com> wrote:
I am still continuing my search to find other solutions to fix my
issue. I have a question. Lets say even if my SSLVerifyClient in is
Location block called "secure". Would the SSL Renegotiation still
trigger if the user types in direct URL the very first time? Like
calling:
https://www.something.com/secure
Instead of:
https://www.something.com and then clicking on hyperlink on the
homepage which will take the user to https://www.something.com/secure
I am not an expert, but according to what I understand: yes, in the
scenario you describe, renegotiation would still be triggered. The
reason is that when the client establishes the initial SSL connection,
it has not yet sent the HTTP request. The server does not know what URI
path the client will be accessing, it only knows that there are some URI
paths for which certificates are required and some for which
certificates are not required, so it negotiates the connection without
client side certificates. (Keep in mind that "SSLVerifyClient" does not
work reliably with all clients -- so I'm assuming you have
"SSLVerifyClient require" set for the /secure Location). After the SSL
session is established, the client sends the HTTP GET request for
/secure. The server sees that a client certificate is required, that no
client certificate was previously provided (because the SSL session was
established with "SSLVerifyClient none"), and the server triggers
renegotiation.
The only sure way around this problem that I know about is to specify
"SSLVerifyClient require" in the virtual host context or global server
context so that it applies to al URI and filesystem paths. The server
will then require a client certificate in the initial SSL negotiation
for all connections, and renegotiation should never be triggered.
--
Mark Montague
m...@catseye.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org