DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=39243>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39243 ------- Additional Comments From [EMAIL PROTECTED] 2006-07-24 11:37 ------- Will Rowe wrote: > The obvious answer for an 'upload' style operation is to ensure they > never hit your upload page without going through a simpler front > page which first enforces the renegotation. This can be your upload > form page. > Once the session is SSLClientVerify'ed it won't renegotate -again- > so this problem won't occur. This can work for interactive applications, but there are common situations without upload page: an application that wants to submit data to the web server in a SOAP POST request. Note: the above proposal for using an upload page request to renegotiate for the client certificate appears to work only with "SSLVerifyClient none" but not with "SSLVerifyClient optional" at top level. In the last case a renegotiation is performed on the subsequent form POST even when a client certificate is already present. Thus you again run into the 128K limit. This is probably explained by the following code in ssl_engine_kernel.c, which only treats "none" as a special case: /* optimization */ if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && (verify_old == SSL_VERIFY_NONE) && ((peercert = SSL_get_peer_certificate(ssl)) != NULL)) { renegotiate_quick = TRUE; X509_free(peercert); } -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
