On 02/21/2010 03:10 AM, Jean-Marc Desperrier:
>> On 20/02/2010 03:25, Eddy Nigg wrote:
>> Apache performs a renegotiation when none is needed when configuring
>> client authentication at a particular location, is there a logical
>> explanation for that? Or even considered correct implementation?

> Yes, there's a logical explanation and Apache is doing nothing wrong here.

> The parameters of the SSL session, including SSL client authentication, are negotiated before the server sees any data from the client, so before the SSL server has any idea which location will be accessed. The best Apache can do at this moment is to use the parameters that are set for the root of the virtual server concerned. After negotiation is complete, the client sends the GET/POST request, the server sees which location is actually accessed, and has to do a full renegotiation if there's a difference in the parameter for that location.

Aha - yes, this makes sense.


> Where Apache is failing is in that it will quite often do a renegotiation when you access successively two locations whose parameters are compatible, or even identical. So the best is to set the parameters at the root, and not overwrite them anywhere.

OK, done. This seems to work now and no renegotiation happens. Nice trick and does the job apparently.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
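The two configurations the thread contrasts, written out as an added example (this is not configuration from either poster): the first places SSLVerifyClient inside a <Location>, so the initial handshake is done with the vhost-level setting and mod_ssl must renegotiate once it sees a request for that path; the second applies the fix described above, setting the verification parameters once at the virtual host root and never overriding them. The hostname, certificate paths and log path are placeholders.

```apache
# BEFORE: client authentication required only under /secure/.
# The TLS handshake completes before the request URI is known, so
# mod_ssl negotiates with the vhost-level value ("none") and then has
# to run a full renegotiation when the request turns out to be for
# /secure/.  Hostname and paths below are placeholders.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    SSLVerifyClient none

    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>

# AFTER: the fix from the thread.  Verification parameters are set once at
# the vhost root and not overridden in any <Location> or <Directory>, so
# the parameters chosen in the initial handshake are already the final
# ones and no renegotiation is triggered.  The trade-off is that every
# path served by this vhost now requires a client certificate.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth 2

    # Record the verified client subject DN with each request so the
    # access log shows which certificate authenticated it.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SSL_CLIENT_S_DN}x\"" ssl_clientauth
    CustomLog /var/log/apache2/ssl_clientauth.log ssl_clientauth

    # To confirm the change took effect, raise the log level temporarily
    # and grep the error log for "negotiation" while fetching /secure/;
    # with the root-level setting no such lines should appear.
    # LogLevel debug
</VirtualHost>
```

Only one of the two <VirtualHost> blocks should be active at a time; they are shown together purely to put the per-location setting beside the root-level one.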

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
