I have an Apache-2.3 (HEAD revision) server with SSL, and was testing a configuration with SSLVerifyClient require switched on.
As long as the SSLCACertificateFile file contained only the cert of my own CA, everything was fine:

* if the client had no cert, the error

    [Thu Sep 22 15:27:39 2005] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?

  was logged correctly (even though the client would display a cryptic error code -12227 or similar).

* if the client had a cert, the request would succeed and the log said

    [Thu Sep 22 15:32:50 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.example.com:8443)

Now I added the certificates from curl's ca-bundle.crt to the SSLCACertificateFile (in total 4403 lines). After that, every connection attempt would simply "hang" indefinitely:

    [Thu Sep 22 15:36:00 2005] [debug] ssl_engine_kernel.c(1181): [client 172.25.124.236] handing out temporary 1024 bit DH key
    [Thu Sep 22 15:36:01 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write key exchange A
    [Thu Sep 22 15:36:01 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write certificate request A
    [Thu Sep 22 15:36:01 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 flush data
    -and then nothing-

(or when traced with strace:

    % strace /usr/local/apache2/bin/httpd -X
    ...
    write(10, "[Thu Sep 22 15:36:01 2005] [debu"..., 94) = 94
    poll(<>

and at the client side:

    % strace openssl s_client -CAfile ssl.crt/ca-bundle.crt -cert ssl.crt/server.crt -key ssl.key/server.key -connect mch00bcm:8443
    ...
    read(3, "\26\3\1#\32", 5) = 5
    read(3, "\r\0#\22\4\3\4\1\2#\v\0a0_1\v0\t\6\3U\4\6\23\2US1\0270"..., 8986) = 3428
    read(3, <>
)

-- so at this point, BOTH CLIENT AND SERVER try to read!!! How can that be? Should the SSL protocol not protect against a deadlock?
When I cancel the client, I see the log entry

    [Thu Sep 22 15:40:17 2005] [debug] ssl_engine_io.c(1601): OpenSSL: I/O error, 5 bytes expected to read on BIO#822f898 [mem: 8236f18]

which means that Apache sits in its BIO callback function, which calls BIO_get_callback_arg().

Reducing the sheer size of the SSLCACertificateFile by removing comments does not change the problem (down to ~1200 lines). Reducing it by deleting half of the curl ca-bundle certs (either the 1st or 2nd half) does indeed help. After that, Apache no longer deadlocks on the certificate exchange.

Is that a known problem? Is it fixed in openssl-0.9.8? I observed it on both FreeBSD and Debian, both running Apache/2.3.0-dev (Unix) mod_ssl/2.3.0-dev OpenSSL/0.9.7d

Martin
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730 Munich, Germany
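The strace output in the post already shows what grew: the record header read by s_client, "\26\3\1#\32", announces an 8986-byte handshake record (0x231a), of which only 3428 bytes had arrived. With SSLVerifyClient on, an SSLv3/TLS 1.0 server's CertificateRequest carries the DER-encoded subject DN of every certificate in SSLCACertificateFile (a 2-byte list length, then each DistinguishedName with its own 2-byte length prefix), so a public CA bundle makes that one message very large. The following script, an added example that is not part of the post and not mod_ssl or OpenSSL code, parses a PEM bundle with a minimal DER walker and reports how large that certificate_authorities field would be. Because no real bundle is on the page, `fake_ca_pem` builds constructed, unsigned certificate-shaped DER objects purely to supply input; `PEM_CERT`, `subject_dn_der` and `certificate_request_ca_list_size` are names chosen here.

```python
import base64
import re

# Minimal DER helpers (added example; not mod_ssl or OpenSSL code).

def der_tlv(tag, content):
    """Encode one DER TLV using the short form or a 1- or 2-byte long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, content_start, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def subject_dn_der(cert_der):
    """Return the DER-encoded subject Name (the full SEQUENCE TLV) of an X.509 certificate.

    This is exactly the DistinguishedName a CertificateRequest would carry for the CA."""
    _, pos, _ = der_read(cert_der, 0)             # Certificate SEQUENCE
    _, pos, _ = der_read(cert_der, pos)           # TBSCertificate SEQUENCE
    tag, _, nxt = der_read(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version (absent in v1 certs)
        pos = nxt
    for _ in range(4):                            # serialNumber, signature, issuer, validity
        _, _, pos = der_read(cert_der, pos)
    tag, _, nxt = der_read(cert_der, pos)         # subject Name
    if tag != 0x30:
        raise ValueError("subject Name is not a SEQUENCE")
    return cert_der[pos:nxt]


PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(bundle_text):
    """Extract every certificate of a PEM bundle as DER; comment lines between blocks are ignored."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT.findall(bundle_text)]


def certificate_request_ca_list_size(bundle_text):
    """Size of the SSLv3/TLS 1.0 certificate_authorities field if every certificate in the
    bundle is advertised as a client CA: 2-byte list length, then 2-byte length + DN for each.
    Returns (size_in_bytes, number_of_cas)."""
    dns = [subject_dn_der(c) for c in pem_certs(bundle_text)]
    return 2 + sum(2 + len(dn) for dn in dns), len(dns)


def fake_ca_pem(country, org, cn):
    """Constructed, unsigned certificate-shaped object used only as sample input (NOT a real cert)."""
    def rdn(oid, value):                          # SET { SEQUENCE { OID, PrintableString } }
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode())))
    name = der_tlv(0x30, rdn(b"\x55\x04\x06", country)    # countryName
                         + rdn(b"\x55\x04\x0a", org)      # organizationName
                         + rdn(b"\x55\x04\x03", cn))      # commonName
    sig_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + b"\x05\x00")
    validity = der_tlv(0x30, der_tlv(0x17, b"050101000000Z") + der_tlv(0x17, b"060101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                                 + b"\x05\x00") + der_tlv(0x03, b"\x00"))   # empty key: placeholder
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                        + sig_alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))        # empty signature: placeholder
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed stand-in for a large SSLCACertificateFile; only the sizes matter here.
    bundle = "# constructed bundle, comment lines are skipped\n" + "".join(
        fake_ca_pem("US", "Example CA", "Example Root") for _ in range(150))
    size, count = certificate_request_ca_list_size(bundle)
    print(f"{count} CA DNs -> certificate_authorities field of {size} bytes")
    if size > 16384:   # 2^14 is the maximum TLS record plaintext; the message must then be fragmented
        print("the DN list alone no longer fits in a single TLS record")
```

Run against the real bundle with `certificate_request_ca_list_size(open("ca-bundle.crt").read())` to see how many DNs are advertised and how many bytes the server must write before it can read anything back. Two checks follow from the number: mod_ssl in Apache 2.2 and later has SSLCADNRequestFile, which lets the advertised DN list be a short file separate from the full verification set in SSLCACertificateFile; and, independently of size, every CA in SSLCACertificateFile can issue a client certificate that SSLVerifyClient require will accept, so a public bundle copied in wholesale is a much wider trust decision than a single private CA.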
