Hi Kaspar,

I applied your 'mod_ssl-disable_tls_tickets.diff' and 'mod_ssl-log_ssloptions.diff' to apache-2.2.12 and initiated the 'failing svn import operation'.

<snip from error_log while this fails>
[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] ssl_init_ssl_connection: options=0x1114fff
</snip>

The tcpdump for this failure is at,

http://www.livecipher.com/tlsext_dump/tlsext.dmp.4

With regards
Kamesh Jayachandran
On 10/25/2009 09:21 PM, Kaspar Brand wrote:
Dr Stephen Henson wrote:
Disabling tickets using SSL_OP_NO_TICKET server side SHOULD work too (does in my
tests) so I've no idea why that wouldn't in the OP's setup unless the patch
doesn't set it in all contexts. Try placing it right after any call to
SSL_CTX_new().
I'm still a bit puzzled as to why my previously posted patch does not
turn off TLS session tickets... there's only one place in mod_ssl where
a new context is created, and in my tests, SSL_OP_NO_TICKET was reliably
applied (i.e., I didn't see any session tickets on the wire). Maybe
there's another issue if tickets are turned off?

Kamesh, could you apply the attached patch, for diagnostic purposes (in
addition to mod_ssl-disable_tls_tickets.diff), and let us know what
"options=" values you see in your ErrorLog? Note that you don't have to
increase Apache's LogLevel, the options for any new SSL connection will
be logged with "warn" already. Also, it would be helpful to have another
capture (with mod_ssl patched like this) where the svn client still
fails with a "parse tlsext" error. Thanks.

Kaspar
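Kaspar's diagnostic patch logs the raw SSL_CTX option bitmask for every new connection, and the question the thread is trying to answer is whether bit 0x4000 (SSL_OP_NO_TICKET) is actually present in the value Kamesh reported. The following script is an added example, not code from either poster or from mod_ssl/OpenSSL; it pulls the "options=0x..." values out of ErrorLog text like the snippet above and decodes them into SSL_OP_* names. The bit values are the ones from OpenSSL 0.9.8's ssl.h, which is assumed to be the OpenSSL generation behind apache-2.2.12 here; SSL_OP_ALL is a composite mask and is reported as a whole when all of its bits are set. The sample log text is the three lines quoted in the thread.

```python
"""Decode the 'options=0x...' values written by the diagnostic mod_ssl patch.

Added example: checks whether SSL_OP_NO_TICKET (0x4000) is set in the
SSL_CTX option bitmask that ssl_init_ssl_connection logs per connection.
"""
import re

# Composite bug-workaround mask (OpenSSL 0.9.8 value, assumed for this thread).
SSL_OP_ALL = 0x00000FFF

# Single-bit SSL_OP_* values from OpenSSL 0.9.8's ssl.h (assumed; the bits
# above 0xFFF did not change between 0.9.8 releases).
SINGLE_BIT_OPTIONS = {
    0x00001000: "SSL_OP_NO_QUERY_MTU",
    0x00002000: "SSL_OP_COOKIE_EXCHANGE",
    0x00004000: "SSL_OP_NO_TICKET",
    0x00008000: "SSL_OP_CISCO_ANYCONNECT",
    0x00010000: "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
    0x00080000: "SSL_OP_SINGLE_ECDH_USE",
    0x00100000: "SSL_OP_SINGLE_DH_USE",
    0x00200000: "SSL_OP_EPHEMERAL_RSA",
    0x00400000: "SSL_OP_CIPHER_SERVER_PREFERENCE",
    0x00800000: "SSL_OP_TLS_ROLLBACK_BUG",
    0x01000000: "SSL_OP_NO_SSLv2",
    0x02000000: "SSL_OP_NO_SSLv3",
    0x04000000: "SSL_OP_NO_TLSv1",
    0x08000000: "SSL_OP_PKCS1_CHECK_1",
    0x10000000: "SSL_OP_PKCS1_CHECK_2",
    0x20000000: "SSL_OP_NETSCAPE_CA_DN_BUG",
    0x40000000: "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG",
}

SSL_OP_NO_TICKET = 0x00004000

# Matches the line the logging patch emits; works on run-together text too.
LOG_RE = re.compile(r"ssl_init_ssl_connection: options=0x([0-9a-fA-F]+)")

# The three ErrorLog lines quoted in the thread above.
SAMPLE_LOG = (
    "[Mon Oct 26 15:48:21 2009] [warn] [client 10.2.0.88] "
    "ssl_init_ssl_connection: options=0x1114fff\n"
    "[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] "
    "ssl_init_ssl_connection: options=0x1114fff\n"
    "[Mon Oct 26 15:48:22 2009] [warn] [client 10.2.0.88] "
    "ssl_init_ssl_connection: options=0x1114fff\n"
)


def options_from_log(text):
    """Return every logged options bitmask (as int) found in ErrorLog text."""
    return [int(m.group(1), 16) for m in LOG_RE.finditer(text)]


def decode_options(value):
    """Translate an SSL_CTX options bitmask into a list of SSL_OP_* names.

    SSL_OP_ALL is reported as one entry when all of its bits are set; any
    bits not covered by the table are reported as 'unknown:0x...'.
    """
    names = []
    remaining = value
    if remaining & SSL_OP_ALL == SSL_OP_ALL:
        names.append("SSL_OP_ALL")
        remaining &= ~SSL_OP_ALL
    for bit, name in sorted(SINGLE_BIT_OPTIONS.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("unknown:0x%x" % remaining)
    return names


def tickets_disabled(value):
    """True if SSL_OP_NO_TICKET is set, i.e. the server will not issue tickets."""
    return bool(value & SSL_OP_NO_TICKET)


if __name__ == "__main__":
    for opts in options_from_log(SAMPLE_LOG):
        print("options=0x%x -> %s" % (opts, ", ".join(decode_options(opts))))
        print("  SSL_OP_NO_TICKET set: %s" % tickets_disabled(opts))
```

Run against the quoted log, every connection decodes to SSL_OP_ALL, SSL_OP_NO_TICKET, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION, SSL_OP_SINGLE_DH_USE and SSL_OP_NO_SSLv2, so the ticket-disabling patch did take effect on the context that served these connections; if the svn client still fails with a "parse tlsext" error, the capture rather than the option bitmask is where to look next.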
