I'm having a similar problem. I hope I can explain it. Sorry for the long message.
I want to require client certificates only under /cgi-bin. So I place this in my
httpd.conf
<Location /cgi-bin>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
With this in place, Netscape keeps asking me for my client certificate each time I
click Reload on /cgi-bin/printenv, for example.
With SSLLogLevel trace, the ssl_engine_log is pretty large, but I think it is useful to
include it here.
Pointing Navigator to https://my.server:8443/cgi-bin/printenv for the first time, the
following appears in the log.
[19/Feb/1999 10:36:46] [info] Connection to child 1 established (server thor.intranet.bancorio.com.ar:8443)
[19/Feb/1999 10:36:46] [trace] Seeding PRNG with 1032 bytes of entropy
[19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: before SSL initalisation
[19/Feb/1999 10:36:46] [trace] Inter-Process Session Cache: request=GET status=FOUND id=644607CD6BB682E78127BF233CB9E0227034FF42B6CE33FDEB949368D24F3905 (session reuse)
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read client hello A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server hello A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write change cipher spec A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write finished A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read finished A
[19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: done
[19/Feb/1999 10:36:46] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[19/Feb/1999 10:36:46] [info] Requesting connection re-negotiation
[19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSL renegotiate ciphers
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write hello request A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:36:46] [info] Awaiting re-negotiation handshake
[19/Feb/1999 10:36:46] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: before accept initalisation
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 read client hello A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server hello A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write certificate A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write certificate request A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 write server done A
[19/Feb/1999 10:36:46] [trace] SSLeay: Loop: SSLv3 flush data
Here Netscape is asking me for a certificate, when I click Continue in the "Select a
certificate" the following appears:
[19/Feb/1999 10:40:11] [trace] Certificate Verification: depth: 1, subject: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI, issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI
[19/Feb/1999 10:40:11] [trace] Certificate Verification: depth: 0, subject: /C=AR/O=Banco Rio de la Plata S.A./UID=pinela/CN=Dario [EMAIL PROTECTED], issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read client certificate A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read client key exchange A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read certificate verify A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 read finished A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 write change cipher spec A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 write finished A
[19/Feb/1999 10:40:11] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:40:11] [trace] Inter-Process Session Cache: request=SET id=5080C88552F24FA5D2F292412066E77B319DFC0BEE61D568303990A48A50370C timeout=2795s (session caching)
[19/Feb/1999 10:40:11] [trace] SSLeay: Handshake: done
[19/Feb/1999 10:40:11] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[19/Feb/1999 10:40:11] [info] Connection to child 1 closed (server thor.intranet.bancorio.com.ar:8443)
When I click reload, the following happens:
[19/Feb/1999 10:41:06] [info] Connection to child 0 established (server thor.intranet.bancorio.com.ar:8443)
[19/Feb/1999 10:41:06] [trace] Seeding PRNG with 1032 bytes of entropy
[19/Feb/1999 10:41:06] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: before SSL initalisation
[19/Feb/1999 10:41:06] [trace] Inter-Process Session Cache: request=GET status=FOUND id=5080C88552F24FA5D2F292412066E77B319DFC0BEE61D568303990A48A50370C (session reuse)
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 read client hello A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write server hello A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write change cipher spec A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write finished A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 read finished A
[19/Feb/1999 10:41:06] [trace] SSLeay: Handshake: done
[19/Feb/1999 10:41:06] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[19/Feb/1999 10:41:06] [info] Requesting connection re-negotiation
[19/Feb/1999 10:41:06] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSL renegotiate ciphers
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write hello request A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:41:06] [info] Awaiting re-negotiation handshake
[19/Feb/1999 10:41:06] [trace] SSLeay: Handshake: start
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: before accept initalisation
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 read client hello A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write server hello A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write certificate A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write certificate request A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 write server done A
[19/Feb/1999 10:41:06] [trace] SSLeay: Loop: SSLv3 flush data
and Netscape asks me once again for the certificate with the "Select a certificate"
dialog box. Clicking Continue:
[19/Feb/1999 10:43:04] [trace] Certificate Verification: depth: 1, subject: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI, issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI
[19/Feb/1999 10:43:04] [trace] Certificate Verification: depth: 0, subject: /C=AR/O=Banco Rio de la Plata S.A./UID=pinela/CN=Dario [EMAIL PROTECTED], issuer: /C=AR/O=Banco Rio de la Plata S.A./CN=Autoridad de Certificacion RioEDI
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 read client certificate A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 read client key exchange A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 read certificate verify A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 read finished A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 write change cipher spec A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 write finished A
[19/Feb/1999 10:43:04] [trace] SSLeay: Loop: SSLv3 flush data
[19/Feb/1999 10:43:04] [trace] Inter-Process Session Cache: request=SET id=BD98AC9532676299CAB4BCD5CD40119D93AAAC6A8C6D2E0039A4FB8A3B0CA15C timeout=2882s (session caching)
[19/Feb/1999 10:43:04] [trace] SSLeay: Handshake: done
[19/Feb/1999 10:43:04] [info] Connection: Client IP: 172.18.230.12, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[19/Feb/1999 10:43:05] [info] Connection to child 0 closed (server thor.intranet.bancorio.com.ar:8443)
This happens again and again....
I bet the problem is in the re-negotiation stuff....
Regards, Alfredo
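Added here as an illustration, not code from the list post or from mod_ssl: a small Python script that parses ssl_engine_log lines in the format quoted above and flags connections that resumed a session created by an earlier client-authenticated handshake yet still renegotiated and re-verified the client certificate, which is the server-side trace of the repeated "Select a certificate" prompt. The sample log, the hostname thor.example and the short session ids are constructed.

```python
import re

# Constructed sample in the ssl_engine_log format quoted in the post (two connections,
# the second being the reload); session ids are short placeholders, not the original values.
SAMPLE_LOG = """\
[19/Feb/1999 10:36:46] [info] Connection to child 1 established (server thor.example:8443)
[19/Feb/1999 10:36:46] [trace] Inter-Process Session Cache: request=GET status=FOUND id=AAAA (session reuse)
[19/Feb/1999 10:36:46] [info] Requesting connection re-negotiation
[19/Feb/1999 10:40:11] [trace] Certificate Verification: depth: 0, subject: /C=AR/O=Example/CN=Dario, issuer: /C=AR/O=Example CA
[19/Feb/1999 10:40:11] [trace] Inter-Process Session Cache: request=SET id=BBBB timeout=2795s (session caching)
[19/Feb/1999 10:40:11] [info] Connection to child 1 closed (server thor.example:8443)
[19/Feb/1999 10:41:06] [info] Connection to child 0 established (server thor.example:8443)
[19/Feb/1999 10:41:06] [trace] Inter-Process Session Cache: request=GET status=FOUND id=BBBB (session reuse)
[19/Feb/1999 10:41:06] [info] Requesting connection re-negotiation
[19/Feb/1999 10:43:04] [trace] Certificate Verification: depth: 0, subject: /C=AR/O=Example/CN=Dario, issuer: /C=AR/O=Example CA
[19/Feb/1999 10:43:04] [trace] Inter-Process Session Cache: request=SET id=CCCC timeout=2882s (session caching)
[19/Feb/1999 10:43:05] [info] Connection to child 0 closed (server thor.example:8443)
"""
CACHE_RE = re.compile(r"request=(GET status=FOUND|SET) id=(\w+)")  # resumed vs. newly stored session

def parse_connections(log_text):
    """One record per 'Connection to child N established' .. 'closed' pair."""
    conns, cur = [], None
    for raw in log_text.splitlines():
        msg = raw.split("] ", 2)[-1]  # strip the "[timestamp] [level] " prefix
        if msg.startswith("Connection to child") and "established" in msg:
            cur = {"resumed": None, "renegotiated": False, "client_cert": None, "issued": None}
        elif cur is None:
            continue  # line outside any connection we saw start
        elif m := CACHE_RE.search(msg):
            cur["resumed" if m.group(1).startswith("GET") else "issued"] = m.group(2)
        elif msg.startswith("Certificate Verification: depth: 0"):
            cur["client_cert"] = msg.split("subject: ", 1)[1].split(", issuer:")[0]  # end-entity subject
        elif msg.startswith("Requesting connection re-negotiation"):
            cur["renegotiated"] = True
        elif msg.startswith("Connection to child") and "closed" in msg:
            conns.append(cur)
            cur = None
    return conns

def repeated_client_auth(conns):
    """Indices of connections that resumed a session produced by an earlier
    client-authenticated handshake and still renegotiated and re-verified the client cert."""
    authed, flagged = set(), []
    for i, c in enumerate(conns):
        if c["resumed"] in authed and c["renegotiated"] and c["client_cert"]:
            flagged.append(i)
        if c["client_cert"] and c["issued"]:
            authed.add(c["issued"])  # this session id now carries a verified client cert
    return flagged
```

Run over a real ssl_engine_log, a non-empty result means the browser did resume a session the server had already authenticated, so the re-prompt is coming from the server's renegotiation request, not from a failed session resumption.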
"Ralf S. Engelschall" wrote:
> > > > The apache web server is configured to require client certificates
> > > > to access.
> > > >
> > > > The first time I access Apache with Netscape 4.08, I have to indicate only the
> > > > first time which client certificate I will use, until the timeout
> > > > expires.
> > > >
> > > > Then, when I close the Netscape browser and start it again, Apache always asks
> > > > for the client certificate.
> > >
> > > Sure, Apache asks for a new certificate whenever the client cannot resume the
> > > SSL session by giving a still valid session id. And as it looks Netscape
> > > reasonably doesn't cache SSL sessions over restart time.
> >
> > I don't explain well. After the second restart, Netscape couldn't cache
> > SSL sessions in the same session.
> >
> > > > In MSIE 4.x everything is working fine.
> > >
> > > You mean MSIE caches the session ids over restarts. This means it has to write
> > > them down to disk. And this can perhaps even be considered a security problem.
> >
> > MSIE doesn't cache the session ids over restarts. I mean that it caches
> > session ids in the same session.
> >
> > > > Do you know what could be the problem? Am I doing something wrong in
> > > > the Apache configuration?
> > >
> > > No, neither you, nor Apache nor Netscape does anything wrong. It's the way it
> > > should be: As long as the browser is running it can hold the established
> > > session id in core. When it's restarted a new session has to be established and
> > > when you require client authentication a new authentication has to be
> > > performed.
> > >
> > > What's wrong is IMHO Microsoft...
> >
> > I'm asking you again, what am I doing wrong?
>
> Sorry, but it seems like it's still not clear what exactly your situation and
> problem are. Please explain it once more in more detail: At which times does it
> work, at which time does the browser restart occur and at which time does it then no
> longer work, i.e. when exactly is the authentication redone while you expect
> it not to be done?
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
> ______________________________________________________________________
> Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
> Official Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]