On Tue, Mar 23, 1999, Patrik Carlsson wrote:

> Ralf S. Engelschall wrote:
> 
> > Don't look at Microsoft papers when you want to understand anything, please.
> > Instead look inside the SSLv3 spec or the TLSv1 RFC.  Yes, the stuff is called
> > renegotiation of parameters and is nothing more than a new SSL handshake, of
> > course. The interesting point is just that an SSL handshake can occur at any
> > time and not only at startup of a new connection ;-)
> 
> I've some experience with another web server and IE clients. IE seems to
> renegotiate very often, which is maybe good when looking at security, but
> performance suffers and if you plan to use the SSL session id for logging or
> just tracking sessions, you can just forget it... ;-(

Then this is a client problem! The server cannot do anything here. At least
Netscape is very smart and remembers that it is reconnecting to a server with
a GlobalID cert and then _immediately_ starts with a strong cipher and never
does the stepup again (at least not until it's restarted or the server cert
changes). But I've not tried this with IE. But it's Microsoft, what have you
expected...

> A couple of weeks ago I managed to tag my CA certificate according to your
> instructions in the README.GlobalID document - which is really a very good
> and well written document! But it didn't work when I put the pieces together using
> Apache/1.3.4 and mod_ssl/2.1.8. It went quite fast and I should try it again this
> Easter, but do you (or anyone else) have any other tips/experiences which aren't
> mentioned in the documents?

No, I've written down all details I had about this topic and it worked fine
for me with my mod_ssl 2.1.x and Netscape 4.05 (at this time).  I
recommend that you enable "SSLLogLevel debug" and look at what's going on.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
