Jeffrey Burgoyne wrote:
> 
> apache 1.3.6
> openssl .9.3a
> modssl 2.3.4
> 
> Interestingly enough, I found the exact same problem this morning. I'm
> just writing our first cgi to require client certificates, and if the form
> to be submitted is a get to the GET method, all is fine. Set it to post,
> and I get an I/O error on the browser. My ssl_engine_log has the following
> entries :

I had the same problem and found the following:

It does happen if a dynamic SSL session renegotiation is requested because
a Location has a different SSL configuration than the virtual host.

What happens is that the renegotiation does not get started, that is, the
'Server hello' will not be sent, because not all of the received bytes get
consumed by the upper (Apache) layer. This does not happen with GET requests,
because there is (normally) no request body, and the header bytes will all
be consumed before the renegotiation gets triggered.

You can easily see this in the ssl_engine_log if you set the loglevel to 
trace.

This is probably not that easy to fix, especially if the body gets transferred
in chunked mode. Before a renegotiation can be triggered, the bytes already
in the SSL receive buffer have to be 'transferred' to the Apache request
receive buffer.


> 
> [22/Jul/1999 05:14:17] [info]  Connection to child 6 established (server
> dserver.ic.gc.ca:443)
> [22/Jul/1999 05:14:18] [info]  Connection: Client IP: 142.53.67.60,
> Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
> [22/Jul/1999 05:14:18] [info]  Initial (No.1) HTTPS request received for
> child 6 (server dserver.ic.gc.ca:443)
> [22/Jul/1999 05:14:18] [info]  Requesting connection re-negotiation
> [22/Jul/1999 05:14:18] [info]  Awaiting re-negotiation handshake
> [22/Jul/1999 05:14:18] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [22/Jul/1999 05:14:18] [error] SSL error on reading data (OpenSSL library
> error follows)
> [22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL
> routines:SSL3_READ_BYTES:unexpected record
> [22/Jul/1999 05:14:18] [error] SSL error on writing data (OpenSSL library
> error follows)
> [22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL
> routines:SSL3_READ_BYTES:unexpected record
> [22/Jul/1999 05:14:18] [info]  Connection to child 6 closed with standard
> shutdown (server dserver.ic.gc.ca:443)
> 
> Netscape 4.03 on Linux is what I'm using for a browser. However, it
> appears to work on IE 4.0.
> 
> As well, starting with a fresh browser I found that when the method is set
> to post, the browser never even asks for the user cert.
> 
> Perhaps the Netscape browser is having problems with reposting the data
> for the CGI in renegotiation, as the data does not have to be reposted
> when you use a get?
> 
> Jeff
> 
> On Thu, 22 Jul 1999 [EMAIL PROTECTED] wrote:
> 
> > On Wed, Jul 21, 1999, [EMAIL PROTECTED] wrote:
> >
> > > Full_Name: Dario Castagnino
> > > Version: 2.2.4
> > > OS: Linux 2.0.36
> > > Submission from: (NULL) (200.1.228.95)
> > >
> > > We are using Mod_ssl & Open_ssl with Apache server 1.3.4.
> > > We are having problems when we try to use the post method
> > > to communicate to programs via CGI.
> > >
> > > When the browser tries to make the post, it pops a window saying:
> > > an I/O error occurred during security authorization.
> > > We do not get the error when we use GET method.
> > >
> > > We tried to solve it by changing the executables permissions so that
> > > everybody can execute, read and write on them. After that the error
> > > persisted on some programs, but not all of them. Also on the programs
> > > that worked, it also failed from time to time.
> > >
> > > The error_logs of the apache shows nothing about the problem.
> > > Also if we try the same applications with no ssl (apache without ssl)
> > > there are no problems at all.
> > >
> > > Any help on this will be appreciated
> >
> >   Changes with mod_ssl 2.2.5 (04-Mar-1999 to 18-Mar-1999)
> >
> >    *) Fixed the POST-problem where kept-alive HTTPS connections hang or
> >       resulted in an I/O error inside the browser because the ``SSL close
> >       notify'' alert couldn't be sent correctly because of Apache's internal
> >       ``lingering close'' handling. EAPI was changed to now correctly call the
> >       close_connection module hook also on timeout and linger closes. This
> >       EAPI change means you cannot upgrade your libssl.so with --with-apxs to
> >       this version. A complete Apache rebuild with the updated EAPI code is
> >       necessary.
> >                                        Ralf S. Engelschall
> >                                        [EMAIL PROTECTED]
> >                                        www.engelschall.com
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
> >
> 

-- 

-------------------------------------------------------------------------------
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312
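As an added example, not code from the thread: a small Python checker that pulls the failed re-negotiation pattern Matthias describes (request received, re-negotiation requested, handshake rejected by the client, then the OpenSSL "unexpected record" error) out of an ssl_engine_log, using the lines Jeff quoted above as input. The rule that attributes intermediate lines to the most recently opened child connection is an assumption, noted in the docstring.

```python
import re

# ssl_engine_log lines quoted in the thread above, with the mail-wrapped lines re-joined.
SAMPLE_LOG = """\
[22/Jul/1999 05:14:17] [info]  Connection to child 6 established (server dserver.ic.gc.ca:443)
[22/Jul/1999 05:14:18] [info]  Connection: Client IP: 142.53.67.60, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[22/Jul/1999 05:14:18] [info]  Initial (No.1) HTTPS request received for child 6 (server dserver.ic.gc.ca:443)
[22/Jul/1999 05:14:18] [info]  Requesting connection re-negotiation
[22/Jul/1999 05:14:18] [info]  Awaiting re-negotiation handshake
[22/Jul/1999 05:14:18] [error] Re-negotiation handshake failed: Not accepted by client!?
[22/Jul/1999 05:14:18] [error] SSL error on reading data (OpenSSL library error follows)
[22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
[22/Jul/1999 05:14:18] [error] SSL error on writing data (OpenSSL library error follows)
[22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
[22/Jul/1999 05:14:18] [info]  Connection to child 6 closed with standard shutdown (server dserver.ic.gc.ca:443)
"""

ESTABLISHED_RE = re.compile(r"Connection to child (\d+) established")
CLOSED_RE = re.compile(r"Connection to child (\d+) closed")
CLIENT_RE = re.compile(r"Client IP: (\S+), Protocol: (\S+), Cipher: (\S+)")
OPENSSL_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]+):")   # OpenSSL packed error code

def failed_renegotiations(log_text):
    """One record per connection on which a re-negotiation was requested and then failed.
    Assumption: only the established/closed lines carry the child id in this mod_ssl version,
    so intermediate lines go to the most recently opened connection (wrong if children interleave)."""
    findings, conn = [], None
    for line in log_text.splitlines():
        if (e := ESTABLISHED_RE.search(line)):
            conn = {"child": int(e.group(1)), "client_ip": None, "cipher": None,
                    "requested": False, "failed": False, "openssl_errors": []}
        elif conn is None:
            continue                                  # line outside any open connection
        elif (c := CLIENT_RE.search(line)):
            conn["client_ip"], conn["cipher"] = c.group(1), c.group(3)
        elif "Requesting connection re-negotiation" in line:
            conn["requested"] = True
        elif "Re-negotiation handshake failed" in line:
            conn["failed"] = True
        elif (o := OPENSSL_RE.search(line)):
            conn["openssl_errors"].append(o.group(1).upper())
        elif CLOSED_RE.search(line):
            if conn["requested"] and conn["failed"]:
                findings.append(conn)               # the POST-with-renegotiation failure pattern
            conn = None
    return findings

if __name__ == "__main__":
    print(failed_renegotiations(SAMPLE_LOG))
```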