Hello, 

Question: 

Software: 
Apache 1.3.29 
mod_ssl 2.8.16 
OpenSSL 0.9.7c 
OS: Sun Solaris 8 
Clients: IE 5.5 and IE 6.0 

Client certificates are stored on a hardware token with a 10-minute timeout for 
the private key. If a user does not use the private key for 10 minutes, then 
he/she has to re-enter the PIN to access the private key stored on the smart card. 


If I set Apache to not require client authentication, then I am 
able to reuse an SSL session ID when connecting via HTTPS. I ran the 
following test with openssl: 

openssl s_client -connect localhost:443 -state -reconnect 

The results basically inform you that session caching is working properly 
and openssl connects to Apache using the same session ID five times. 

If I modify the httpd.conf file to require client authentication, I get a 
failure with the above openssl command and also when connecting using a 
certificate. I get REQUEST=SET STATUS=BAD when OpenSSL is trying to 
write the session ID to the DBM cache file on the local system. OpenSSL 
then attempts a REQUEST=GET, and that fails when it tries to use the 
session ID it was unable to write earlier. 

If I remove the client-auth requirement from the httpd.conf file, the logging is 
correct and the openssl command does not fail. 

The problem is that I have users who may take longer than 10 minutes 
(access to the private key on the smart card times out after 10 minutes) to complete 
a form on a web page. If a user accesses the server via the browser, he/she 
selects a certificate to present, authenticates to the smart card with the PIN and 
is then allowed access to the web page. If he/she sits there with the 
browser open for 12 minutes or so and then clicks on a link, it fails with a 
"page not found" error. I look at the SSL debug logs and see that 
OpenSSL was trying to reuse the first session key and it failed. As a 
result, the complete handshake starts over again, but the user is not 
prompted to enter the PIN. Apache does not get a user cert and the failure takes 
place. 

The ironic thing is that if I wait 12 minutes and enter the PIN for the smart card 
prior to clicking on a link, then all works fine. OpenSSL does not reuse 
the session key, but the repeated handshake works. 

How am I able to configure Apache to reuse the session key when client auth 
is enabled? Am I missing something? 

Thanks 




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
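The poster's check relies on reading the `openssl s_client -reconnect` output by eye. The script below is an added example, not part of the original post, that parses that output and reports whether the server is actually resuming one cached session (one "New" summary line, the rest "Reused", all carrying the same Session-ID) or falling back to a full handshake every time. The two sample outputs are constructed and abridged to the lines that matter; they are not captures from the poster's Solaris server, and the session IDs and cipher in them are made up.

```python
"""Parse `openssl s_client -connect host:443 -reconnect` output and report
whether the server-side SSL session cache is being reused.

Added example; not code from the original post or from mod_ssl.
The sample outputs are constructed, not captured from a real server.
"""
import re
from dataclasses import dataclass

# s_client prints one summary line per connection attempt, e.g.
#   New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA      (full handshake)
#   Reused, TLSv1/SSLv3, Cipher is DES-CBC3-SHA   (session resumed)
SUMMARY_RE = re.compile(r"^(New|Reused), (\S+), Cipher is (\S+)", re.M)
# The "Session-ID:" line inside the SSL-Session block. The trailing colon
# keeps "Session-ID-ctx:" from matching.
SESSION_ID_RE = re.compile(r"^\s*Session-ID:\s*([0-9A-Fa-f]*)\s*$", re.M)


@dataclass
class Connection:
    status: str       # "New" or "Reused"
    protocol: str
    cipher: str
    session_id: str   # hex string; empty if no ID was printed


def parse_reconnect_output(text: str) -> list:
    """Split the output into per-connection chunks and extract each one's
    handshake status and session ID."""
    matches = list(SUMMARY_RE.finditer(text))
    bounds = [m.start() for m in matches] + [len(text)]
    conns = []
    for i, m in enumerate(matches):
        chunk = text[bounds[i]:bounds[i + 1]]
        sid = SESSION_ID_RE.search(chunk)
        conns.append(Connection(m.group(1), m.group(2), m.group(3),
                                sid.group(1) if sid else ""))
    return conns


def summarize(conns: list) -> dict:
    """Healthy caching is one full handshake followed by resumptions that
    all reuse a single session ID. Anything else means the cache is not
    being hit (the failure mode the post describes with client auth on)."""
    reused = sum(1 for c in conns if c.status == "Reused")
    ids = {c.session_id for c in conns}
    return {
        "connections": len(conns),
        "new": len(conns) - reused,
        "reused": reused,
        "distinct_session_ids": len(ids),
        "cache_working": len(conns) > 1 and reused == len(conns) - 1 and len(ids) == 1,
    }


def _block(status: str, session_id: str) -> str:
    # Constructed, abridged s_client output for one connection.
    return (f"{status}, TLSv1/SSLv3, Cipher is DES-CBC3-SHA\n"
            "SSL-Session:\n"
            "    Protocol  : TLSv1\n"
            "    Cipher    : DES-CBC3-SHA\n"
            f"    Session-ID: {session_id}\n"
            "    Session-ID-ctx: \n"
            "    Verify return code: 0 (ok)\n"
            "drop connection and then reconnect\n")


# Constructed: no client auth, cache works. One full handshake, then the
# same session resumed on each reconnect.
CACHE_OK_SAMPLE = _block("New", "0A" * 32) + "".join(
    _block("Reused", "0A" * 32) for _ in range(5))

# Constructed: client auth required, cache writes fail, so every reconnect
# is a full handshake with a fresh session ID.
CACHE_BROKEN_SAMPLE = "".join(
    _block("New", ("%02X" % i) * 32) for i in range(1, 7))


if __name__ == "__main__":
    import sys
    # Usage: openssl s_client -connect host:443 -reconnect 2>&1 | python3 this.py
    print(summarize(parse_reconnect_output(sys.stdin.read())))
```

To reproduce the poster's client-auth case rather than the anonymous one, give s_client a certificate and key with `-cert` and `-key` and pipe the output through the script; a result with `new` equal to the connection count and `distinct_session_ids` greater than one is the "cache not written, full handshake every time" pattern the post describes.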
