Hello,

I have a host where the client certificate is optional, and required in some directories. The server uses SNI, and this configuration worked fine before SNI.

> <VirtualHost *:443 >
> SSLVerifyClient optional
> <Location "/certrequirement">
> SSLVerifyClient require
</Location>
...

I use an SNI client (Firefox) with a client certificate that works on optional locations but does not in the certrequirement location.

> [info] Initial (No.1) HTTPS request received for child 5 (server
> www.1pc.es:443)
> [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client
> verification type will force renegotiation, referer: http:
> [info] [client 192.168.1.40] Requesting connection re-negotiation, referer:
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full
> renegotiation: complete handshake protocol, referer: http
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
> [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer:
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
> [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0
> [mem: 7f4325577083] (BIO dump follows)
> [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
> [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client
> hello B
> [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted
> by client!?, referer: http://www.1pc.es/

> openssl-1.0.0-0.13.beta4.fc12.x86_64
> httpd-2.2.14-1.fc12.x86_64
> mod_ssl-2.2.14-1.fc12.x86_64

Does anyone know where the problem is? Why does it not work in required, but does the job in optional?

--
http://www.1pc.es/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org