I've tried looking for obvious answers in FAQs, upgraded to recent versions
of all components (apache-1.3.14, mod_ssl-2.7.1, openssl-0.9.6), and ended
up hand-interpreting the byte stream recorded in ssl_engine_log (with debug
logging enabled). The problem I'm trying to overcome is easily re-created:
First, prove everything works:
1. setup web-server to request SSL Client Authentication
2. use IE (5.0 for me) to access the web-server
3. when IE pops up box asking which cert to use, select good one & click OK.
4. web-server verifies SSL handshake and invokes CGI with environment setup correctly.
Second, do something that "should" work, but doesn't with IE:
1. <same as above>
2. <same as above>
3. when IE pops up box asking which cert to use, click cancel.
4. "bad stuff" appears in browser window.
5. press "Back" button, and then re-submit same request as in #2
6. instead of #3 happening again, the pop-up box is skipped and #4 happens.
I thought at first that IE was simply not communicating with the web-server
in #5, but after looking at the ssl_engine_log, it was clear that it was. I then
suspected that the web server was maintaining state information. So, I did
steps 1-4, killed the server, removed the dbm cache file, restarted the web
server, and proceeded with steps 5-6.
Same results.
Looking more closely at the ssl_engine_log, it became clear that IE itself
was attempting to continue using the SSL session_id gotten during steps 1-4
(the only way I've found to force IE to stop using that session_id is to exit the
IE program and start all over -- not at all an appealing "solution" for those
handling user support).
Using an old session_id apparently isn't a problem until the web-server notices
that the requested URL needs SSL Client Authentication. At that point, the
logs indicate that the web-server feels that:
"Changed client verification type will force renegotiation"
and thus
"Requesting connection re-negotiation"
"Performing full renegotiation: complete handshake protocol"
....
"Awaiting re-negotiation handshake"
....
"Re-negotiation handshake failed: Not accepted by client!?"
Advice and/or leads on how to:
(preferred) change to web-server so that IE will cause the
certificate-select box to come up in step 6.
or
(bad) determine that IE itself is buggy and MS will need to
issue a new version/bug fix
or
(worst) understand that what I'm looking for is impossible.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
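The log lines quoted in the message ("Changed client verification type will force renegotiation" followed by a full renegotiation that the client does not accept) describe the case where the cached session was established with no client verification, and a stricter per-location requirement is only discovered after the request arrives. The configuration below is an added example, not the poster's configuration, contrasting the layout that produces that renegotiation with one that asks for the certificate in the initial handshake of a dedicated virtual host, so a cached session for that host either already carries a verified client certificate or never gets established. Hostnames, addresses and file paths are placeholders; the directives are standard mod_ssl 2.x directives (SSLVerifyClient, SSLVerifyDepth, SSLCACertificateFile, SSLSessionCache, SSLSessionCacheTimeout).

```apache
# Added example; not from the original message. Addresses, names and paths are placeholders.

# Session cache is a server-wide setting in mod_ssl; the timeout (seconds) bounds
# how long any cached session, including one negotiated without a client
# certificate, stays resumable.
SSLSessionCache        dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300

# --- Layout that produces "Changed client verification type will force renegotiation" ---
# The virtual host starts with no client verification, so the first handshake
# (and the session the browser caches from it) carries no client certificate.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/ca.crt
    SSLVerifyClient none

    # Only this path demands a certificate; mod_ssl can satisfy that for an
    # already-established (possibly resumed) session only by renegotiating.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Alternative: require the certificate in the initial handshake of a separate vhost ---
# Client-authenticated content lives on its own name and address. Every session
# the browser caches for this host was established under the certificate check,
# and a handshake without an acceptable certificate fails up front instead of
# depending on a mid-session renegotiation the client may refuse.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

With the second layout the verification requirement is part of the handshake that creates the session, so a "cancel" in the certificate prompt leaves no half-authenticated session behind for the browser to resume; the trade-off is that the client-authenticated content needs its own hostname or address rather than a path under the existing site.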