Dear all
I'm using the following components:
* apache 1.3.29
* mod_ssl 2.8.16-1.3.29
* openssl 0.9.7d
* mm 1.3.0
* Solaris 8
I've configured: SSLSessionCache
shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)
The problem only occures if we use client certs. If we do multiple requests
on the same ssl session then I get an error the *first time* the request is
handled by the *same* apache child that has stored the SSL session ID in
the cache. All other childs can acces the cache without problems.
trace output in ssl_engine_log (debug level does not provide better info):
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept
initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello
A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change
cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99,
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received
for child 0 (server airlock_baumi.ergon.ch:4442)
[21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will
force quick renegotiation
[21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just
re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation
finished successfully
[21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with
standard shutdown (server airlock_baumi.ergon.ch:4442, client
192.168.167.99)
I wonder about the "Cannot find peer certificate chain" and then the "SSL
negotiation finished successfully". hmmm.
If we use dbm instead of shmcb then this problem does not occure.
I had a look at the source code.
ssl_engine_kernel.c, line 963:
ssl_log(r->server, SSL_LOG_TRACE,
"Performing quick renegotiation: just re-verifying the
peer");
certstack = SSL_get_peer_cert_chain(ssl);
cert = SSL_get_peer_certificate(ssl);
if (certstack == NULL && cert != NULL) {
/* client certificate is in the SSL session cache, but
there is no chain, since ssl3_get_client_certificate()
sk_X509_shift()'ed the peer certificate out of the
chain. So we put it back here for the purpose of quick
renegotiation. */
certstack = sk_new_null();
sk_X509_push(certstack, cert);
}
if (certstack == NULL || sk_X509_num(certstack) == 0) {
ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer
certificate chain");
return FORBIDDEN;
}
If I omit the check on certstack == NULL with the following change:
if (cert != NULL) {
/* client certificate is in the SSL session cache, but
there is no chain, since ssl3_get_client_certificate()
sk_X509_shift()'ed the peer certificate out of the
chain. So we put it back here for the purpose of quick
renegotiation. */
certstack = sk_new_null();
sk_X509_push(certstack, cert);
}
then the error does not occure.
Since there was no change in ssl_engine_kernel.c in version 2.8.17-1.3.31
I do not expect that this behaviour has changed. Of course I will do the
tests
again with updated apache and mod_ssl.
My question is now:
Does anybody know about a problem in this area?
What are the side-effects of my code change?
You can see the details also here: http://cvs.ossp.org/tktview?tn=46
thanks for any ideas and replies
Erwin Huber
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
