Suggest SSLSessionCacheTimeout and Cache sizes?
Does anyone have any information on shmcb cache sizings? Specifically, how many bytes per request are taken up in shm for each cache entry? I'd like to make sure my shm size is sufficient for the Cache Timeouts I want to use.

Secondly, is there any reason why the SSLSessionCacheTimeout can't be arbitrarily large (say, an hour)? And at what size (or number of entries) does the cache size begin to seriously hamper lookups within the cache itself?

Thanks for any assistance with the above.

-- Ken Snider

Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

SSL_R_DIGEST_CHECK_FAILED
We have a 0.9.6-based client talking to a 0.9.7a-based mod_ssl server. Communication is fine for initial session negotiation, and for SSL session resumption while the key remains in the cache. However, if the key has expired and we try to pass a new SSL Session ID to the client, the client response is rejected by the server.

The error the client is receiving is a handshake error 40 (0x28). The error description generated in the Apache error log is:

    Library Error: 336117909 error:1408C095:lib(20):func(140):reason(149)
    lib 20: SSL Library
    func 140: EC_F_EC_GROUP_GET_FINISHED
    reason 149: SSL_R_DIGEST_CHECK_FAILED

..and is generated after the server receives the client response to the ServerHello with certificate. The client response consists of a:

- ClientKeyExchange
- ChangeCipherSpec
- EncryptedHandshake

For this packet in question.

This does *not* happen against a 0.9.6-based mod_ssl of the same version of Apache.

Has anyone seen this specific error before in an implementation (SSL_R_DIGEST_CHECK_FAILED)? Any information would be appreciated. We're frankly scratching our heads as to where this problem is coming from.

-- Ken Snider
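
The packed error code in the log excerpt above can be decoded and cross-checked mechanically when triaging such reports. The following is an added example, not part of the original post or of mod_ssl: it assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason), and the names parse_errors, unpack and SAMPLE_LOG are made up for illustration.

```python
import re

# Constructed sample: the error line quoted in the message above, plus a
# deliberately altered copy whose printed reason no longer matches the code.
SAMPLE_LOG = """\
Library Error: 336117909 error:1408C095:lib(20):func(140):reason(149)
Library Error: 336117909 error:1408C095:lib(20):func(140):reason(150)
"""

# Only the library number that appears on this page (ERR_LIB_SSL).
LIB_NAMES = {20: "SSL"}

ERR_RE = re.compile(
    r"(?:Library Error:\s*(?P<dec>\d+)\s+)?"
    r"error:(?P<hex>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)


def unpack(code):
    """Split a packed pre-3.0 OpenSSL error code: lib 8 bits, func 12, reason 12."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_errors(text):
    """Decode every error string in text and flag fields that disagree."""
    results = []
    for m in ERR_RE.finditer(text):
        code = int(m.group("hex"), 16)
        lib, func, reason = unpack(code)
        # The decimal form, when logged, must equal the hex form.
        consistent = m.group("dec") is None or int(m.group("dec")) == code
        if m.group("lib") is not None:
            # The printed lib/func/reason must match what the code unpacks to.
            printed = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
            consistent = consistent and printed == (lib, func, reason)
        results.append({
            "code": code, "lib": lib, "func": func, "reason": reason,
            "lib_name": LIB_NAMES.get(lib, "unknown"),
            "consistent": consistent,
        })
    return results


if __name__ == "__main__":
    for entry in parse_errors(SAMPLE_LOG):
        print(entry)
```

An entry with consistent set to False means the logged fields do not agree with each other, which usually points at a truncated or hand-edited log line rather than at the TLS stack.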