DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24725>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24725 SSL Re-negotiation in conjunction with POST method not supported Summary: SSL Re-negotiation in conjunction with POST method not supported Product: Apache httpd-2.0 Version: 2.0.48 Platform: All OS/Version: All Status: NEW Severity: Normal Priority: Other Component: mod_ssl AssignedTo: bugs@httpd.apache.org ReportedBy: [EMAIL PROTECTED] Comments in httpd-2.0.48/modules/ssl/ssl_engine_kernel.c indicate that the POST data rescue kludge has not yet been ported from 1.3.x to 2.0.x. Is there any progress? I have a secure site with most content and forms available to anonymous users, but a particular database app is for staff only, authenticated by X.509 certs (.htaccess says "SSLVerifyClient require" and a test for our C.A.), and naturally it's a POST form (to keep prolix and subpoena-able stuff out of the access_log). As a workaround, in ssl.conf at global level I changed "SSLVerifyClient none" to "optional", so if there were a cert it would be presented initially, not requiring renegotiation and trashing the POST data. But everyone gets asked for a cert, even though most content is still delivered even if they don't give it. That's not the way it should work. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
