Hi, I apologise for cross-posting - I'm really not sure which component is at fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list (or some other venue) dedicated to mod_jk?
My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat 4.0.3. I have a servlet mounted like this JkMount /app/servlet/* ajp13 JkMount /app/*.jsp ajp13 <Location "/app/"> SSLVerifyClient require SSLVerifyDepth 4 </Location> When SSLVerifyClient is set to 'none' all works fine, but when I set it as above, to 'require', it seems that the SSL connection is repetedly renegotiated. The mod_jk log stop at this line (I edited out log entry headers for clarity): Attempting to map URI '/app/servlet/ApplicationProxyServlet' jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /app/servlet/ whilst the ssl engine log shows this Connection to child 3 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Seeding PRNG with 1160 bytes of entropy OpenSSL: Handshake: start OpenSSL: Loop: before/accept initialization Inter-Process Session Cache: request=GET status=FOUND id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE (session reuse) OpenSSL: Loop: SSLv3 read client hello A OpenSSL: Loop: SSLv3 write server hello A OpenSSL: Loop: SSLv3 write change cipher spec A OpenSSL: Loop: SSLv3 write finished A OpenSSL: Loop: SSLv3 flush data OpenSSL: Loop: SSLv3 read finished A OpenSSL: Handshake: done Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits) Initial (No.1) HTTPS request received for child 3 (server www-sps.sps.fms.treas.gov:443) OpenSSL: Write: SSL negotiation finished successfully Connection to child 3 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Connection to child 4 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Seeding PRNG with 1160 bytes of entropy OpenSSL: Handshake: start OpenSSL: Loop: before/accept initialization [Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Seeding PRNG with 1160 bytes of entropy OpenSSL: Handshake: start OpenSSL: Loop: before/accept initialization OpenSSL: Loop: SSLv3 read client hello A OpenSSL: Loop: SSLv3 write server hello A OpenSSL: Loop: SSLv3 write certificate A OpenSSL: Loop: SSLv3 write key exchange A OpenSSL: Loop: SSLv3 write server done A OpenSSL: Loop: SSLv3 flush data OpenSSL: Loop: SSLv3 read client key exchange A OpenSSL: Loop: SSLv3 read finished A OpenSSL: Loop: SSLv3 write change cipher spec A OpenSSL: Loop: SSLv3 write finished A OpenSSL: Loop: SSLv3 flush data .... In contrast, when SSLVerifyClient is 'none', mod_jk log shows Attempting to map URI '/app/servlet/ApplicationProxyServlet' jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 -> /app/servlet/ Into wc_get_worker_for_name ajp13 wc_get_worker_for_name, done found a worker Into jk_worker_t::get_endpoint In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request = 534 seconds Into jk_endpoint_t::service Into ajp_marshal_into_msgb ajp_marshal_into_msgb - Done sending to ajp13 #261 ajp_send_request 2: request body to send 4708 - request body to resend 0 sending to ajp13 #4714 received from ajp13 #3 sending to ajp13 #4 received from ajp13 #3 sending to ajp13 #4 received from ajp13 #49 ajp_unmarshal_response: status = 200 ajp_unmarshal_response: Number of headers is = 2 ajp_unmarshal_response: Header[0] [Content-Type] = [application/octet-stream] ajp_unmarshal_response: Header[1] [Content-Length] = [17776] received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 received from ajp13 #1028 ... and the SSL engine log shows Connection to child 1 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Seeding PRNG with 1160 bytes of entropy OpenSSL: Handshake: start OpenSSL: Loop: before/accept initialization OpenSSL: Loop: SSLv3 read client hello A OpenSSL: Loop: SSLv3 write server hello A OpenSSL: Loop: SSLv3 write certificate A OpenSSL: Loop: SSLv3 write key exchange A OpenSSL: Loop: SSLv3 write server done A OpenSSL: Loop: SSLv3 flush data OpenSSL: Loop: SSLv3 read client key exchange A OpenSSL: Loop: SSLv3 read finished A OpenSSL: Loop: SSLv3 write change cipher spec A OpenSSL: Loop: SSLv3 write finished A OpenSSL: Loop: SSLv3 flush data Inter-Process Session Cache: request=SET status=OK id=7D883EF0B18F9E84BC57C4F02C6E34ADF6FF049BB7091F16B303B79AC906832B timeout=295s (session caching) OpenSSL: Handshake: done Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits) Initial (No.1) HTTPS request received for child 1 (server www-sps.sps.fms.treas.gov:443) OpenSSL: Write: SSL negotiation finished successfully Connection to child 1 closed with standard shutdown (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Connection to child 5 established (server www-sps.sps.fms.treas.gov:443, client 164.95.119.43) Seeding PRNG with 1160 bytes of entropy OpenSSL: Handshake: start OpenSSL: Loop: before/accept initialization Inter-Process Session Cache: request=GET status=FOUND id=DD717A9F7EB2C33D51E1E33C01CB26E57BFD08D4666799528508521CE66F4334 (session reuse) OpenSSL: Loop: SSLv3 read client hello A OpenSSL: Loop: SSLv3 write server hello A OpenSSL: Loop: SSLv3 write change cipher spec A OpenSSL: Loop: SSLv3 write finished A OpenSSL: Loop: SSLv3 flush data OpenSSL: Loop: SSLv3 read finished A OpenSSL: Handshake: done Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits) Initial (No.1) HTTPS request received for child 5 (server www-sps.sps.fms.treas.gov:443) I've spent a couple of days trying to figure this out and have not made any progress. Can anyone help out? TIA. -a -- Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..." [EMAIL PROTECTED] | BRTN commentator +1 (301) 493 4933 | L'Alpe d'Huez http://www.izoard.com | 1995 Tour de France --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]