Hi, is it a bug?

This is the scenario for CentOS 5.3 (apache 2.2.3 + openssl-0.9.8e).

1. Simple httpd.conf (nothing special) + ssl part, self-signed certs + CA:

    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect file:/dev/urandom 512
    SSLSessionCache shmcb:/var/cache/mod_ssl/ssl_scache(512000)   # try default too
    SSLMutex default

    <VirtualHost 172.25.16.86:8443>
        ...
        SSLEngine on
        <Location />
            SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        </Location>
        SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
        SSLCertificateFile "/root/mihailp1-ca/mihailp1.crt"
        SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"
        SSLProtocol all -SSLv2
        SSLCipherSuite HIGH:MEDIUM
        <LocationMatch ^/nike(.*)>
            SSLVerifyClient require
            SSLVerifyDepth 3
            SSLOptions +OptRenegotiate
        </LocationMatch>
        ....
    </VirtualHost>

2. I've installed a user's cert, it works:

    # openssl verify -CAfile mihailp1-ca.crt browser.crt
    browser.crt: OK

3. The interesting part starts here.

    [Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=16EA972E4C09B2D7B7B788ABB2273BF3A0E3856A161CA98F62C083B2AF45A8AF timeout=300s (session caching)

4. I see only "...request=SET..." requests and Firefox opens a pop-up window (User Identification request) to click OK. This is boring for 10k users. It doesn't use the session cache.

5. If I use apache + openssl 0.9.7 it works as before without the pop-up window; it uses the same certs and configs at the same time.

6. The problem in httpd is ssl_engine_kernel.c:

    if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
        (verify_old == SSL_VERIFY_NONE) &&
        ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
    {
        renegotiate_quick = TRUE;
        X509_free(peercert);
    }

7. SSL_get_peer_certificate in 0.9.8 returns NULL, openssl 0.9.7 returns non-NULL, so the variable renegotiate_quick is set to TRUE and it will do a *quick* renegotiation.

Help.

--mpech
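The symptom in point 4 (only "request=SET" lines, never a "request=GET status=FOUND") can be confirmed mechanically from the mod_ssl debug log rather than by eyeballing it. The following is an added example, not code from the original post or from httpd: it parses the "Inter-Process Session Cache" lines that mod_ssl 2.2 emits at LogLevel debug, counts how many cached session ids are ever retrieved again, and reports whether the cache is effective. The sample log lines are constructed for the example, and the assumed GET status values are FOUND and MISSED (what ssl_engine_kernel.c logs in 2.2); the session ids are shortened.

```python
"""Summarize mod_ssl session-cache activity from httpd LogLevel debug output."""
import re
from collections import defaultdict

# Matches the mod_ssl 2.2 "Inter-Process Session Cache" debug line for both the
# SET (session caching) and GET (session reuse) requests.
CACHE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<req>SET|GET) "
    r"status=(?P<status>\w+) id=(?P<id>[0-9A-Fa-f]+)"
)

# Constructed sample (not from the original post): what the poster sees, i.e.
# every handshake stores a new session and none is ever looked up again.
SAMPLE_NO_REUSE = """\
[Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=16EA972E4C09B2D7 timeout=300s (session caching)
[Wed Apr 15 13:25:03 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=A1B2C3D4E5F60718 timeout=300s (session caching)
"""

# Constructed sample of a healthy cache: a stored session is resumed twice, and
# one lookup for an unknown/expired id (status=MISSED, assumed value) falls back to a full handshake.
SAMPLE_REUSE = """\
[Wed Apr 15 13:30:00 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=16EA972E4C09B2D7 timeout=300s (session caching)
[Wed Apr 15 13:30:05 2009] [debug] ssl_engine_kernel.c(1690): Inter-Process Session Cache: request=GET status=FOUND id=16EA972E4C09B2D7 (session reuse)
[Wed Apr 15 13:30:09 2009] [debug] ssl_engine_kernel.c(1690): Inter-Process Session Cache: request=GET status=MISSED id=DEADBEEF00000001 (session reuse)
[Wed Apr 15 13:30:09 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=DEADBEEF00000001 timeout=300s (session caching)
[Wed Apr 15 13:31:40 2009] [debug] ssl_engine_kernel.c(1690): Inter-Process Session Cache: request=GET status=FOUND id=16EA972E4C09B2D7 (session reuse)
"""


def summarize(log_text):
    """Count SET/GET activity per session id and decide whether the cache is used.

    Returns a dict with the number of sessions stored, how many of those were
    later found by a GET, the ids that were stored but never reused, the raw
    hit/miss counts, and a boolean verdict.
    """
    sets = defaultdict(int)   # session id -> number of SET requests
    hits = defaultdict(int)   # session id -> number of GET status=FOUND
    misses = 0                # GET requests that did not find the session
    for line in log_text.splitlines():
        m = CACHE_RE.search(line)
        if not m:
            continue  # unrelated debug line
        sid = m.group("id").upper()
        if m.group("req") == "SET":
            sets[sid] += 1
        elif m.group("status") == "FOUND":
            hits[sid] += 1
        else:
            misses += 1
    reused = sum(1 for sid in sets if hits.get(sid))
    return {
        "stored": len(sets),
        "reused": reused,
        "never_reused": sorted(sid for sid in sets if not hits.get(sid)),
        "get_hits": sum(hits.values()),
        "get_misses": misses,
        "cache_effective": reused > 0,
    }


if __name__ == "__main__":
    for name, log in (("no reuse", SAMPLE_NO_REUSE), ("reuse", SAMPLE_REUSE)):
        print(name, summarize(log))
```

Run it against `ssl_error_log` (or wherever ErrorLog points) after a client with a certificate has hit the `/nike` location several times: a result with `stored` growing and `cache_effective` False is exactly the "only SET, never GET" pattern described above, while a working setup shows the same session id being FOUND on the follow-up requests.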