SSL Handshake Re-negotiation

05-27-2006
KRISHNAMURTHY SUDHAKAR-FSK031

I have an Apache server that is configured to authenticate clients for a
certain URL while the other clients are not authenticated. Here's what
my vhost.conf file looks like:

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "C:/Program Files/Myserver/myfiles"
ServerName Myserver.server.com:443
ServerAdmin admin@server.com
ErrorDocument 401 /loginerror.htm
ErrorLog logs/error.log
TransferLog logs/access.log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/my.crt

SSLCertificateKeyFile conf/ssl/my.key

SSLCertificateChainFile conf/ssl/my.crt

SSLCACertificateFile conf/ssl/root.crt

<Location /myServlet/FileServlet>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Now when a client is trying to get a file from the /myServlet/FileServlet/
location, I expect the server to send a request to obtain the client
certificate, while if the client is attempting to get a file from other
locations, no client authentication should be performed.

The behavior I am seeing is that when the client comes in to the secure
location with an HTTPS GET request, the SSL handshake occurs without the
server requesting a certificate, then I see the HTTP GET request
coming through to the HTTP layer, and then the server initiates another SSL
handshake (re-negotiation) during which the server requests the
client certificate.

My client is NOT a browser; it's an HTTPS client in C developed by
someone else to support a few basic HTTP commands. Now my question is, is
this the standard behavior, or should the server be requesting the
certificate in the first SSL handshake process?

If this is not the standard way of handling it, then is there something in
the Apache configuration that I am missing?

Can someone please help me out?
TIA

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
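
Added example, not part of the original post and not the mod_ssl project's own configuration: mod_ssl can only apply a per-<Location> SSLVerifyClient after it has read the request line, so it has to renegotiate to ask for the certificate, which is the second handshake described in the post. The variant below moves the certificate request into the initial handshake and leaves only an access check in the location. It assumes Apache 2.0/2.2-era mod_ssl syntax (SSLRequire) and reuses the file paths from the post.

```apache
# Added example (hypothetical variant of the vhost in the post above).
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    conf/ssl/my.crt
    SSLCertificateKeyFile conf/ssl/my.key
    SSLCACertificateFile  conf/ssl/root.crt

    # Server-context setting: the certificate request is sent during the
    # initial handshake, before any URL is known. "optional" means clients
    # that present no certificate can still reach the rest of the site.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /myServlet/FileServlet>
        # No per-location SSLVerifyClient here, so this block does not
        # force a new handshake. Access is decided from the result of the
        # first handshake: only a successfully verified certificate passes.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    # Log the verification result next to protocol and cipher so that
    # requests with and without a verified client certificate can be
    # told apart when reviewing logs/ssl_request_log.
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"
</VirtualHost>
```

The trade-off is that every client connecting to this virtual host is asked for a certificate, not only those requesting /myServlet/FileServlet.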