SSL Handshake Re-negotiation
on 27.05.2006 02:01:39 by KRISHNAMURTHY SUDHAKAR-FSK031

I have an Apache server that is configured to authenticate clients for a
certain URL while the other clients are not authenticated. Here's what
my vhost.conf file looks like:

# General setup for the virtual host
DocumentRoot "C:/Program Files/Myserver/myfiles"
ServerName Myserver.server.com:443
ServerAdmin admin@server.com
ErrorDocument 401 /loginerror.htm
ErrorLog logs/error.log
TransferLog logs/access.log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile conf/ssl/my.crt

SSLCertificateKeyFile conf/ssl/my.key

SSLCertificateChainFile conf/ssl/my.crt

SSLCACertificateFile conf/ssl/root.crt

SSLVerifyClient require
SSLVerifyDepth 1

SSLOptions +StdEnvVars
SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Now when a client is trying to get a file from the /myServlet/FileServlet/
location I expect the server to send a request to obtain the client
certificate, while if the client is attempting to get a file from other
locations no client authentication should be performed.
The behavior I am seeing is this: when the client comes in to the secure
location with an HTTPS GET request, the SSL handshake occurs without the
server requesting a certificate, then I see the HTTP GET request
coming through to the HTTP layer, and then the server initiates another SSL
handshake (re-negotiation) during which it requests the
client certificate.
My client is NOT a browser, it's an HTTPS client in C developed by
someone else to support a few basic HTTP commands. Now my question is: is
this the standard behavior, or should the server be requesting the
certificate in the first SSL handshake?
If this is not the standard way of handling it, then is there something in
the Apache configuration that I am missing?
Can someone please help me out.
TIA
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
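The CustomLog line in the posted vhost.conf records, for every request, the protocol and cipher that the SSL connection had at the moment the request was served. Because the posted SSLCipherSuite still admits SSLv2, export-grade, LOW and eNULL suites, an administrator running this configuration would want to check what clients actually negotiated. The following script is an added example, not part of the original post or of mod_ssl: it parses lines in exactly the format `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b` and flags requests served over a weak protocol or cipher. The sample log lines are constructed, and the LOW_CIPHERS set is an assumed approximation of OpenSSL's LOW group rather than the authoritative list.

```python
import re
from typing import Dict, List, Optional

# Field layout of the CustomLog format from the posted vhost.conf:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LOG_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '       # %t   request time in brackets
    r'(?P<host>\S+) '               # %h   remote host
    r'(?P<protocol>\S+) '           # %{SSL_PROTOCOL}x
    r'(?P<cipher>\S+) '             # %{SSL_CIPHER}x
    r'"(?P<request>[^"]*)" '        # "%r" request line
    r'(?P<bytes>\S+)$'              # %b   bytes sent, or "-"
)

# Protocols the posted cipher string still permits but that should not be seen in use.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Assumed approximation of OpenSSL's LOW group (single DES); not exhaustive.
LOW_CIPHERS = {"DES-CBC-SHA", "DES-CBC-MD5", "EDH-RSA-DES-CBC-SHA",
               "EDH-DSS-DES-CBC-SHA", "ADH-DES-CBC-SHA"}

# Constructed sample of ssl_request_log content (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
[27/May/2006:02:01:39 -0700] 192.0.2.10 TLSv1 RC4-SHA "GET /index.htm HTTP/1.1" 1204
[27/May/2006:02:01:41 -0700] 192.0.2.10 TLSv1 RC4-SHA "GET /myServlet/FileServlet/report.pdf HTTP/1.1" 58213
[27/May/2006:02:02:07 -0700] 192.0.2.44 SSLv3 EXP-RC4-MD5 "GET /loginerror.htm HTTP/1.1" 532
[27/May/2006:02:02:30 -0700] 192.0.2.77 TLSv1 NULL-SHA "GET /myServlet/FileServlet/ HTTP/1.1" -
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ssl_request_log line, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every well-formed line; malformed lines are skipped rather than raising."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def weak_reasons(record: Dict[str, str]) -> List[str]:
    """Explain why a negotiated protocol/cipher pair is unacceptable (empty list if it is fine)."""
    reasons = []
    if record["protocol"] in WEAK_PROTOCOLS:
        reasons.append("protocol " + record["protocol"])
    cipher = record["cipher"]
    if "NULL" in cipher:                 # eNULL: authenticated but unencrypted
        reasons.append("null cipher " + cipher)
    elif cipher.startswith("EXP"):       # EXP: export-grade 40/56-bit keys
        reasons.append("export cipher " + cipher)
    elif cipher in LOW_CIPHERS:          # LOW: single DES
        reasons.append("low-strength cipher " + cipher)
    return reasons


def audit_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request that was served over a weak protocol or cipher."""
    findings = []
    for rec in parse_log(text):
        reasons = weak_reasons(rec)
        if reasons:
            findings.append({"host": rec["host"], "request": rec["request"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f["host"], f["request"], "->", "; ".join(f["reasons"]))
```

Run against a real ssl_request_log produced by the posted CustomLog directive, the script reports which clients negotiated a protocol or cipher that the configuration should no longer allow; an empty result is the evidence needed before tightening the SSLCipherSuite string.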