Apache Session Reuse with Client Authentication -- Smart Card

on 02.04.2004 17:51:07 by rlabbe

Hello,

Question:

Software:
Apache 1.3.29
ModSSL 2.8.16
OpenSSL 0.9.7c
OS: Sun Solaris 8
Clients:
IE 5.5 and IE 6.0

Client certificates are stored on a hardware token with a 10-minute timeout for
the private key. If a user does not use the private key for 10 minutes, then
he/she has to re-enter the PIN to access the private key stored on the smart card.



If I set Apache to not require client authentication, then I am
able to reuse an SSL session ID when connecting via HTTPS. I ran the
following test with openssl:

openssl s_client -connect localhost:443 -state -reconnect

The results basically inform you that session caching is working properly
and openssl connects to Apache using the same session ID 5 times.

If I modify the httpd.conf file to require client authentication, I get a
failure with the above openssl command, and when connecting using a
certificate I get REQUEST=SET STATUS=BAD when OpenSSL is trying to
write the session ID to the DBM cache file on the local system. OpenSSL
then attempts to REQUEST=GET, and that fails when it tries to use the
session ID it was unable to write earlier.

If I remove the require client auth in the httpd.conf file, the logging is
correct and the openssl command does not fail.

The problem is that I have users that may take longer than 10 minutes
(access to the private key on the smart card times out after 10 minutes) to complete
a form on a web page. If a user accesses the server via the browser, he/she
selects a certificate to present, authenticates to the smart card with the PIN and
is then allowed access to the web page. If he/she sits there with the
browser open for 12 minutes or so and clicks on a link -- failure. Page not
found failure. I look at the debug logs of SSL and see that
OpenSSL was trying to reuse the first session key and it failed. As a
result, the complete handshake starts over again, but the user is not
prompted to enter the PIN. Apache does not get a user cert and failure takes
place.

The ironic thing is that if I wait 12 minutes, enter the PIN for the smart card
prior to clicking on a link, then all works fine. OpenSSL does not reuse
the session key, but the repeat of the handshake works.

How am I able to configure Apache to reuse the session key when client auth
is enabled? Am I missing something?

Thanks


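An added diagnostic (not from the original post) for the test described above: it classifies the handshakes that `openssl s_client -reconnect` reports as new or resumed, and counts REQUEST=SET STATUS=BAD cache-store failures in mod_ssl debug output. The s_client output and log line below are constructed samples, and the log format is an approximation.

```shell
#!/bin/sh
# Count handshakes by type. s_client prints one "New, ..." or "Reused, ..."
# line per connection; -reconnect connects once, then reconnects 5 times.
count_sessions() {
    printf '%s\n' "$1" | awk '
        /^New, /    { n++ }
        /^Reused, / { r++ }
        END         { printf "%d %d\n", n + 0, r + 0 }'
}

# Exit 0 only when the first handshake was new and the reconnects were resumed.
session_reuse_ok() {
    set -- $(count_sessions "$1")
    [ "$1" -eq 1 ] && [ "$2" -ge 1 ]
}

# Count session-cache store failures in a mod_ssl debug log (pattern as in the post).
cache_set_failures() {
    printf '%s\n' "$1" | grep -c 'REQUEST=SET STATUS=BAD' || true
}

# Constructed s_client output for a healthy run: 1 new handshake, 5 resumed.
GOOD_RUN='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Verify return code: 0 (ok)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'

# Constructed output for the failure mode above: every reconnect is a full handshake.
BAD_RUN='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'

# Constructed mod_ssl debug line (approximate format, not a real log).
BAD_LOG='[info] Inter-Process Session Cache: REQUEST=SET STATUS=BAD id=<constructed>'

# Live use against a real server (not run here):
#   session_reuse_ok "$(openssl s_client -connect localhost:443 -state -reconnect </dev/null 2>&1)"
```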


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org