mod_ssl: SSL handshake is done on every request

--_0663514b-eb33-4770-bb8a-be392e49b0c6_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Dear=2C

I am running Apache 2.2.14.=20
I also applied the patch to enforce SSL renegotiation from server only.

Testing the proposed solution in SSL mutual authentication context=2C the f=
ull renegotiation is done once but I noticed that the handshake is done for=
every request.
The test web page is made of 30 request/responses and we can see from the L=
OG that 30 handshakes are done even though session is found in cache.

Below=2C extract of the LOG files:

' ssl_engine_kernel.c: Performing full renegotiation: complete handshake pr=
otocol
' ssl_engine_kernel.c: OpenSSL: Handshake: start
' ssl_engine_kernel.c: OpenSSL: Loop: SSL renegotiate ciphers
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write hello request A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 flush data
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write hello request C
....
' ssl_engine_kernel.c: Inter-Process Session Cache: request=3DSET status=3D=
OK id=3DD893868C1224CF057AFE1C604B7C7725E23E92F22CB6EE338997038 F95533213 ti=
meout=3D3600s (session caching)
' ssl_engine_kernel.c: OpenSSL: Handshake: done
....
' ssl_engine_kernel.c: OpenSSL: Handshake: start
' ssl_engine_kernel.c: OpenSSL: Loop: before/accept initialization
....
' ssl_engine_kernel.c: Inter-Process Session Cache: request=3DGET status=3D=
FOUND id=3DD893868C1224CF057AFE1C604B7C7725E23E92F22CB6EE338997038 F95533213=
(session reuse)
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 read client hello A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write server hello A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write certificate A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write server done A
....
' ssl_engine_kernel.c: OpenSSL: Handshake: start
' ssl_engine_kernel.c: OpenSSL: Loop: before/accept initialization
....
' ssl_engine_kernel.c: Inter-Process Session Cache: request=3DGET status=3D=
FOUND id=3DD893868C1224CF057AFE1C604B7C7725E23E92F22CB6EE338997038 F95533213=
(session reuse)
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 read client hello A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write server hello A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write certificate A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write server done A
....

- What is the reason of the handshake for every request?
- What is the purpose of the cache?
- Is the new handshake conveyed under the existing ssl session?
- How to avoid theses handshakes if not required?

Thanks.

Regards=2C

Ben.

=20
____________________________________________________________ _____
Windows Live: Friends get your Flickr=2C Yelp=2C and Digg updates when they=
e-mail you.
http://www.microsoft.com/middleeast/windows/windowslive/see- it-in-action/so=
cial-network-basics.aspx?ocid=3DPID23461::T:WLMTAGL:ON:WL:en -xm:SI_SB_3:092=
010=

--_0663514b-eb33-4770-bb8a-be392e49b0c6_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable






Dear=2C

I am running Apache 2.2.14.
I also applied the patch to =
enforce SSL renegotiation from server only.

Testing the proposed sol=
ution in SSL mutual authentication context=2C the full renegotiation is don=
e once but I noticed that the handshake is done for every request.
The t=
est web page is made of 30 request/responses and we can see from the LOG th=
at 30 handshakes are done even though session is found in cache.

Bel=
ow=2C extract of the LOG files:

' ssl_engine_kernel.c: Performing fu=
ll renegotiation: complete handshake protocol
' ssl_engine_kernel.c: Ope=
nSSL: Handshake: start
' ssl_engine_kernel.c: OpenSSL: Loop: SSL renegot=
iate ciphers
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write hello req=
uest A
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 flush data
' ssl_e=
ngine_kernel.c: OpenSSL: Loop: SSLv3 write hello request C
...
' ssl_=
engine_kernel.c: Inter-Process Session Cache: request=3DSET status=3DOK id=
=3DD893868C1224CF057AFE1C604B7C7725E23E92F22CB6EE338997038F9 5533213 timeout=
=3D3600s (session caching)
' ssl_engine_kernel.c: OpenSSL: Handshake: do=
ne
...
' ssl_engine_kernel.c: OpenSSL: Handshake: start
' ssl_engi=
ne_kernel.c: OpenSSL: Loop: before/accept initialization
...
' ssl_en=
gine_kernel.c: Inter-Process Session Cache: request=3DGET status=3DFOUND id=
=3DD893868C1224CF057AFE1C604B7C7725E23E92F22CB6EE338997038F9 5533213 (sessio=
n reuse)
' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 read client hello A=

' ssl_engine_kernel.c: OpenSSL: Loop: SSLv3 write server hello A
' s=
sl_engine_kernel.c: OpenSSL: Loop: SSLv3 write certificate A
' ssl_engin=
e_kernel.c: OpenSSL: Loop: SSLv3 write server done A
...
' ssl_engine=
_kernel.c: OpenSSL: Handshake: start
' ssl_engine_kernel.c: OpenSSL: Loo=
p: before/accept initialization
...
' ssl_engine_kernel.c: Inter-Proc=
ess Session Cache: request=3DGET status=3DFOUND id=3DD893868C1224CF057AFE1C=
604B7C7725E23E92F22CB6EE338997038F95533213 (session reuse)
' ssl_engine_=
kernel.c: OpenSSL: Loop: SSLv3 read client hello A
' ssl_engine_kernel.c=
: OpenSSL: Loop: SSLv3 write server hello A
' ssl_engine_kernel.c: OpenS=
SL: Loop: SSLv3 write certificate A
' ssl_engine_kernel.c: OpenSSL: Loop=
: SSLv3 write server done A
...

- What is the reason of the hands=
hake for every request?
- What is the purpose of the cache?
- Is the =
new handshake conveyed under the existing ssl session?
- How to avoid th=
eses handshakes if not required?

Thanks.

Regards=2C

Be=
n.