Hello,

Question:

Software:
Apache 1.3.29
ModSSL 2.8.16
OpenSSL 0.9.7c
OS Sun Solaris 8

Clients
IE 5.5 and IE 6.0
Client Certificates stored on hardware token with 10 minute timeout for private key. If a user does not use the private key for 10 minutes, then he/she has to re-enter PIN to access private key stored on smart card.
If I set Apache to not require client authentication then I am able to reuse a SSL session ID when connecting via HTTPS. I ran the following test with openssl:

openssl s_client -connect localhost:443 -state -reconnect

The results basically inform you that session caching is working properly and openssl connects to Apache using the same session ID 5 times.
If I modify the httpd.conf file to require client authentication, I get a failure with the above openssl command and when connecting using a certificate. I get REQUEST=SET STATUS=BAD when OpenSSL is trying to write the session id to the DBM cache file on the local system. OpenSSL then attempts to REQUEST=GET and that fails when it tries to use the session ID it was unable to write earlier.

If I remove the require client auth in the httpd.conf file, the logging is correct and the openssl command does not fail.
The problem is that I have users that may take longer than 10 minutes (access to private key on smart card times out after 10 minutes) to complete a form on a web page. If a user accesses the server via the browser, he/she selects a certificate to present, authenticates to smart card with PIN and is then allowed access to the web page. If he/she sits there with the browser open for 12 minutes or so and clicks on a link -- failure. Page not found failure. I look at the debug logs of SSL and see that OpenSSL was trying to reuse the first session key and it failed. As a result, the complete handshake starts over again, but the user is not prompted to enter PIN. Apache does not get a user cert and failure takes place.
The ironic thing is that if I wait 12 minutes, enter PIN for smart card prior to clicking on a link, then all works fine. OpenSSL does not reuse the session key, but the repeat of the handshake works.

How am I able to configure Apache to reuse the session key when client auth is enabled? Am I missing something?

Thanks
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
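The reconnect test the post runs with openssl s_client, turned into a repeatable check. This is an added example and not part of the original message or of mod_ssl; it assumes only the "New, ..." / "Reused, ..." status line that s_client prints after each handshake, and the two transcripts embedded below are constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the transcript of
#   openssl s_client -connect HOST:PORT -state -reconnect
# to see whether the five automatic reconnects resumed the first session ID.
# With -reconnect, s_client performs one full handshake and then reconnects
# five times offering the same session ID, so a working session cache shows
# one "New," line followed by five "Reused," lines.

# Print "new=<count> reused=<count>" for an s_client transcript read on stdin.
session_reuse_summary() {
    transcript=$(cat)
    # grep -c prints 0 but exits 1 when nothing matches; "|| true" keeps the 0.
    new=$(printf '%s\n' "$transcript" | grep -c '^New, ' || true)
    reused=$(printf '%s\n' "$transcript" | grep -c '^Reused, ' || true)
    printf 'new=%s reused=%s\n' "$new" "$reused"
}

# Succeed only if exactly one full handshake happened and at least one later
# connection resumed it, i.e. the server-side session cache accepted the ID.
session_reuse_ok() {
    summary=$(session_reuse_summary)
    case "$summary" in
        "new=1 reused="[1-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real check against a live server, e.g. check_live_server localhost:443
# (not executed in this file; needs a reachable HTTPS server).
check_live_server() {
    openssl s_client -connect "$1" -state -reconnect </dev/null 2>&1 \
        | session_reuse_summary
}

# Constructed transcript of a healthy server: one full handshake, five resumptions.
SAMPLE_GOOD='CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is RC4-SHA
Verify return code: 0 (ok)
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is RC4-SHA'

# Constructed transcript of a server whose cache never accepts the session:
# every reconnect negotiates afresh, so no "Reused," line appears.
SAMPLE_BAD='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is RC4-SHA
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is RC4-SHA'

# Demonstration on the constructed transcripts.
printf 'healthy cache:  %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | session_reuse_summary)"
printf 'broken cache:   %s\n' "$(printf '%s\n' "$SAMPLE_BAD" | session_reuse_summary)"
```

Pipe the live s_client output through session_reuse_summary once with client auth off and once with it on; a summary that drops from "new=1 reused=5" to "new=6 reused=0" (or a connection failure) confirms the cache is rejecting the session under client auth before looking any further into the DBM cache log lines the post mentions.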
