tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: TLS renegociation

On Sun, Jul 04, 2010 at 08:34:36PM +0200, Emmanuel Dreyfus wrote:
> It used to work with Firefox, I would like to get client cert
> authentication working again. Even without regnegociation, since, as I
> understood, it is how it should work if client cert is requested
> <VirtualHost>-wide.

The problem is that if you have more than one VirtualHost on the same
network address, Apache may allow the initial handshake to succeed
without requiring a client certificate, then try to force a reneg
once the hostname in the request is known, when it discovers the
VirtualHost in question did in fact want a certificate.

What could be done -- and maybe Apache is flexible enough to do it, I
don't know -- is record the details of the presented client certificate
awt initial negotiation time, then check them against what's required
per-VirtualHost when the hostname is known from the request.  But aside
from that, I'm not sure what else can work besides requiring client
certificates always; and it's been too long since I configured Apache
that way to remember exactly how to do that so it won't try to cause a


Home | Main Index | Thread Index | Old Index