tech-security archive


Re: TLS renegotiation



On Sun, Jul 04, 2010 at 08:34:36PM +0200, Emmanuel Dreyfus wrote:
> 
> It used to work with Firefox, I would like to get client cert
> authentication working again. Even without renegotiation, since, as I
> understood, it is how it should work if client cert is requested
> <VirtualHost>-wide.

The problem is that if you have more than one VirtualHost on the same
network address, Apache may allow the initial handshake to succeed
without requiring a client certificate, then try to force a reneg
once the hostname in the request is known, when it discovers the
VirtualHost in question did in fact want a certificate.

What could be done -- and maybe Apache is flexible enough to do it, I
don't know -- is record the details of the presented client certificate
at initial negotiation time, then check them against what's required
per-VirtualHost when the hostname is known from the request.  But aside
from that, I'm not sure what else can work besides requiring client
certificates always; and it's been too long since I configured Apache
that way to remember exactly how to do that so it won't try to cause a
renegotiation.

Thor
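Added illustration, not part of the original thread: an Apache 2.2 mod_ssl configuration for the "require client certificates always" approach Thor mentions, with two name-based vhosts on one address that carry the same client-certificate policy so the initial handshake already satisfies it and mod_ssl has no reason to renegotiate. Hostnames, certificate paths and the CA file are placeholders.

```apache
# Added example (not from the thread). Hostnames and file paths are
# placeholders; adjust to the local layout.
#
# All vhosts on this address/port state the same client-certificate
# policy. mod_ssl applies SSLVerifyClient from the per-server context
# during the initial handshake; if the vhost chosen for the request
# wanted a different policy it would renegotiate, which is the failure
# described above. Identical settings everywhere avoids that.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/openssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/openssl/private/www.example.org.key
    # Client-certificate policy, same on every vhost for this address.
    SSLCACertificateFile  /etc/openssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.org
    SSLEngine on
    SSLCertificateFile    /etc/openssl/certs/secure.example.org.crt
    SSLCertificateKeyFile /etc/openssl/private/secure.example.org.key
    # Must match the first vhost exactly (CA, level, depth).
    SSLCACertificateFile  /etc/openssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>

# For contrast, the form that always triggers a renegotiation: in a
# per-directory context mod_ssl reads the request first, then
# renegotiates to the new verification level. With renegotiation
# disabled, requests to such a path fail.
#
# <Location /private>
#     SSLVerifyClient require
# </Location>
```

Because the verification happens in the initial handshake, clients that present no certificate are rejected before any request is read; a vhost that must remain reachable without a client certificate cannot share this address without reintroducing the policy mismatch.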

