On 20/02/2010 03:25, Eddy Nigg wrote:
> Apache performs a renegotiation when none is needed when configuring
> client authentication at a particular location, is there a logical
> explanation for that? Or even considered correct implementation?
Yes, there's a logical explanation and Apache is doing nothing wrong here.
The parameters of the SSL session, including SSL client authentication,
are negotiated before the server sees any data from the client, so
before the SSL server has any idea which location will be accessed.
The best Apache can do at this moment is to use the parameters that are
set for the root of the virtual server concerned. After negotiation is
complete, the client sends the GET/POST request, the server sees which
location is actually accessed, and has to do a full renegotiation if
there's a difference in the parameter for that location.
Where Apache is failing is in that it will quite often do a
renegotiation when you access successively two locations whose
parameters are compatible, or even identical. So the best is to set the
parameters at the root, and not overwrite them anywhere.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
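The two configurations discussed in the reply above, shown side by side as an added example that is not part of the original thread or of Apache's own documentation. The host name, file paths and the /secure/ location are assumed for illustration. Variant A raises SSLVerifyClient only inside a Location, so the initial handshake runs with the vhost-level setting and mod_ssl has to renegotiate once it sees a request for /secure/; variant B puts the same requirement at the vhost level, where it is negotiated in the first handshake. The two VirtualHost blocks are alternatives, not meant to be loaded together.

```apacheconf
# Added example, not from the original post. Host name and paths are assumed.

# Variant A: client-certificate verification demanded per location.
# The TLS handshake completes with the vhost-level parameters
# (SSLVerifyClient none); the first request for /secure/ then forces a
# full renegotiation so the server can obtain and verify the client cert.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient none

    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Variant B: the same requirement set once for the whole vhost.
# Client authentication is part of the initial handshake, so no
# location triggers a renegotiation.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

To observe the difference, connect with `openssl s_client -connect example.test:443 -cert client.pem -key client.key` (assumed client credentials) and type `GET /secure/ HTTP/1.0` followed by a blank line. With variant A s_client prints a `read R BLOCK` line as the server-initiated renegotiation is performed before the response arrives; with variant B the certificate is requested during the first handshake and the response comes back without any renegotiation.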