> However, I have not yet found any browser requiring this, nor 
> have I found any difference in the SSL handshakes. The 
> Context ID field seems to be blank both with and without this 
> call (using OpenSSL 0.9.7a with RedHat patches).
> 
> The patch as such looks valid, except that it was reversed 
> (deleting the lines you have added).
> 
> Exactly which browser is it you need this for?

The scenario is: enable client cert auth in the https_port directive. Then open
Mozilla 1.6/1.7rc1 and check "Ask every time" when selecting a certificate.
When you then open a page behind the reverse proxy, you are asked by Mozilla
which certificate you want to use. And this dialog box appears more than once
per page - I believe it is because Mozilla loses the SSL connection with the
server and tries to renegotiate.

When I apply this patch, Mozilla asks me only once when I first connect to
the proxy.

Without the patch, cache.log is full of this stuff:

2004/04/28 11:31:49| clientNegotiateSSL: Error negotiating SSL connection on
FD 18: error:140D9115:SSL routines:SSL_GET_PREV_SESSION :session id context
uninitialized (1/-1)

I can't see these messages when the patch is applied.

The workaround is to tell Mozilla to select the certificate automatically.
But I'm not sure if this is possible with Explorer.

-David

PS: Here's the correct patch.

--- ssl_support.cc.ORIG 2003-04-20 00:19:45.000000000 +0200
+++ ssl_support.cc      2004-04-28 11:33:51.000000000 +0200
@@ -419,6 +419,7 @@
     SSL_METHOD *method;
     SSL_CTX *sslContext;
     long fl = ssl_parse_flags(flags);
+    const unsigned char sid_ctx = 999; 
 
     ssl_initialize();
 
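Review bot: `const unsigned char sid_ctx = 999;` in the first hunk does not fit in an unsigned char; the constant is truncated to 231 (999 mod 256) and most compilers warn about it. The session id context is meant to be an opaque byte string of up to SSL_MAX_SID_CTX_LENGTH bytes that identifies this application or virtual host, so a small fixed byte array such as `static const unsigned char sid_ctx[] = "squid";` passed as `sid_ctx, sizeof(sid_ctx) - 1` is the usual form. The added line also carries trailing whitespace.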
@@ -466,6 +467,12 @@
                ERR_error_string(ssl_error, NULL));
     }
 
+   /* by David Hajek */
+   if (!SSL_CTX_set_session_id_context(sslContext, &sid_ctx,
sizeof(sid_ctx))){
+               ssl_error = ERR_get_error();
+               fatalf("Failed to set session resumption :
%s\n",ERR_error_string(ssl_error, NULL));
+   } 
+
     SSL_CTX_set_options(sslContext, ssl_parse_options(options));
 
     if (cipher) {
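Review bot: the error message in the second hunk, "Failed to set session resumption", does not say what failed; SSL_CTX_set_session_id_context() returns 0 when the supplied context exceeds SSL_MAX_SID_CTX_LENGTH, so "Failed to set SSL session id context: %s" would be clearer. The `&sid_ctx, sizeof(sid_ctx)` arguments only work while sid_ctx is a single char; if it becomes a byte array, pass the array and its length directly. The indentation (3 spaces, then tabs) does not match the 4-space style of the surrounding lines, and the "by David Hajek" attribution belongs in the commit message rather than in the source.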
@@ -568,6 +575,9 @@
     if (fl & SSL_FLAG_DONT_VERIFY_DOMAIN)
         SSL_CTX_set_ex_data(sslContext,
ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
 
+
+
+
     return sslContext;
 
 error:
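
Review bot: the third hunk adds only three blank lines before `return sslContext;` and should be dropped from the patch; it changes nothing functionally and leaves stray whitespace in the file.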
