Closed Bug 326198 Opened 19 years ago Closed 19 years ago

tstclnt hangs during handshake with apache/mod_ssl when server requests full renegotiation

Categories

(NSS :: Libraries, defect)

3.11.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)

Details

Attachments

(3 files)

This problem is related to the SSLv2 protocol only. SSLv3/TLS works fine. The following setup fails: apache is configured with mod_ssl and requires a client cert only when it accesses a specific directory, so that the server starts a full handshake. From the server and client logs, it looks like the client misses the request and waits. The server reports a failure to read client hello B only after the client is interrupted from the console. Logs from both sides are attached.
Attached file apache mod_ssl log
Attached file ssltap output
Comments:

1. The apache log above is not from the same test run as the NSS SSL library trace output. The apache log shows the server requesting client authentication and the client sending a cert. The NSS log does not show any client auth.

2. In the apache log attached above (first attachment), despite the fact that the server requested client auth in the first handshake and the client did do a successful client auth, the server decides that it needs to do a second handshake to perform a client auth. The server should have known that the client auth was already done, and used the client auth info it already had.

3. SSL2 is incapable of doing a second handshake on a connection after the first handshake is done. So, the server must not attempt to perform a second handshake on the connection after the first handshake is done. The apache log shows that the server called a function to perform a second handshake on the connection. The function whose job it is to send a handshake request sent nothing. Then the server waited for a response from the client to the (non-existent) handshake request. At that point, you had both the client and the server each waiting for the other. The client has sent its HTTP request and is waiting for an HTTP response. The server thinks it has sent a rehandshake request (but actually has not) and is waiting for a new handshake to begin.

Items 2 and 3 above are problems with the server. They may be due to misconfiguration, or a coding error. But this bug shows no evidence of NSS misbehaving. So, I'm marking it invalid.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
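The deadlock described in comment 3 is triggered by per-directory client-certificate configuration: mod_ssl can only satisfy a `SSLVerifyClient` that applies to a subset of the virtual host by renegotiating after the request URI is known, and an SSLv2 connection has no way to carry a second handshake. The following is an added example of the weak and corrected mod_ssl configuration, not taken from the bug's attachments; the host name, certificate paths and the `/secure` location are assumptions for illustration.

```apache
# --- Configuration that reproduces the hang (added example, not from the bug) ---
<VirtualHost *:443>
    ServerName ssl.example.test            # assumed host name
    SSLEngine on
    SSLProtocol all                        # SSLv2 still negotiable with an SSLv2-only client
    SSLCertificateFile    /etc/apache2/ssl/server.crt   # assumed paths
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/ca.crt

    # Client auth required only under one directory: mod_ssl must
    # renegotiate after reading the request line, which SSLv2 cannot do.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Corrected configuration (added example) ---
<VirtualHost *:443>
    ServerName ssl.example.test
    SSLEngine on
    SSLProtocol all -SSLv2                 # refuse SSLv2 outright; every remaining
                                           # protocol supports a second handshake
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/ca.crt

    # If the whole host can require a client cert, do it here so the
    # client auth happens in the first handshake and no renegotiation
    # is ever needed. Keep the <Location> form only when other paths
    # must stay reachable without a cert.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

With the corrected host, an SSLv2-only client such as tstclnt in the reporter's setup fails at the initial handshake with a protocol-version error instead of silently hanging after its HTTP request, which is the observable behaviour to check for after the change.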