Brian Hayward | 9 May 2007 01:51

[warn] (45)Deadlock situation detected/avoided: Failed to acquire SSL session cache lock

Any suggestions on the above warning?  This happens quite a bit under
very heavy load.  We use shmcb cache (512000).

Thanks,
Brian Hayward
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

jpguilloteau | 9 May 2007 04:00

Jean-Pierre Guilloteau is out of the office.


I will be out of the office starting Sat 05/05/07 and will not return until
Mon 14/05/07.

I will reply to your message as soon as I return.
In my absence you can contact Aspaway on 01 46 67 88 88 or our technical
support on 01 46 67 88 98.
Regards.


Fought, Richard | 16 May 2007 18:28

nokeepalive and SSLVerifyClient

I’ve been searching through the mailing list to find an answer to this question, but haven’t run across it yet.

We currently use the

Omar W. Hannet | 16 May 2007 18:32

Re: nokeepalive and SSLVerifyClient

Fought, Richard wrote:
> I’ve been searching through the mailing list to find an answer to this
> question, but haven’t run across it yet.
>
> We currently use the

The answer to your question is

;-)

Fought, Richard | 16 May 2007 18:34

nokeepalive and SSLVerifyClient

Sorry, I sent the last message prematurely (damn hotkeys).

We currently use the following options to get around the IE SSL bug:

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

We also wish to use X509 client authentication, and my concern is that these directives will cause the client certificate verification, and indeed the entire SSL session negotiation, to be performed anew with every single request.  Is this performance hit a reality?

Thanks,

Rich

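A check for the concern raised above, as an added example that is not part of the thread and not mod_ssl code: mod_ssl exports the negotiated session ID as the SSL_SESSION_ID variable, which CustomLog can record with `%{SSL_SESSION_ID}x`. A client whose successive requests carry the same session ID is resuming the cached session across its short-lived (nokeepalive) connections, and the abbreviated handshake carries no certificates, so the client certificate is not verified again; a client whose session ID changes on every request is paying for a full handshake and a full certificate verification each time. The LogFormat in the comment, the hosts and the log lines below are constructed for the example.

```python
"""Check from an Apache access log whether SSL sessions are being resumed.

Assumed (hypothetical) logging configuration for this check:
    LogFormat "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_SESSION_ID}x" sslsession
    CustomLog logs/ssl_session_log sslsession
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<proto>\S+) (?P<session>\S+)$'
)

# Constructed sample: 10.1.2.3 reuses one session for three HTTP/1.0
# requests, 10.9.9.9 negotiates a new session on every request.
SAMPLE_LOG = [
    '10.1.2.3 [16/May/2007:18:34:01 +0000] "GET /secure/ HTTP/1.0" 200 TLSv1 4f8a1c',
    '10.1.2.3 [16/May/2007:18:34:02 +0000] "GET /secure/app.css HTTP/1.0" 200 TLSv1 4f8a1c',
    '10.1.2.3 [16/May/2007:18:34:02 +0000] "GET /secure/logo.gif HTTP/1.0" 200 TLSv1 4f8a1c',
    '10.9.9.9 [16/May/2007:18:35:10 +0000] "GET /secure/ HTTP/1.0" 200 TLSv1 9b02e7',
    '10.9.9.9 [16/May/2007:18:35:11 +0000] "GET /secure/app.css HTTP/1.0" 200 TLSv1 c31d55',
    '10.9.9.9 [16/May/2007:18:35:11 +0000] "GET /secure/logo.gif HTTP/1.0" 200 TLSv1 7e6a90',
]


def parse(lines):
    """Yield one dict per log line that matches the assumed format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(lines):
    """Per client host: requests seen, distinct session IDs negotiated, and
    how many requests rode on a session already seen for that host
    (i.e. an abbreviated handshake).  A logged "-" means no session ID was
    available and is counted as a fresh session."""
    stats = defaultdict(lambda: {"requests": 0, "sessions": 0, "resumed": 0})
    seen = defaultdict(set)
    for rec in parse(lines):
        host, sid = rec["host"], rec["session"]
        s = stats[host]
        s["requests"] += 1
        if sid != "-" and sid in seen[host]:
            s["resumed"] += 1
        else:
            s["sessions"] += 1
            if sid != "-":
                seen[host].add(sid)
    return dict(stats)


def clients_without_resumption(lines):
    """Hosts that made more than one request and never resumed a session:
    these are the clients doing a full handshake per request."""
    return sorted(h for h, s in summarize(lines).items()
                  if s["requests"] > 1 and s["resumed"] == 0)


if __name__ == "__main__":
    for host, s in sorted(summarize(SAMPLE_LOG).items()):
        print(host, s)
    print("no resumption:", clients_without_resumption(SAMPLE_LOG))
```

Resumption only works while the session is still in the cache, so the result also depends on SSLSessionCache being configured and on SSLSessionCacheTimeout being longer than the gap between a client's requests; a client that shows up in the "no resumption" list with a working cache is genuinely renegotiating on every connection.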
Keller Kind | 17 May 2007 16:35

Problems with CA-Certificates

Hello,
I have two problems with my Apache using mod_ssl and authentication
with client certificates.

1. When Apache is running and I copy a new PEM-encoded
CA certificate into the specified directory (SSLCACertificatePath) and
create the symbolic hash link, no client is able to connect to the
website with a client certificate issued by the copied CA until I
restart the server. Is this a bug? Or is there any way to update the
CA certificates without a restart?

2. The number of CA certificates seems to be limited to ~250. When I use
too many CA certificates in the directory (SSLCACertificatePath), the
SSL message from the server to the client is malformed and no client can
connect. Is this also a bug?

Don't ask me why I need more than 250 CA certificates. It's for a
master's thesis.


Fought, Richard | 17 May 2007 16:44

RE: Problems with CA-Certificates

1. I believe the server reads the CA cert into memory at startup for a
couple of reasons: to prevent unnecessary disk access, and probably as a
security measure as well.  If your cert is password protected, you might
want an admin to type it in and startup is the perfect time to do it.

2. Maybe it is a # of files limitation?  If I'm not mistaken, you can
have more than one certificate in a PEM file.  Maybe try to combine
them.

Rich

Keller Kind | 17 May 2007 17:30

Re: Problems with CA-Certificates

2. Yes, I know that I can have more than one certificate in a PEM file.
That is used for the SSLCACertificateFile option. But this didn't solve
the problem.
There is no difference between having more than 250 single certificate
files or one file with 250 certificates.
In the SSL handshake the server tells the client which CAs it accepts.
This message seems to be malformed when there are too many CAs.
Any ideas...?


Fought, Richard | 17 May 2007 20:56

RE: Problems with CA-Certificates

Looking at the SSL 3.0 spec at
http://wp.netscape.com/eng/ssl3/draft302.txt, there appears to be a size
limit for the list of CA distinguished names ..

     struct {
         CertificateType certificate_types<1..2^8-1>;
         DistinguishedName certificate_authorities<3..2^16-1>;
     } CertificateRequest;

If I interpret the spec correctly, this means 3 - 65535 bytes of data
available for the list of DNs (someone please correct me if I am wrong).

Perhaps you are hitting this limit.

Rich


donal.hanna | 22 May 2007 14:58

re: client certificate authentication and IE friendly errors

Hello,

I'm having a problem with Internet Explorer's "Show friendly HTTP error
messages" in response to a 403 generated by an SSLRequire directive, when
trying client certificate authentication. 

I've come across some information about overriding the browser config by
setting the size of the message [greater than 512 bytes for a 403], which
doesn't appear to work. Unfortunately I can't rely on users having unchecked
this setting in the browser options.

The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq
"SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the
same Location directive. I've combined these because there is a likelihood
that the resource will be accessed by clients without certificates, and I'm
trying to trap this in as friendly a way as possible.

Everything works fine in my testing [good cert, no cert, wrong cert], except
when I try to hit the server with an expired client certificate in IE. Because
of some testing constraints around where I get the certificates from I've been
simulating expiry by adjusting the time on both the desktop and server - just
the client cert is expired at the chosen time; not the issuing CA cert or web
server's.

With an expired client certificate, my ErrorDocument 403 is correctly
displayed if the 'show friendly messages' is unchecked, but the browser shows
a 'page cannot be displayed' error if the setting is enabled. I can't see
anything in the logs to distinguish the two states. A reload on the browser
correctly renders the error.

Is this something that anyone else has come across? I've checked the archives,
and although people have cited problems with friendly errors
[http://marc.info/?l=apache-modssl&m=101554001204754&w=2] the circumstances
seem different.

Is there a saner way of handling the access attempts from browsers attempting
to access the same resource both with and without client certs?

Version info:
- desktop: XP SP2, IE version 6.0.29...
- server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl
0.9.8e

I have the SetEnvIf HTTP_USER_AGENT ".*MSIE.*" ... enabled as per default
config. SSLCACertificateFile has a single entry for the issuing CA.

Thanks,

Donal

