OSSP CVS Repository

ossp - Ticket #46

Ticket 46: Cannot find peer certificate chain

I'm using the following components:

I've configured: SSLSessionCache shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)

The problem only occurs if we use client certs. If we do multiple requests on the same SSL session then I get an error the first time the request is handled by the same Apache child that has stored the SSL session ID in the cache. All other children can access the cache without problems.

trace output in ssl_engine_log (debug level does not provide better info):

[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received for child 0 (server airlock_baumi.ergon.ch:4442)
[21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will force quick renegotiation
[21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation finished successfully
[21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with standard shutdown (server airlock_baumi.ergon.ch:4442, client 192.168.167.99)

I wonder about the "Cannot find peer certificate chain" and then the "SSL negotiation finished successfully". hmmm.

If we use dbm instead of shmcb then this problem does not occur.

Thanks for your help
Erwin Huber
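The failure pattern in the trace above, as an added example that is not part of this ticket, of mod_ssl or of OSSP mm: a small Python parser for ssl_engine_log trace lines that groups them per child PID, decides from the OpenSSL state names whether a handshake was an abbreviated (resumed) one, and flags connections where a quick renegotiation then logged "Cannot find peer certificate chain" while the write path still reported success. The sample log embeds the ticket's own trace for child 01201 and adds two constructed handshakes (children 01202 and 01203) for contrast; the "resumed" heuristic (ChangeCipherSpec written directly after ServerHello, with no certificate or key-exchange states in between) is this example's own assumption, since mod_ssl does not log resumption explicitly.

```python
"""Flag resumed TLS sessions whose quick renegotiation failed to find the
peer certificate chain, from Apache 1.3 / mod_ssl ssl_engine_log trace output.
Added example; parsing and the 'resumed' heuristic are this script's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shape: [dd/Mon/yyyy hh:mm:ss pid] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>\S+ \S+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
LOOP_PREFIX = "OpenSSL: Loop: "
CLIENT_IP_PREFIX = "Connection: Client IP: "


@dataclass
class Handshake:
    pid: str
    started: str
    steps: List[str] = field(default_factory=list)  # OpenSSL state names, in order
    client_ip: Optional[str] = None
    renegotiated: bool = False   # "Performing quick renegotiation" seen
    chain_error: bool = False    # "Cannot find peer certificate chain" seen
    reported_ok: bool = False    # "SSL negotiation finished successfully" seen

    @property
    def resumed(self) -> bool:
        """Heuristic (assumption): an abbreviated handshake writes ChangeCipherSpec
        straight after ServerHello; a full one writes certificate/server done first."""
        for prev, nxt in zip(self.steps, self.steps[1:]):
            if prev == "SSLv3 write server hello A":
                return nxt == "SSLv3 write change cipher spec A"
        return False

    @property
    def client_cert_in_handshake(self) -> bool:
        return "SSLv3 read client certificate A" in self.steps

    @property
    def contradictory(self) -> bool:
        """The oddity the ticket points at: error logged, then 'finished successfully'."""
        return self.chain_error and self.reported_ok


def parse_log(text: str) -> List[Handshake]:
    """Group trace lines by child PID, one Handshake per 'Handshake: start'."""
    handshakes: List[Handshake] = []
    open_by_pid: Dict[str, Handshake] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg == "OpenSSL: Handshake: start":
            hs = Handshake(pid=pid, started=m["ts"])
            open_by_pid[pid] = hs
            handshakes.append(hs)
            continue
        hs = open_by_pid.get(pid)
        if hs is None:
            continue  # lines before any handshake on this child are ignored
        if msg.startswith(LOOP_PREFIX):
            hs.steps.append(msg[len(LOOP_PREFIX):])
        elif msg.startswith(CLIENT_IP_PREFIX):
            hs.client_ip = msg[len(CLIENT_IP_PREFIX):].split(",")[0]
        elif msg.startswith("Performing quick renegotiation"):
            hs.renegotiated = True
        elif msg == "Cannot find peer certificate chain":
            hs.chain_error = True
        elif "SSL negotiation finished successfully" in msg:
            hs.reported_ok = True
    return handshakes


def suspect_resumptions(handshakes: List[Handshake]) -> List[Handshake]:
    """The ticket's symptom: resumed session, quick renegotiation, chain lookup failed."""
    return [h for h in handshakes if h.resumed and h.renegotiated and h.chain_error]


# Constructed sample: child 01201 is the ticket's own trace (irrelevant info lines
# dropped); children 01202 (full handshake with client cert) and 01203 (resumed,
# renegotiation fine) are constructed for contrast.
SAMPLE_LOG = """\
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation finished successfully
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 write certificate A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 write server done A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 read client certificate A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:20 01202] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:21 01203] [trace] Performing quick renegotiation: just re-verifying the peer
[21/Apr/2004 09:48:21 01203] [trace] OpenSSL: Write: SSL negotiation finished successfully
"""

if __name__ == "__main__":
    for h in suspect_resumptions(parse_log(SAMPLE_LOG)):
        print(f"child {h.pid} at {h.started}: resumed session from {h.client_ip}, "
              f"chain lookup failed during quick renegotiation"
              f"{' (yet reported success)' if h.contradictory else ''}")
```

Run against a real ssl_engine_log, a hit on exactly one child while other children serve the same resumed session cleanly is the shmcb-versus-dbm difference the ticket describes; with trace-level logging this is the only place the failure surfaces, since the client sees a completed renegotiation.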


Remarks:

Properties:

Type: code
Version: 1.3.0
Status: new
Created: 2004-Apr-21 16:12
Severity:
Last Change: 2004-Apr-21 16:12
Priority:
Subsystem: mm
Assigned To: rse
Derived From:
Creator: anonymous

CVSTrac 2.0.1