
[Bug 62691] New: OpenSSL 1.1.1 and client-certificate renegotiation causes 1 minute delay

            Bug ID: 62691
           Summary: OpenSSL 1.1.1 and client-certificate renegotiation
                    causes 1 minute delay
           Product: Apache httpd-2
           Version: 2.4.34
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: wmperry@xxxxxxxxx
  Target Milestone: ---

Working on a project and need an LTS version of OpenSSL, which is soon to be
1.1.1.  Recompiled apache 2.4.34 against it and trying to use client
certificates shows a 1 minute delay between the handshake completing and the
0-byte SSL_peek() in ssl_engine_kernel.c:1033 returning.

Working just fine with OpenSSL 1.1.0 or 1.0.2, also appears to work without a
delay using the 1.1.1 openssl s_server command.

Minimal configuration file is:

LoadModule ssl_module           /usr/lib/apache2/modules/
LoadModule mpm_event_module     /usr/lib/apache2/modules/
LoadModule unixd_module         /usr/lib/apache2/modules/
LoadModule mime_module          /usr/lib/apache2/modules/
LoadModule authz_core_module    /usr/lib/apache2/modules/

SSLPassPhraseDialog "exec:......"

LogLevel trace5
ErrorLog /tmp/client-certificates.log
DocumentRoot /var/www

<Location />
   SSLVerifyClient require
   Require ssl-verify-client
</Location>

Listen 1443
<VirtualHost *:1443>
    SSLEngine on
    SSLCertificateKeyFile "/etc/xxxx.key"
    SSLCertificateFile "/etc/xxxx.cert"
    SSLCertificateChainFile "/etc/xxxx.cert"
    SSLCACertificateFile "/etc/backendca.cert"
</VirtualHost>

The logs from apache itself that show the delay are:

[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504]
ssl_engine_kernel.c(2082): [client] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) 
---- delay here ---- 
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504]
ssl_engine_io.c(2204): [client] OpenSSL: read 0/5 bytes from
BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)

There is no delay before the web browser / client prompts for a certificate to
use - just between the ssl re-handshake completing and the peek() returning no
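The report above locates the stall between the AH02041 "handshake complete" line and the next OpenSSL read trace on the same worker thread. The script below is an added example, not part of the bug report or of httpd: it scans an httpd error log written at LogLevel trace4 or higher (default ErrorLogFormat assumed), pairs each AH02041 line with the next "OpenSSL: read" line on the same pid:tid, and reports the elapsed time, so the 60 s gap can be measured rather than eyeballed. The sample log is constructed: the two lines quoted in the report joined back onto single lines, plus a second, fast thread invented for contrast.

```python
"""Measure the gap between mod_ssl (re)handshake completion and its next read.

Added example (not httpd code and not from the bug report). Assumes the default
httpd ErrorLogFormat, i.e. "[Tue Sep 04 18:58:14.886205 2018] [ssl:debug]
[pid N:tid M] message".
"""
import re
from datetime import datetime

# Timestamp as written by httpd's default ErrorLogFormat.
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] (?P<msg>.*)$"
)

HANDSHAKE_DONE = "AH02041"     # logged by ssl_engine_kernel.c once negotiation finishes
SSL_READ = "OpenSSL: read "    # BIO read trace logged by ssl_engine_io.c at trace4


def parse_line(line):
    """Split one error-log line into timestamp, worker key (pid:tid) and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "key": m.group("pid") + ":" + m.group("tid"),
        "msg": m.group("msg"),
    }


def handshake_to_read_gaps(lines):
    """Return [(pid:tid, seconds)] for every AH02041 -> next OpenSSL read on the same thread."""
    pending = {}   # pid:tid -> timestamp of the last handshake-complete line
    gaps = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if HANDSHAKE_DONE in rec["msg"]:
            pending[rec["key"]] = rec["ts"]
        elif SSL_READ in rec["msg"] and rec["key"] in pending:
            start = pending.pop(rec["key"])
            gaps.append((rec["key"], (rec["ts"] - start).total_seconds()))
    return gaps


def slow_handshakes(lines, threshold_seconds=5.0):
    """Only the pairs whose gap reaches the threshold (the stalls worth investigating)."""
    return [(key, secs) for key, secs in handshake_to_read_gaps(lines) if secs >= threshold_seconds]


# Constructed sample: the report's two lines (re-joined onto single lines) and a
# second, fast worker thread added for contrast.
SAMPLE_LOG = """\
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:15.001000 2018] [ssl:debug] [pid 2571:tid 140532244268800] ssl_engine_kernel.c(2082): [client] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:15.004000 2018] [ssl:trace4] [pid 2571:tid 140532244268800] ssl_engine_io.c(2204): [client] OpenSSL: read 5/5 bytes from BIO#7fd014003000 [mem: 7fd014003100] (BIO dump follows)
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
"""


if __name__ == "__main__":
    for key, secs in handshake_to_read_gaps(SAMPLE_LOG.splitlines()):
        print(f"{key}: {secs:.3f}s from handshake complete to next read")
    for key, secs in slow_handshakes(SAMPLE_LOG.splitlines()):
        print(f"STALL {key}: {secs:.1f}s")
```

Run it against the real ErrorLog (the report's /tmp/client-certificates.log) after reproducing with a client certificate; a gap of roughly 60 s on the thread that logged the renegotiation, while other threads read within milliseconds, confirms the stall sits after the handshake rather than in the certificate prompt.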
