Hello!I'm using Apache 2.2 with mod_ssl. Under the DocumentRoot of my SSL virtual host there is a subdirectory which requires client certificates. It has such .htaccess file:
------ .htaccess ------
SSLVerifyClient Require
SSLVerifyDepth 3
<FilesMatch "\.(shtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>
------ .htaccess ------
This has been working for couple of years. Two weeks ago I upgraded Apache
from 2.2.9 to 2.2.13. After that, Firefox users visiting this directory
started to get this error page:
SSL peer was not expecting a handshake message it received. (Error code: ssl_error_handshake_unexpected_alert)When they click "Try again", the error condition clears and expected page is displayed.
MSIE did not show this behaviour, but when I tried with Firefox 3.0 and 3.5 they both behave the same.
The error message in Apache log is:[error] [client 12.34.56.78] Re-negotiation handshake failed: Not accepted by client!?
Since I didn't know what to do, I copied the section of httpd-ssl.conf which is meant to accommodate MSIE and modified it for Firefox:
BrowserMatch ".*Firefox.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
That made the error go away. I could stop here and be satisfied with that,
but I'm really curious about why this started happening, and most
importantly, of course, who is guilty, Firefox or Apache ;) Or, if this is
a case of PEBKAC, perhaps someone can point out what I'm doing wrong.
-- Toomas ... When an agnostic dies, does he go to the "great perhaps"? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|