[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 62691] OpenSSL 1.1.1 and client-certificate renegotiation causes 1 minute delay


--- Comment #4 from Rainer Jung <rainer.jung@xxxxxxxxxxx> ---
Thanks for the logs. I can't currently promise to work on it myself, but some

- the branch tlsv1.3-for-2.4.x has been merged just 3 days ago into the normal
2.4.x branch. So any further tests can be done against the normal branch,
unless something needs to get tested which might only exist in trunk, in which
case that would b the right source. The tlsv1.3-for-2.4.x should probably
considered stale starting now.

- what was the client you tested with?

- just to make sure: the hang only happens when "RE"negotation occurs due to
the VHost having different TLS config than the URI on that VHost that you are
trying to access (eg. the access to the VHost is not protected by client certs,
but some URLs are). To phrase it differently: when all of the vhost uses the
same ssl config including client certs, ciphers etc., then no hang occurs?

- As far as I understand this situation, previously handled by renegotiation,
gets handled in OpenSSL 1.1.1 by a post-handshake-authentication (PHA)
extension and support for PHA is not yet clear for all clients. Especially
clients using OpenSSL as their client TLS stack need to explicitly turn on PHA
when using OpenSSL 1.1.1. But that's only what I think I understood from other

Thanks and regards,


You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx