Working on a project and need an LTS version of OpenSSL, which is soon to be 1.1.1. Recompiled apache 2.4.34 against it, and trying to use client certificates shows a 1 minute delay between the handshake completing and the 0-byte SSL_peek() in ssl_engine_kernel.c:1033 returning.
It works just fine with OpenSSL 1.1.0 or 1.0.2, and also appears to work without a delay using the 1.1.1 openssl s_server command.
There is no delay before the web browser / client prompts for a certificate to use - just between the SSL re-handshake completing and the peek() returning no bytes.
Minimal configuration file is:
------------
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
LoadModule unixd_module /usr/lib/apache2/modules/mod_unixd.so
LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so
SSLPassPhraseDialog "exec:......"
LogLevel trace5
ErrorLog /tmp/client-certificates.log
ServerName my.test.com
DocumentRoot /var/www
<Location />
SSLVerifyClient require
Require ssl-verify-client
</Location>
Listen 1443
<VirtualHost *:1443>
SSLEngine on
SSLCertificateKeyFile "/etc/xxxx.key"
SSLCertificateFile "/etc/xxxx.cert"
SSLCertificateChainFile "/etc/xxxx.cert"
SSLCACertificateFile "/etc/backendca.cert"
</VirtualHost>
------------
The logs from apache itself that show the delay are:
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
---- delay here ----
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
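As an added example (not part of the original report), the following Python script parses mod_ssl trace lines in the format shown above and reports, per client, how long elapsed between the AH02041 "handshake complete" line and the next OpenSSL read on the same connection. The two sample lines are constructed from the post's format and reproduce the roughly 60 s gap it describes; the 5 s threshold is an assumed value.

```python
"""Measure the gap between a completed TLS handshake (AH02041) and the next
SSL read for the same client in an Apache mod_ssl trace log.
Added example, not from the original report."""
import re
from datetime import datetime

# Constructed sample lines in the mod_ssl trace format shown in the post.
SAMPLE_LOG = """\
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
"""

# Timestamp, level, pid/tid, source file, client address and free-form message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[ssl:(?P<level>\w+)\] \[pid \d+:tid \d+\] (?P<src>\S+): "
    r"\[client (?P<client>[\d.:]+)\] (?P<msg>.*)$"
)


def parse_ts(ts):
    """Parse the Apache error-log timestamp, including microseconds."""
    return datetime.strptime(ts, "%a %b %d %H:%M:%S.%f %Y")


def handshake_gaps(log_text, threshold_s=5.0):
    """Return {client: seconds} for each client whose first OpenSSL read after
    an AH02041 handshake-complete line arrived more than threshold_s later
    (threshold is an assumed value, not from the post)."""
    pending = {}  # client -> timestamp of its most recent AH02041 line
    gaps = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, msg = m["client"], parse_ts(m["ts"]), m["msg"]
        if "AH02041" in msg:
            pending[client] = ts
        elif client in pending and msg.startswith("OpenSSL: read"):
            gap = (ts - pending.pop(client)).total_seconds()
            if gap > threshold_s:
                gaps[client] = gap
    return gaps


if __name__ == "__main__":
    for client, gap in handshake_gaps(SAMPLE_LOG).items():
        print(f"{client}: {gap:.3f}s between handshake completion and next read")
```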