Comment 1 for bug 1833896

In , Wmperry (wmperry) wrote :

Working on a project and need an LTS version of OpenSSL, which is soon to be 1.1.1. Recompiled apache 2.4.34 against it, and trying to use client certificates shows a 1 minute delay between the handshake completing and the 0-byte SSL_peek() returning in ssl_engine_kernel.c:1033.

Working just fine with OpenSSL 1.1.0 or 1.0.2, also appears to work without a delay using the 1.1.1 openssl s_server command.

Minimal configuration file is:

------------
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
LoadModule unixd_module /usr/lib/apache2/modules/mod_unixd.so
LoadModule mime_module /usr/lib/apache2/modules/mod_mime.so
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so

SSLPassPhraseDialog "exec:......"

LogLevel trace5
ErrorLog /tmp/client-certificates.log
ServerName my.test.com
DocumentRoot /var/www

<Location />
   SSLVerifyClient require
   Require ssl-verify-client
</Location>

Listen 1443
<VirtualHost *:1443>
    SSLEngine on
    SSLCertificateKeyFile "/etc/xxxx.key"
    SSLCertificateFile "/etc/xxxx.cert"
    SSLCertificateChainFile "/etc/xxxx.cert"
    SSLCACertificateFile "/etc/backendca.cert"
</VirtualHost>
------------

The logs from apache itself that show the delay are:

[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
---- delay here ----
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)

There is no delay before the web browser / client prompts for a certificate to use - just between the ssl re-handshake completing and the peek() returning no bytes.
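Added example, not part of the bug report: a small Python check that scans a mod_ssl trace log for the gap described above, i.e. the time between the AH02041 "handshake complete" line and the next zero-byte OpenSSL read on the same thread and client, and flags connections where that gap exceeds a threshold. The first connection in the sample is the pair of lines quoted in the report; the second connection (172.16.1.102) is constructed to show a healthy case that is not flagged.

```python
import re
from datetime import datetime

# Sample log: the two lines quoted in the report plus a constructed healthy
# connection (client 172.16.1.102, ~20 ms gap) that must not be flagged.
SAMPLE_LOG = """\
[Tue Sep 04 18:58:14.886205 2018] [ssl:debug] [pid 2571:tid 140532252661504] ssl_engine_kernel.c(2082): [client 172.16.1.101:53414] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:20.100000 2018] [ssl:debug] [pid 2571:tid 140532244268800] ssl_engine_kernel.c(2082): [client 172.16.1.102:53420] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 04 18:58:20.120000 2018] [ssl:trace4] [pid 2571:tid 140532244268800] ssl_engine_io.c(2204): [client 172.16.1.102:53420] OpenSSL: read 0/5 bytes from BIO#7fd014003b20 [mem: 7fd014003e53] (BIO dump follows)
[Tue Sep 04 18:59:14.944591 2018] [ssl:trace4] [pid 2571:tid 140532252661504] ssl_engine_io.c(2204): [client 172.16.1.101:53414] OpenSSL: read 0/5 bytes from BIO#7fd014002a10 [mem: 7fd014002d43] (BIO dump follows)
"""

# Apache error-log line layout as produced with LogLevel trace5 and mod_ssl.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:(?P<lvl>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?P<src>\S+): \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"
HANDSHAKE_DONE = "AH02041"                        # mod_ssl: handshake finished
ZERO_READ = re.compile(r"OpenSSL: read 0/\d+ bytes")  # the 0-byte peek result


def find_peek_stalls(log_text, threshold_s=5.0):
    """Return [(client, seconds)] for connections whose zero-byte read
    came more than threshold_s after their AH02041 line."""
    pending = {}   # (tid, client) -> time the handshake completed
    stalls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["tid"], m["client"])
        msg = m["msg"]
        if HANDSHAKE_DONE in msg:
            pending[key] = ts
        elif ZERO_READ.search(msg) and key in pending:
            gap = (ts - pending.pop(key)).total_seconds()
            if gap >= threshold_s:
                stalls.append((m["client"], gap))
    return stalls


if __name__ == "__main__":
    for client, gap in find_peek_stalls(SAMPLE_LOG):
        print(f"{client}: {gap:.3f} s between handshake and 0-byte read")
```

Run it against a real log with `find_peek_stalls(open(path).read())`; the 172.16.1.101 connection reports a gap of roughly 60.058 s, matching the report.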