[Mod_nss-list] hello, and problem 1

Jennings, Jared L CTR USAF AFMC 46 SK/CCI jared.jennings.ctr at eglin.af.mil
Mon May 9 19:39:08 UTC 2011


> So I have no a priori evidence that a client cert was presented in the
> second connection, but I think there was a client cert. I'll see if I
> can make that more sure.

I've added a bunch of debug logging statements.

In nss_hook_pre_connection (mod_nss.c:361 or so), right after the local
variable ssl is set up, the options SSL_REQUEST_CERTIFICATE and
SSL_REQUIRE_CERTIFICATE are successfully passed from mctx->model to ssl.
Both are true in all new sockets with my configuration.

A bit farther down, we SSL_ResetHandshake. Apparently the handshake
happens in between the creation of the socket and the time when we can
receive a request over it, and all the necessary inputs from mod_nss
during the handshake process are handled with hook functions. One among
these is nss_AuthCertificate (nss_engine_io.c:1373 or so), which is set
as the SSL_AuthCertificateHook. During the first connection, this hook
happens: I put a log call in it and the message shows up. During ensuing
connections, the hook does not happen. By the time of nss_hook_ReadReq
(nss_engine_kernel.c:81 or so, "Log information about incoming HTTPS
requests") there is no sslconn->client_cert.

Subsequent requests over the first connection (via keepalives) work
fine; only after the connection is closed, and another connection is
made, is there no client certificate. I tested this using httpd -X to
eliminate multiple-process issues from consideration. Also tried turning
off keepalives; that makes the problem appear immediately.

When I use the NSS tstclnt, it works right every time I've tried it.
With Firefox, when I take out my smartcard and put it back in, it works
right. When I leave the card in, that's when it fails.

Enough with Firefox. I decided to try it with IE. Trying to visit one
page takes seven connections; the nss_AuthCertificate happens in two of
those seven. What a mess.

In fine, I'm not any surer whether a certificate is presented or not
than before writing this email: the actual request for the certificate
and the actual provision of the certificate are happening at a lower
level than I'm observing, inside NSS.
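One way to settle the question the message leaves open (was a certificate actually requested and presented on the second connection?) is to look at the handshake on the wire instead of at mod_nss's hooks. The following script is an added example, not code from the original message or from mod_nss/NSS. It parses TLS 1.0-1.2 handshake records of one connection and reports three things: whether the server sent a CertificateRequest, whether the client answered with a non-empty Certificate message, and whether the ServerHello echoed the ClientHello's session ID, which marks an abbreviated (resumed) handshake in which no Certificate messages are exchanged at all. The handshake bytes used as input are constructed inline to exercise both cases; in practice you would feed it the records of a capture (for example from tcpdump on port 443) split by direction.

```python
"""Wire-level check for TLS client-certificate negotiation (TLS 1.0-1.2).

Added example; the sample handshakes below are constructed, not captured.
"""
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, CERTIFICATE_REQUEST = 1, 2, 11, 13


def handshake_messages(record: bytes):
    """Yield (msg_type, body) for every handshake message in one TLS record."""
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + length:
        raise ValueError("not a complete handshake record")
    payload, pos = record[5:], 0
    while pos < len(payload):
        msg_type = payload[pos]
        msg_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + msg_len]
        if len(body) != msg_len:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + msg_len


def hello_session_id(body: bytes) -> bytes:
    """Session ID of a ClientHello/ServerHello: version(2) random(32) len(1) id."""
    sid_len = body[34]
    return body[35:35 + sid_len]


def certificate_count(body: bytes) -> int:
    """Number of certificates in a Certificate message (3-byte length prefixes)."""
    total = int.from_bytes(body[:3], "big")
    pos, count = 3, 0
    while pos < 3 + total:
        pos += 3 + int.from_bytes(body[pos:pos + 3], "big")
        count += 1
    return count


def analyse(records):
    """records: list of (direction, record_bytes); direction is 'C' or 'S'."""
    result = {"resumed": False, "cert_requested": False, "client_cert_count": 0}
    client_sid = server_sid = None
    for direction, record in records:
        for msg_type, body in handshake_messages(record):
            if direction == "C" and msg_type == CLIENT_HELLO:
                client_sid = hello_session_id(body)
            elif direction == "S" and msg_type == SERVER_HELLO:
                server_sid = hello_session_id(body)
            elif direction == "S" and msg_type == CERTIFICATE_REQUEST:
                result["cert_requested"] = True
            elif direction == "C" and msg_type == CERTIFICATE:
                result["client_cert_count"] = certificate_count(body)
    # A server that echoes a non-empty client session ID is resuming the session.
    result["resumed"] = bool(client_sid) and client_sid == server_sid
    return result


# --- constructed sample handshakes (not real captures) -----------------------
def _hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(*msgs):
    payload = b"".join(msgs)
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload


def _hello(session_id, server):
    body = b"\x03\x03" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
    # ServerHello: chosen suite + compression; ClientHello: suite list + comp list
    return body + (b"\x00\x2f\x00" if server else b"\x00\x02\x00\x2f\x01\x00")


def _certificate(*certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


SID = b"\x11" * 32
DUMMY_CERT = b"\x30\x03\x02\x01\x01"  # placeholder DER, not a real certificate

# Full handshake: server requests a certificate, client presents one.
FULL_HANDSHAKE = [
    ("C", _record(_hs(CLIENT_HELLO, _hello(b"", False)))),
    ("S", _record(_hs(SERVER_HELLO, _hello(SID, True)),
                  _hs(CERTIFICATE, _certificate(DUMMY_CERT)),
                  _hs(CERTIFICATE_REQUEST, b"\x01\x01\x00\x00"))),
    ("C", _record(_hs(CERTIFICATE, _certificate(DUMMY_CERT)))),
]

# Abbreviated handshake: server echoes the session ID, no Certificate messages.
RESUMED_HANDSHAKE = [
    ("C", _record(_hs(CLIENT_HELLO, _hello(SID, False)))),
    ("S", _record(_hs(SERVER_HELLO, _hello(SID, True)))),
]

if __name__ == "__main__":
    print("full:   ", analyse(FULL_HANDSHAKE))
    print("resumed:", analyse(RESUMED_HANDSHAKE))
```

If the second connection in a capture comes out as `resumed`, no CertificateRequest or client Certificate message will be visible for it, so a log line placed only in a hook that runs during the full handshake cannot tell you whether the client holds a certificate; the client's identity for that connection comes from the cached session, not from a freshly sent certificate. If instead the capture shows a full handshake with a CertificateRequest but a Certificate message carrying zero certificates, the client declined to present one.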
