Hello Henrik,

sorry for not responding for such a long time - I was busy with some other stuff.
I made a simple patch which
sets SSL_CTX_set_session_id_context(). Now client auth works with both
Mozilla and Explorer. Let me
know what you think.

--- ssl_support.cc 2004-04-27 14:57:14.000000000 +0200
+++ ssl_support.cc.ORIG 2003-04-20 00:19:45.000000000 +0200
@@ -419,7 +419,6 @@
SSL_METHOD *method;
SSL_CTX *sslContext;
long fl = ssl_parse_flags(flags);
- const unsigned char sid_ctx = 999;

ssl_initialize();

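Review bot: `const unsigned char sid_ctx = 999;` cannot hold 999; the initializer is narrowed to 231 (999 mod 256), so the context ends up as one arbitrary byte. Use a short byte string that identifies this Squid instance, for example `static const unsigned char sid_ctx[] = "squid";`, keep it within OpenSSL's SSL_MAX_SID_CTX_LENGTH (32 bytes), and pass `sizeof(sid_ctx)` of that array. Separately, the file header lists `ssl_support.cc` under `---` and `ssl_support.cc.ORIG` under `+++`, so the diff is reversed: the `-` lines here are in fact the additions. Regenerate it as `diff -u ssl_support.cc.ORIG ssl_support.cc` so it applies with `patch` without `-R`.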
@@ -467,12 +466,6 @@
ERR_error_string(ssl_error, NULL));
}

- /* by David Hajek */
- if (!SSL_CTX_set_session_id_context(sslContext, &sid_ctx,
sizeof(sid_ctx))){
- ssl_error = ERR_get_error();
- fatalf("Failed to set session resumption :
%s\n",ERR_error_string(ssl_error, NULL));
- }
-
SSL_CTX_set_options(sslContext, ssl_parse_options(options));

if (cipher) {
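Review bot: the fatalf message "Failed to set session resumption" names the wrong thing; the call sets the session id context, so report "Failed to set session id context: %s" instead (the ERR_get_error()/ERR_error_string() pattern already matches the error handling visible just above in this hunk). The `/* by David Hajek */` comment should state why the call is needed rather than who added it: client certificate verification fails on resumed sessions when no session id context is set, which is the Mozilla/Explorer failure the covering message says this patch fixes. The `if (!SSL_CTX_set_session_id_context(...))` check itself is correct, since the function returns 1 on success and 0 on failure.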
@@ -575,9 +568,6 @@
if (fl & SSL_FLAG_DONT_VERIFY_DOMAIN)
SSL_CTX_set_ex_data(sslContext,
ssl_ctx_ex_index_dont_verify_domain, (void *) -1);

-
-
-
return sslContext;

error:
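Review bot: this hunk only adds three blank lines before `return sslContext;` and should be dropped from the patch; a whitespace-only change has no effect on the fix and makes the diff noisier to review and to apply.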

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Thursday, March 04, 2004 7:46 AM
> To: David Hajek
> Cc: 'Henrik Nordstrom'; squid-users@squid-cache.org
> Subject: RE: [squid-users] client auth with SSL certificate
>
> On Thu, 4 Mar 2004, David Hajek wrote:
>
> > Well, it seems that correct session handling in SSL is not easy. It
> > seems that 255 sessions are cached for each SSL_CTX by default, even
> > if the session_id_context is not set. That's probably why Mozilla
> > complains. So I think we have two options here:
>
> All the versions used in development allow caching for far
> more than 255 sessions, and the documentation says that the
> session id context is only required for using offline
> caching. There is automatic session maintenance every 255
> connections, but removal is based on expiry, not number.
>
> My guess at what happens is that the version of Mozilla used
> blindly assumes there is a session id context, and as a result
> its session resumption messages are "odd". To get a better
> understanding of what Mozilla does causing it to fail please
> use ssldump.
>
> > 1/ Disable SSL session caching by calling
> > SSL_CTX_set_session_cache_mode ( SSL_SESS_CACHE_OFF )
>
> You certainly do not want to forcibly disable the session
> cache as this cache is required for session resumption. If
> you disable this there will be an RSA handshake on each new connection.
>
> Having an option to disable session resumption is good
> however in situations where you are short on memory.
>
> > 2/ Enable internal OpenSSL session caching by calling
> > SSL_CTX_set_session_id_context().
>
> My understanding is that this is only required when using an
> external session cache, which Squid is not.
>
> > But then it seems we have to (manually) add each session to the
> > internal OpenSSL cache by calling SSL_CTX_add_session( ).
>
> My understanding is that this should only be required if you
> also disable the automatic caching by calling
> SSL_CTX_set_session_cache_mode.
>
> Which versions of Mozilla and OpenSSL are you using?
>
> Regards
> Henrik
>
>
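As an added illustration of the session id context discussed in this thread (my own example, not Squid's code and not David's patch): a hypothetical helper that builds the context from two string labels and rejects any that would exceed OpenSSL's 32-byte limit, alongside the narrowing that turns the patch's `999` into a single byte. SSL_MAX_SID_CTX_LENGTH is the real constant from `<openssl/ssl.h>`, redefined here only so the file compiles without the OpenSSL headers; the labels "squid" and "127.0.0.1:443" are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Real OpenSSL limit from <openssl/ssl.h>; redefined here only so this
 * example builds without the OpenSSL headers (assumption: 32 bytes, as
 * in the OpenSSL releases the author is aware of). */
#ifndef SSL_MAX_SID_CTX_LENGTH
#define SSL_MAX_SID_CTX_LENGTH 32
#endif

/* What the patch's `const unsigned char sid_ctx = 999;` actually stores:
 * the initializer is narrowed to 999 mod 256 = 231, one arbitrary byte. */
unsigned char narrowed_to_byte(int value)
{
    return (unsigned char)value;
}

/* Build a session id context "app:instance" (hypothetical helper, not part
 * of Squid).  Writes into out, which must hold SSL_MAX_SID_CTX_LENGTH bytes,
 * and returns the number of bytes written, or 0 if app is empty or the
 * combined label would exceed the OpenSSL limit.  The buffer is not
 * NUL-terminated: SSL_CTX_set_session_id_context() takes an explicit length. */
unsigned int make_sid_ctx(const char *app, const char *instance,
                          unsigned char out[SSL_MAX_SID_CTX_LENGTH])
{
    size_t app_len = strlen(app);
    size_t inst_len = strlen(instance);
    size_t need = app_len + 1 + inst_len;

    if (app_len == 0 || need > SSL_MAX_SID_CTX_LENGTH)
        return 0;
    memcpy(out, app, app_len);
    out[app_len] = ':';
    memcpy(out + app_len + 1, instance, inst_len);
    return (unsigned int)need;
}

/* Length the context would have for these labels, 0 if rejected. */
unsigned int sid_ctx_len(const char *app, const char *instance)
{
    unsigned char tmp[SSL_MAX_SID_CTX_LENGTH];
    return make_sid_ctx(app, instance, tmp);
}

int main(void)
{
    unsigned char ctx[SSL_MAX_SID_CTX_LENGTH];
    /* Constructed sample labels: the application name and the listening
     * address this SSL_CTX serves. */
    unsigned int len = make_sid_ctx("squid", "127.0.0.1:443", ctx);

    if (len == 0) {
        fprintf(stderr, "session id context does not fit in %d bytes\n",
                SSL_MAX_SID_CTX_LENGTH);
        return 1;
    }
    /* In ssl_support.cc this pair is what would be handed to
     * SSL_CTX_set_session_id_context(sslContext, ctx, len). */
    printf("sid_ctx (%u bytes): %.*s\n", len, (int)len, (const char *)ctx);
    printf("unsigned char holding 999 reads back as %u\n",
           (unsigned int)narrowed_to_byte(999));
    return 0;
}
```

The context only has to be the same for every SSL_CTX that should share resumed sessions and different from what unrelated applications use, so a readable label such as the one built here is enough; what matters is that the length passed to SSL_CTX_set_session_id_context() is the real length of the buffer and stays within the 32-byte limit, which the helper enforces.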