SystemAdmin

SSL mutual auth failing due to Apache buffer overrun

2012-12-13T20:39:36Z
We have a WSP of our client's WS, and use a forward SSL Proxy Profile for the back-side connection. The client is using Apache HTTPD server, and the way they explain it to me is that they don't do the mutual authentication until after they receive the message payload from us.

When the payload is a large message, their Apache is failing with "request body exceeds maximum size (131072) for SSL buffer", and "could not buffer message body to allow SSL renegotiation to proceed".

The client is asking us to fix our side to somehow force the mutual authentication exchange on the original SSL negotiation, so their Apache won't fail.

The way I understand it is, the server is in control here. So their request hits me as backwards. That is, they should increase their buffer.

Is there some kind of way for me to set up the forward profile to force our cert to their server for mutual auth?
Updated on 2012-12-13T22:26:01Z by SystemAdmin
  • inestlerode
    ACCEPTED ANSWER

    Re: SSL mutual auth failing due to Apache buffer overrun

    2012-12-13T22:24:23Z  in response to SystemAdmin
    Your understanding is correct and what they are asking for is impossible. No SSL client can unilaterally offer client auth credentials to the SSL server. The SSL protocol says that the SSL client cannot present its credentials until after the SSL server asks for them. So this is something that they need to fix on their SSL server, not on DataPower.
    • SystemAdmin

      Re: SSL mutual auth failing due to Apache buffer overrun

      2012-12-13T22:26:01Z  in response to inestlerode
      OK. Thanks. This is what I thought, too, and was just making sure there wasn't something about the protocol I didn't know.
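
The server-side fix the answer points to, sketched as an added Apache mod_ssl configuration example; it is not from the thread or from the client's actual setup. It assumes the client's server requests the certificate per location (which forces a renegotiation after the request arrives), and the host name, file paths and the `/ws` location are placeholders.

```apache
# Constructed example: load only ONE of the two virtual hosts below.

# BEFORE: the initial handshake carries no CertificateRequest, so the TLS
# client cannot send its certificate. The per-location "require" makes
# mod_ssl renegotiate after the request has arrived, and it must hold the
# request body in memory while it does so. The limit is SSLRenegBufferSize
# (default 131072 bytes), the figure in the quoted error message.
<VirtualHost *:443>
    ServerName ws.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt

    SSLVerifyClient none
    <Location /ws>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# AFTER (option A): ask for the client certificate at virtual-host level.
# The server then sends CertificateRequest in the first handshake, the
# client answers with its certificate before any HTTP data is sent, and
# no renegotiation or body buffering is needed.
<VirtualHost *:443>
    ServerName ws.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  2

    # Option B, only if per-location verification must stay: raise the
    # renegotiation buffer instead. Each request can then hold up to this
    # many bytes in memory before the client has authenticated.
    # <Location /ws>
    #     SSLVerifyClient    require
    #     SSLRenegBufferSize 10485760
    # </Location>
</VirtualHost>
```

Option A is the only variant that changes when the certificate is exchanged; option B keeps the late renegotiation and only moves the size at which it fails.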