We have a WSP of our client's WS, and use a forward SSL Proxy Profile for the back-side connection. The client is using Apache HTTPD server, and, the way they explain it to me is, they don't do the mutual authentication until after they receive the message payload from us.
When the payload is a large message, their Apache is failing with "request body exceeds maximum size (131072) for SSL buffer", and "could not buffer message body to allow SSL renegotiation to proceed".
The client is asking us to fix our side to somehow force the mutual authentication exchange on the original SSL negotiation, so their Apache won't fail.
The way I understand it is, the server is in control here. So their request hits me as backwards. That is, they should increase their buffer.
Is there some kind of way for me to setup the forward profile to force our cert to their server for mutual auth?
This topic has been locked.
2 replies Latest Post - 2012-12-13T22:26:01Z by SystemAdmin
Pinned topic SSL mutual auth failing due to Apache buffer overrun
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2012-12-13T22:26:01Z at 2012-12-13T22:26:01Z by SystemAdmin
inestlerode 270001CUTT166 PostsACCEPTED ANSWER
Re: SSL mutual auth failing due to Apache buffer overrun2012-12-13T22:24:23Z in response to SystemAdminYour understanding is correct and what they are asking for is impossible. No SSL client can unilaterally offer client auth credentials to the SSL server. The SSL protocol says that the SSL client cannot present its credentials until after the SSL server asks for them. So this is something that they need to fix on their SSL server; not on DataPower.