SSL renegotiation failing even after enabling SSLInsecureRenegotiation directive.


gaurav jha

Sep 6, 2010, 5:42:34 AM
As would be clear from the post header, I am trying for an insecure SSL renegotiation as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).

My server configuration:
server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a on Ubuntu 10.04.1 LTS

The problem is my handshake goes through successfully, but in the application data stage the client initiates the renegotiation, upon which I get thrown an error and the connection terminates. I did enable the SSLInsecureRenegotiation directive, but the error persists.

The error as received on the client side (as interpreted by the client) is EOF (does not convey much). But the same client, when connected to the earlier version of Apache (2.0.47), works pretty fine.

The error on the server side corresponding to my client request in error.log is:
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation

SSL conf file (vhost configuration in https-ssl.conf):

<VirtualHost 10.225.209.115:543>

# I even tried placing it globally, but with no +ve outcome
SSLInsecureRenegotiation on
DocumentRoot "/usr/local/apache2/htdocs"
ServerName httpsmtpssl.test.intra
ServerAdmin y...@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/NO-PASS-PHRASE"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "/usr/local/apache2/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Can you guys help me with this?
Am I missing something on the server config part, or not using the SSLInsecureRenegotiation directive correctly?

Hope to get some pointers,
Gaurav


Tomas Hoger

Sep 8, 2010, 2:33:41 PM
On Mon, 6 Sep 2010 15:12:34 +0530 gaurav jha wrote:

> The problem is my handshake goes through successfully, but in
> application data stage client initiates the renegotiation upon which
> i get thrown an error and the connection terminates. I did enable
> SSLInsecureRenegotiation directive, but the error persists.

The SSLInsecureRenegotiation setting and RFC 5746 support on the client
side do not matter in your case; current mod_ssl always rejects
client-initiated renegotiation.

th.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org
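An added example, not part of the thread: a small Python parser for the Apache 2.2 error_log lines quoted above, which counts per client IP how often mod_ssl rejected a client-initiated renegotiation (and how often a request arrived without a Host header), so an affected legacy client can be identified from the server log. The sample lines are constructed from the entries quoted in the thread plus one unrelated entry; the regex matches the 2.2 log format shown there, not the 2.4 format.

```python
import re
from collections import Counter, defaultdict

# Apache 2.2 error_log format as quoted in the thread, e.g.
# [Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

# Message fragments taken from the two error_log lines in the thread.
RENEG_REJECT = "rejecting client initiated renegotiation"
NO_HOST = "request without hostname"


def parse_error_line(line):
    """Return a dict with ts/level/client/msg, or None if the line is not a 2.2 error entry."""
    m = ERROR_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count renegotiation rejections and missing-Host requests per client IP."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_error_line(line)
        if rec is None:
            continue
        if RENEG_REJECT in rec["msg"]:
            summary[rec["client"]]["reneg_rejected"] += 1
        elif NO_HOST in rec["msg"]:
            summary[rec["client"]]["missing_host"] += 1
    return {client: dict(counts) for client, counts in summary.items()}


# Constructed sample: the two lines quoted in the thread plus one unrelated entry.
SAMPLE_LOG = """\
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation
[Fri Sep 03 16:20:01 2010] [error] [client 10.225.171.99] File does not exist: /usr/local/apache2/htdocs/favicon.ico
""".splitlines()

if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, counts)
```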
