SSL renegotiation failing even after enabling SSLInsecureRenegotiation directive.

[gaurav jha]

As would be clear from the post header, i am trying for an insecure SSL renegotiaion as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).

My server configuration :
server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a on Ubuntu 10.04.1 LTS

The problem is my handshake goes through successfully, but in application data stage client initiates the renegotiation upon which i get thrown an error and the connection terminates. I did enable SSLInsecureRenegotiation directive, but the error persists.

Error as received on the client side ( as interpreted by the client) is EOF (does not convey much). But the same client when connected to the earlier version of APACHE - 2.0.47 works pretty fine.

Error on server side corresponding to my client request in error.log represents :
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation

SSL conf file (vhost configuration in https-ssl.conf ) :

<VirtualHost 10.225.209.115:543>

SSLInsecureRenegotiation on [I even tried placing it globally, but with no +ve outcome]
DocumentRoot "/usr/local/apache2/htdocs"
ServerName httpsmtpssl.test.intra
ServerAdmin y...@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/NO-PASS-PHRASE"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog "/usr/local/apache2/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Can you guys, help me with this ?
Am i missing something on the server config part or not using the SSLInsecureRenegotiation directive correctly ?

Hope to get some pointers,
Gaurav

[Tomas Hoger]

On Mon, 6 Sep 2010 15:12:34 +0530 gaurav jha wrote:

> The problem is my handshake goes through successfully, but in
> application data stage client initiates the renegotiation upon which
> i get thrown an error and the connection terminates. I did enable
> SSLInsecureRenegotiation directive, but the error persists.

SSLInsecureRenegotiation setting and RFC 5746 support on the client
side do not matter in your case, current mod_ssl always rejects client
initiated renegotiation.

th.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org