
Apache "SSL3_ACCEPT:unsafe legacy renegotiation disabled"?


Jason Haar

Apr 1, 2010, 6:11:09 AM
Hi there

We have a CentOS-4.8 server that was upgraded to
httpd-2.0.52-41.ent.7.centos4 this week - along with dependencies like
openssl-0.9.7a and openssl096b

At that moment our client-certificate based authentication Webapp broke :-(

It's really weird. Users running Firefox-3.5+ or Chrome are still
working fine - but MSIE7 and MSIE8 now get that useless MSIE error page
and Apache reports lines like

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Obviously this is related to the SSL renegotiation bugfix - but Google
cannot find anyone else seeing this - so I'm thinking we have something
peculiar to us?

Our Apache config states

<Location ~ "/(ssl_secure/)">
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

So when you attempt to access https://server/ssl_secure/ - you are asked
for your client cert.

We have another section of the site that has "SSLVerifyClient optional"
and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(

Help?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Saju Paul

Apr 1, 2010, 6:50:36 AM
OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl
which also performs safe parameter checks. It is recommended to enable
OptRenegotiate on a per directory basis.

"also performs safe parameter checks" may be the key.
Disable it and check if MSIE likes it.


Chris Clark

Apr 1, 2010, 9:21:49 AM
On Thu, Apr 1, 2010 at 3:11 AM, Jason Haar <Jason...@trimble.co.nz> wrote:
> Hi there
>
> We have a CentOS-4.8 server that was upgraded to
> httpd-2.0.52-41.ent.7.centos4 this week -

You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
Your version is years old.

-Chris

Jason Haar

Apr 1, 2010, 3:10:58 PM
On 04/01/2010 11:50 PM, Saju Paul wrote:
> OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl
> which also performs safe parameter checks. It is recommended to enable
> OptRenegotiate on a per directory basis.
>
> "also performs safe parameter checks" maybe the key.
> disable it and check if MSIE likes it.
>

Nope - didn't make a difference


Jason Haar

Apr 1, 2010, 3:13:37 PM
On 04/02/2010 02:21 AM, Chris Clark wrote:
> You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
> Your version is years old.
>
It is the official version released for CentOS-4.8 this week (which
actually means Redhat too). It wouldn't surprise me if they never tested
the client cert case too well - I certainly don't understand why only
MSIE is having a problem.

Jason Haar

Apr 1, 2010, 5:33:25 PM
On 04/02/2010 08:13 AM, Jason Haar wrote:
> On 04/02/2010 02:21 AM, Chris Clark wrote:
>> You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
>> Your version is years old.
>
OK, this is getting weird... I just created the same directory structure
on a CentOS-5.3 server running httpd-2.2.3-31.el5.centos.4 (which also
only came out this week) and I get EXACTLY the same issue! (ie works
with FF/Chrome - but not MSIE8)

Can someone confirm they see the same issue with

<Location /ssl_secure>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

I'm confused, I don't understand how no-one else seems to see it?
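One way to take the renegotiation out of the picture for the set-up shown in this post and in the opening one, as an added example that is not configuration from the thread or from the CentOS packages: mod_ssl's SSLVerifyClient in a per-directory (Location) context forces a renegotiation after the request has been read, and that mid-session renegotiation is exactly what the patched OpenSSL refuses for a client that does not offer RFC 5746 secure renegotiation; at virtual-host level the certificate is requested in the initial handshake, so no renegotiation is needed. The hostname, port, certificate and CA paths, and DocumentRoot are placeholders.

```apache
# Before (as posted in the thread): client verification is switched on
# per-directory, so mod_ssl must renegotiate the already-established TLS
# session once it knows the request is for /ssl_secure/. A client without
# RFC 5746 support is then rejected by OpenSSL with
# "SSL3_ACCEPT:unsafe legacy renegotiation disabled".
<VirtualHost *:443>
    # placeholder name and paths
    ServerName server.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    <Location /ssl_secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
    </Location>
</VirtualHost>

# After: the client-certificate area gets its own virtual host with
# SSLVerifyClient at vhost level. The CertificateRequest is part of the
# initial handshake, so no renegotiation ever happens and the OpenSSL
# check never fires. Clients that do support secure renegotiation are
# unaffected either way. A separate port is used (placeholder 8443) so that
# the old non-SNI clients in the thread can still reach it.
<VirtualHost *:8443>
    # placeholder name and paths
    ServerName server.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    # vhost-level verification: requested during the first handshake
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StrictRequire +StdEnvVars -ExportCertData

    DocumentRoot /var/www/ssl_secure
</VirtualHost>
```

On httpd 2.0/2.2 with OpenSSL 0.9.7 there is no SNI, so the second vhost needs its own IP address or port rather than just a different ServerName; the "optional" section mentioned in the first post can be handled the same way with SSLVerifyClient optional at vhost level.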
