Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

procmail change subject header, wwwXxx not20, Wwwxxx.doks sas, linux raid resync after reboot, bind-address mysql multiple, sanibleone xxxx, ftp://192.168.100.100/, www.xxxcon, which comes first ob_start or session, wwwxxx/58/2010

Links

XODOX
Impressum

#1: Client certificate do not work / renegociate

Posted on 2010-03-29 20:14:13 by developer

Hello,
In a host where client certificate is optional and in some directories
requirement. Server is SNI, and this configuration works fine before
SNI.

> <VirtualHost *:443 >
> SSLVerifyClient optional
>
<Location "/certrequirement">
> SSLVerifyClient require
</Location>
....

I use SNI client (firefox) with client certificate that works on optional locations but do not in certrequirement location.


> [info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
> [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation, referer: http:
> [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
> [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol, referer: http
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
> [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
> [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 [mem: 7f4325577083] (BIO dump follows)
> [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
> [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
> [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/


> openssl-1.0.0-0.13.beta4.fc12.x86_64
> httpd-2.2.14-1.fc12.x86_64
> mod_ssl-2.2.14-1.fc12.x86_64


Anyone knows where is the problem?
Why do not work in required, and do the job in optional?


--
http://www.1pc.es/


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Report this message

#2: Re: Client certificate do not work / renegociate

Posted on 2010-03-30 10:03:23 by James Blond

Hi,
That is not a bug, it is a feature! With the TLS renegotiation there
is a theoretical man-in-the-middle-attack possible. To prevent that
the developers decided to deactivate the TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecur erenegotiation


From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Report this message