Client certificate does not work / renegotiate

on 29.03.2010 20:14:13 by developer

Hello,
In a host where the client certificate is optional and in some directories
required. The server uses SNI, and this configuration worked fine before
SNI.

>
> SSLVerifyClient optional
>

> SSLVerifyClient require

....

I use an SNI client (Firefox) with a client certificate that works on optional locations but does not in the cert-required location.


> [info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
> [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation, referer: http:
> [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
> [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol, referer: http
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
> [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
> [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 [mem: 7f4325577083] (BIO dump follows)
> [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
> [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
> [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/


> openssl-1.0.0-0.13.beta4.fc12.x86_64
> httpd-2.2.14-1.fc12.x86_64
> mod_ssl-2.2.14-1.fc12.x86_64


Does anyone know where the problem is?
Why does it not work in required, but does the job in optional?


--
http://www.1pc.es/


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Client certificate does not work / renegotiate

on 30.03.2010 10:03:23 by James Blond

Hi,
That is not a bug, it is a feature! With TLS renegotiation a
theoretical man-in-the-middle attack is possible. To prevent that,
the developers decided to deactivate TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation


From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario
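Before reopening legacy renegotiation for a whole server with SSLInsecureRenegotiation, an administrator usually wants to know how many clients are actually hitting the "Re-negotiation handshake failed: Not accepted by client" path that the thread's log shows. The script below is an added example written for this page, not code from the thread or from the mod_ssl project: it parses mod_ssl error-log lines of the form quoted above (optionally prefixed by Apache 2.2's bracketed timestamp), counts per client how many renegotiations were requested by the per-directory SSLVerifyClient change and how many were refused, and lists the clients that refused. The sample log embedded in the script is constructed; it reuses the client address and referer from the thread plus a second, made-up client (192.168.1.41) that completes the renegotiation.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mod_ssl log lines quoted in the thread.
# The first line carries an Apache 2.2 style timestamp; the others are shown
# the way the original poster pasted them (timestamp already stripped).
SAMPLE_LOG = """\
[Mon Mar 29 20:14:13 2010] [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
[info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
[debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
[error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/
[info] [client 192.168.1.41] Requesting connection re-negotiation, referer: http://www.1pc.es/
[info] [client 192.168.1.41] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
"""

# Matches "[level] [client a.b.c.d] message", with an optional leading
# "[timestamp] " as written by Apache 2.2. Lines without a [client ...]
# tag (the OpenSSL state-machine debug lines) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?:\[[^\]]+\] )?\[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)

REQUESTED = "Requesting connection re-negotiation"
FAILED = "Re-negotiation handshake failed"


def parse_line(line):
    """Return {'level', 'client', 'msg'} for a per-client log line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarize_renegotiation(log_text):
    """Per client: how many renegotiations mod_ssl requested and how many failed."""
    stats = defaultdict(lambda: {"requested": 0, "failed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"].startswith(REQUESTED):
            stats[rec["client"]]["requested"] += 1
        elif rec["msg"].startswith(FAILED):
            stats[rec["client"]]["failed"] += 1
    return dict(stats)


def clients_refusing_renegotiation(log_text):
    """Clients whose renegotiation handshake was refused at least once."""
    return sorted(
        client
        for client, s in summarize_renegotiation(log_text).items()
        if s["failed"] > 0
    )


if __name__ == "__main__":
    for client, s in summarize_renegotiation(SAMPLE_LOG).items():
        print(f"{client}: requested={s['requested']} failed={s['failed']}")
    print("refusing:", clients_refusing_renegotiation(SAMPLE_LOG))
```

Run it against a real error log by replacing SAMPLE_LOG with the file contents; a client that appears under "refusing" is one for which the server-initiated renegotiation (triggered by switching from SSLVerifyClient optional to require in a Location) was not completed, which is exactly the symptom the thread describes. A low count of such clients argues for restructuring the configuration so no renegotiation is needed, rather than enabling SSLInsecureRenegotiation server-wide.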