I found a fix. I'll be verbose to make this better for search engines :-)

So after upgrading to httpd-2.0.52-41.ent.7.centos4 under CentOS-4.8
and/or httpd-2.2.3-31.el5.centos.4 under CentOS-5.3, our client-cert
based authentication started failing for all versions of MSIE (Internet
Explorer).

httpd-2.0.52 produced the following error:

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled


Whereas httpd-2.2.3 produced:

[Fri Apr 02 09:54:36 2010] [debug] ssl_engine_kernel.c(426): Changed
client verification type will force renegotiation
[Fri Apr 02 09:54:36 2010] [info] Requesting connection re-negotiation
[Fri Apr 02 09:54:36 2010] [debug] ssl_engine_kernel.c(625): [client
218.101.54.25] Performing full renegotiation: complete handshake
protocol (client does not support secure renegotiation)

What I'm guessing has happened is that OpenSSL was patched to fix the
renegotiation flaw discovered last year, and although Firefox 3.5+ and
Chrome 5.036+ work fine with this updated version, MSIE 7 and 8 still
don't contain a fix?

Anyway, Google finally led me to a new Apache option. Adding the
following line to your config will make Apache (mod_ssl, actually) revert
to the older "insecure" behaviour, and then MSIE will work again:

 SSLInsecureRenegotiation on

Obviously we now need to track MSIE patches and wait until that is
fixed, and then remove this option. Thanks, Microsoft, you never cease to
disappoint me.
-- 

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

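As an added example (not part of Jason's post or of Apache/OpenSSL), two small POSIX shell checks around the workaround above. The first classifies `openssl s_client` output on whether the peer negotiated RFC 5746 secure renegotiation, using the "Secure Renegotiation IS supported" / "IS NOT supported" line s_client prints after the handshake; the second scans an httpd config and reports whether `SSLInsecureRenegotiation on` was set globally rather than only inside the `<VirtualHost>` that actually needs the client-cert renegotiation, since the directive is accepted in both server and virtual-host context. The host name, the s_client excerpts and the config snippets are constructed assumptions so that the checks run offline; `check_host` is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not from the original post.
#   reneg_status          - classify `openssl s_client` output as
#                           secure | legacy | unknown (RFC 5746 support)
#   insecure_reneg_scope  - report where "SSLInsecureRenegotiation on"
#                           appears in an httpd config: global | vhost | absent
# Sample inputs below are constructed, not real captures.

# Reads s_client output on stdin; prints secure | legacy | unknown.
reneg_status() {
    out=$(cat)
    case $out in
        *'Secure Renegotiation IS supported'*)     echo secure ;;
        *'Secure Renegotiation IS NOT supported'*) echo legacy ;;
        *)                                        echo unknown ;;
    esac
}

# Live check (network): check_host host [port]. Hostname is an assumption.
# -tls1_2 is forced because TLS 1.3 has no renegotiation at all, so s_client
# always reports "IS NOT supported" there and the question is moot.
check_host() {
    host=$1; port=${2:-443}
    printf 'Q\n' \
      | openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 2>/dev/null \
      | reneg_status
}

# Reads an httpd config on stdin; prints global | vhost | absent.
# "global" means the workaround is on for every SSL vhost, not just the one
# that forces a renegotiation for client certs; that is wider than needed.
insecure_reneg_scope() {
    awk '
        BEGIN { depth = 0; where = "absent" }
        /^[ \t]*#/ { next }                                  # skip comments
        tolower($0) ~ /^[ \t]*<virtualhost/  { depth++ }
        tolower($0) ~ /^[ \t]*<\/virtualhost/ { depth-- }
        tolower($1) == "sslinsecurerenegotiation" && tolower($2) == "on" {
            if (depth == 0) where = "global"
            else if (where != "global") where = "vhost"
        }
        END { print where }'
}

# --- constructed samples -------------------------------------------------
SAMPLE_SCLIENT_SECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---'
SAMPLE_SCLIENT_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'

SAMPLE_CONF_GLOBAL='SSLInsecureRenegotiation on
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>'

SAMPLE_CONF_SCOPED='<VirtualHost *:443>
    SSLEngine on
    # only the vhost whose per-Location SSLVerifyClient forces a renegotiation
    SSLInsecureRenegotiation on
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>'

if [ "$#" -gt 0 ]; then
    check_host "$@"
else
    printf '%s\n' "$SAMPLE_SCLIENT_SECURE" | reneg_status          # secure
    printf '%s\n' "$SAMPLE_SCLIENT_LEGACY" | reneg_status          # legacy
    printf '%s\n' "$SAMPLE_CONF_GLOBAL"    | insecure_reneg_scope  # global
    printf '%s\n' "$SAMPLE_CONF_SCOPED"    | insecure_reneg_scope  # vhost
fi
```

Run it with no arguments to see the four constructed cases, or `sh check.sh www.example.com 443` (hostname assumed) to probe a live server; a `legacy` result on a TLS 1.2 connection means that endpoint will only renegotiate the way the pre-patch clients in the post did.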
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org