Re: Client certificate does not work / renegotiate

2010-03-30 Thread Mario Brandt
Hi,
That is not a bug, it is a feature! With TLS renegotiation a
theoretical man-in-the-middle attack is possible. To prevent that,
the developers decided to deactivate TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation


From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager  majord...@modssl.org


Client certificate does not work / renegotiate

2010-03-29 Thread Developer
Hello,
On a host where the client certificate is optional but required in some
directories. The server uses SNI, and this configuration worked fine before
SNI.

 <VirtualHost *:443>
     SSLVerifyClient optional

     <Location /certrequirement>
         SSLVerifyClient require
     </Location>
 ...

I use an SNI client (Firefox) with a client certificate that works in the
optional locations but does not in the certrequirement location.


 [info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
 [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation, referer: http:
 [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
 [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol, referer: http
 [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
 [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
 [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
 [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 [mem: 7f4325577083] (BIO dump follows)
 [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
 [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
 [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/


 openssl-1.0.0-0.13.beta4.fc12.x86_64
 httpd-2.2.14-1.fc12.x86_64
 mod_ssl-2.2.14-1.fc12.x86_64


Does anyone know where the problem is?
Why does it not work in required, but does the job in optional?


-- 
http://www.1pc.es/


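The log above shows mod_ssl forcing a renegotiation because the per-Location SSLVerifyClient differs from the vhost setting, and the reply's fix, SSLInsecureRenegotiation on, re-enables the legacy renegotiation the prefix injection attack abuses. An added example (not from either poster) of the alternative: keep the client-certificate-required content on its own SNI vhost, so the certificate is requested in the initial handshake and no renegotiation is needed. Hostnames, paths and certificate files are placeholders; it assumes httpd 2.2.12 or later with SNI, as in the original post.

```apache
# Added example, not the original poster's configuration.
# Placeholders: example.test hostnames and /etc/pki paths.
NameVirtualHost *:443

# Default vhost: client certificate optional. No <Location> changes
# SSLVerifyClient here, so mod_ssl never has to force a renegotiation.
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www/public
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth  2
    # Legacy renegotiation stays disabled (the default); do not add
    # "SSLInsecureRenegotiation on", which reopens the attack for all clients.
</VirtualHost>

# Dedicated SNI vhost for the content that used to live under
# /certrequirement. SSLVerifyClient require at vhost level means the
# certificate request is part of the initial handshake, so clients that
# refuse renegotiation (the "Not accepted by client!?" error) still work.
<VirtualHost *:443>
    ServerName secure.example.test
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/secure.example.test.crt
    SSLCertificateKeyFile /etc/pki/tls/private/secure.example.test.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Clients without SNI support land on the first vhost and never see the required-certificate content, which is the safe failure mode here.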