As would be clear from the post header, I am trying for an insecure SSL renegotiation as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).

My server configuration: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a on Ubuntu 10.04.1 LTS.

The problem is my handshake goes through successfully, but in the application data stage the client initiates the renegotiation, upon which I get thrown an error and the connection terminates. I did enable the SSLInsecureRenegotiation directive, but the error persists. The error as received on the client side (as interpreted by the client) is EOF (does not convey much). But the same client, when connected to the earlier version of Apache, 2.0.47, works pretty fine.

The error on the server side corresponding to my client request in error.log is:

    [Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
    [Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation

SSL conf file (vhost configuration in https-ssl.conf):

    <VirtualHost 10.225.209.115:543>
        SSLInsecureRenegotiation on
        DocumentRoot "/usr/local/apache2/htdocs"
        ServerName httpsmtpssl.test.intra
        ServerAdmin [email protected]
        ErrorLog "/usr/local/apache2/logs/error_log"
        TransferLog "/usr/local/apache2/logs/access_log"
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
        SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/NO-PASS-PHRASE"
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog "/usr/local/apache2/logs/ssl_request_log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

I even tried placing SSLInsecureRenegotiation globally, but with no +ve outcome.

Can you guys help me with this? Am I missing something on the server config part, or am I not using the SSLInsecureRenegotiation directive correctly? Hope to get some pointers.

Gaurav
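A defender-side check for the configuration quoted in the post, added here as an example and not code from the poster or from the httpd project: a small Python lint that parses the vhost block (backslash continuations included), reports whether SSLInsecureRenegotiation is on and which weak OpenSSL cipher keywords the SSLCipherSuite string leaves unexcluded, and tallies the "rejecting client initiated renegotiation" and missing-Host events from error_log lines. The inputs are constructed from the values quoted in the post; the function names and finding texts are the example's own. For context on the log line being triaged: since httpd 2.2.14 mod_ssl refuses any renegotiation the client starts after the initial handshake, and SSLInsecureRenegotiation does not change that; the directive only re-permits renegotiation with peers that lack the RFC 5746 extension, which is the CVE-2009-3555 exposure the lint flags.

```python
"""Lint an Apache 2.2 mod_ssl vhost block and an error_log excerpt for
renegotiation-related settings and events. Added example; the inputs
below are constructed from the forum post, not read from a live server."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the poster's vhost, trimmed to the SSL-relevant lines.
VHOST_CONF = r'''
<VirtualHost 10.225.209.115:543>
    SSLInsecureRenegotiation on
    ServerName httpsmtpssl.test.intra
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
'''

# Constructed sample: the two error_log lines quoted in the post.
ERROR_LOG = (
    "[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent "
    "HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html\n"
    "[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] "
    "rejecting client initiated renegotiation\n"
)

# OpenSSL cipher-list keywords that a hardened SSLCipherSuite excludes with "!".
WEAK_CIPHER_KEYWORDS = ("eNULL", "aNULL", "ADH", "EXP", "EXPORT", "LOW", "SSLv2")

# Apache 2.2 error_log format: [timestamp] [level] [client addr] message
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)


def parse_directives(conf: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased; Apache directive names are
    case-insensitive) to the argument strings it was given. Backslash
    line continuations are joined and <Section> tags are skipped."""
    joined = re.sub(r"\\\n\s*", " ", conf)
    directives: Dict[str, List[str]] = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def unexcluded_weak_keywords(cipher_string: str) -> List[str]:
    """Weak keywords the cipher string mentions without a leading "!".
    "+KEYWORD" only reorders ciphers already selected (here by "ALL"), so
    those keywords stay eligible; "!KEYWORD" is the only permanent exclusion."""
    excluded = {t[1:] for t in cipher_string.split(":") if t.startswith("!")}
    found = []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            continue
        for part in token.lstrip("+-").split("+"):  # "RC4+RSA" means RC4 AND RSA
            if part in WEAK_CIPHER_KEYWORDS and part not in excluded:
                found.append(part)
    return found


def lint_vhost(conf: str) -> List[str]:
    """Return human-readable findings for the renegotiation and cipher settings."""
    d = parse_directives(conf)
    findings = []
    if any(v.lower() == "on" for v in d.get("sslinsecurerenegotiation", [])):
        findings.append(
            "SSLInsecureRenegotiation on: renegotiation with clients that lack the "
            "RFC 5746 extension is permitted again (CVE-2009-3555 exposure)"
        )
    for cs in d.get("sslciphersuite", []):
        weak = unexcluded_weak_keywords(cs)
        if weak:
            findings.append("SSLCipherSuite does not exclude: " + ", ".join(weak))
    if d.get("sslengine", ["off"])[0].lower() != "on":
        findings.append("SSLEngine is not on: the vhost does not terminate TLS")
    return findings


def summarize_error_log(log: str) -> Dict[str, object]:
    """Count renegotiation rejections and hostname-less requests, and record
    the client addresses whose renegotiations were refused."""
    counts: Counter = Counter()
    reneg_clients = set()
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "rejecting client initiated renegotiation" in msg:
            counts["reneg_rejected"] += 1
            reneg_clients.add(m["client"])
        elif "request without hostname" in msg:
            counts["missing_host_header"] += 1
    return {"counts": dict(counts), "reneg_clients": sorted(reneg_clients)}


if __name__ == "__main__":
    for finding in lint_vhost(VHOST_CONF):
        print("finding:", finding)
    print(summarize_error_log(ERROR_LOG))
```

The keyword check is deliberately conservative: it reports what the string fails to forbid rather than trying to reproduce OpenSSL's selection rules. To see the cipher list a given SSLCipherSuite string actually selects on the server's OpenSSL build, run `openssl ciphers -v 'STRING'` there and compare against the lint's findings.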
