OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl
which also performs safe parameter checks. It is recommended to enable
OptRenegotiate on a per directory basis.

"also performs safe parameter checks" may be the key.
disable it and check if MSIE likes it.

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jason Haar
Sent: Thursday, April 01, 2010 6:11 AM
To: openssl-users@openssl.org
Subject: Apache "SSL3_ACCEPT:unsafe legacy renegotiation disabled"?

Hi there

We have a CentOS-4.8 server that was upgraded to
httpd-2.0.52-41.ent.7.centos4 this week - along with dependencies like
openssl-0.9.7a and openssl096b.

At that moment our client-certificate based authentication Webapp broke :-(

It's really weird. Users running Firefox-3.5+ or Chrome are still
working fine - but MSIE7 and MSIE8 now get that useless MSIE error page
and Apache reports lines like

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Obviously this is related to the SSL renegotiation bugfix - but Google
cannot find anyone else seeing this - so I'm thinking we have something
peculiar to us?

Our Apache config states

<Location ~ "/(ssl_secure/)">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

So when you attempt to access https://server/ssl_secure/ - you are asked
for your client cert.

We have another section of the site that has "SSLVerifyClient optional"
and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(

Help?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
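The log line quoted above carries the same error twice: once as the decimal number mod_ssl logs (336068931) and once as the "error:14080143:SSL routines:SSL3_ACCEPT:..." string from ERR_error_string(). The following Python is an added example, not code from the thread, from Apache or from OpenSSL; it assumes the pre-3.0 OpenSSL packing (8-bit library id, 12-bit function id, 12-bit reason id), which matches the 0.9.x builds discussed here. It splits the number into its parts, cross-checks it against the hex string, and filters an Apache error log down to the RFC 5746 renegotiation failures so they can be counted separately from ordinary client-certificate errors. The sample log is constructed; its second record is a different, made-up-for-illustration SSL error so the filter has something to exclude.

```python
"""Decode OpenSSL error numbers from Apache/mod_ssl error-log lines.

Pre-3.0 OpenSSL packs every error into one 32-bit number:
    bits 24..31  library id   (0x14  = "SSL routines")
    bits 12..23  function id  (0x080 = SSL3_ACCEPT in the thread's line)
    bits  0..11  reason id    (0x143 = "unsafe legacy renegotiation disabled")
mod_ssl logs the decimal number and, right after it, the string form
"error:<hex>:<lib>:<func>:<reason>" produced by ERR_error_string().
"""
import re

LIB_BITS, FUNC_BITS, REASON_BITS = 8, 12, 12


def unpack_error(code):
    """Split a packed OpenSSL (<3.0) error number into (lib, func, reason)."""
    lib = (code >> (FUNC_BITS + REASON_BITS)) & ((1 << LIB_BITS) - 1)
    func = (code >> REASON_BITS) & ((1 << FUNC_BITS) - 1)
    reason = code & ((1 << REASON_BITS) - 1)
    return lib, func, reason


def error_hex(code):
    """Eight-digit hex form that follows 'error:' in ERR_error_string output."""
    return "%08X" % code


# One "SSL Library Error" record as mod_ssl writes it.  The \s+ between the
# decimal number and the "error:" string tolerates the line wrap that mail
# clients introduce when a log line is quoted.
RECORD_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] SSL Library Error: (?P<dec>\d+)\s+"
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]+):(?P<func>[^:\n]+):(?P<reason>[^\n]+)"
)


def parse_ssl_errors(log_text):
    """Return one dict per SSL Library Error record, with the packed number
    decoded and cross-checked against the hex string logged beside it."""
    records = []
    for m in RECORD_RE.finditer(log_text):
        code = int(m.group("dec"))
        lib, func, reason = unpack_error(code)
        records.append({
            "timestamp": m.group("ts"),
            "code": code,
            "lib": lib,
            "func": func,
            "reason": reason,
            "lib_name": m.group("lib").strip(),
            "func_name": m.group("func").strip(),
            "reason_text": m.group("reason").strip(),
            # True when the decimal and the hex form describe the same error.
            "consistent": error_hex(code).lower() == m.group("hex").lower(),
        })
    return records


def renegotiation_errors(log_text):
    """Keep only records whose reason is the RFC 5746 legacy-renegotiation refusal."""
    return [r for r in parse_ssl_errors(log_text)
            if "unsafe legacy renegotiation" in r["reason_text"]]


# Constructed sample log.  The first record is the line quoted in the thread,
# wrapped exactly as the mail wraps it.  The second record is made up for
# illustration (a client-certificate error unrelated to renegotiation).
SAMPLE_LOG = """\
[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Apr 01 12:42:03 2010] [error] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

if __name__ == "__main__":
    for rec in parse_ssl_errors(SAMPLE_LOG):
        print("%s  lib=0x%02X func=0x%03X reason=0x%03X  %s / %s%s" % (
            rec["timestamp"], rec["lib"], rec["func"], rec["reason"],
            rec["func_name"], rec["reason_text"],
            "" if rec["consistent"] else "  [decimal/hex mismatch]"))
    print("renegotiation refusals:", len(renegotiation_errors(SAMPLE_LOG)))
```

The cross-check matters when logs are pasted into tickets or mail: if the decimal and hex forms disagree, the line has been edited or mangled in transit and should not be trusted as evidence of which code path failed.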

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


