RE: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

2010-04-01 Thread Saju Paul
OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl
which also performs safe parameter checks. It is recommended to enable
OptRenegotiate on a per directory basis.

"also performs safe parameter checks" may be the key.
Disable it and check if MSIE likes it.

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Jason Haar
Sent: Thursday, April 01, 2010 6:11 AM
To: openssl-users@openssl.org
Subject: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

Hi there

We have a CentOS-4.8 server that was upgraded to
httpd-2.0.52-41.ent.7.centos4 this week - along with dependencies like
openssl-0.9.7a and openssl096b

At that moment our client-certificate based authentication Webapp broke :-(

It's really weird. Users running Firefox-3.5+ or Chrome are still
working fine - but MSIE7 and MSIE8 now get that useless MSIE error page
and Apache reports lines like

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Obviously this is related to the SSL renegotiation bugfix - but Google
cannot find anyone else seeing this - so I'm thinking we have some
peculiar to us?

Our Apache config states

<Location ~ /(ssl_secure/)>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

So when you attempt to access https://server/ssl_secure/ - you are asked
for your client cert.

We have another section of the site that has SSLVerifyClient optional
and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(

Help?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

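As an added illustration, not code from anyone in this thread: what the patched server is actually checking when it logs "unsafe legacy renegotiation disabled". Under RFC 5746 a client that supports secure renegotiation advertises it in its ClientHello, either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF) or with the renegotiation_info extension (0xFF01). A patched OpenSSL server still accepts an initial handshake from a client that sends neither, which is why https://server/ loads in every browser, but it refuses the renegotiation that a per-Location SSLVerifyClient forces unless the application sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION (the option mod_ssl's SSLInsecureRenegotiation turns on). The ClientHello bytes below are constructed, the three hello variants and the policy function are mine, and the policy only models the decision; it does not check the verify_data a real renegotiation carries in the extension.

```python
import struct

# RFC 5746 signalling values
SCSV = 0x00FF                # TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite
RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type
AES128_SHA = 0x002F          # TLS_RSA_WITH_AES_128_CBC_SHA, a real suite to pad the list


def build_client_hello(cipher_suites, extensions=(), version=(3, 1)):
    """Serialise one TLS record carrying a ClientHello (constructed input, not a capture)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"      # client_version, fixed 'random', empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suites and extensions of a ClientHello record as a dict."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                 # skip compression_methods
    extensions = {}
    if pos < len(body):                                  # the extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suites": suites, "extensions": extensions}


def supports_secure_renegotiation(record):
    """RFC 5746 section 3.4: either signal in the ClientHello counts."""
    hello = parse_client_hello(record)
    return SCSV in hello["cipher_suites"] or RENEGOTIATION_INFO in hello["extensions"]


def server_decision(record, renegotiating, allow_unsafe_legacy=False):
    """Model (not OpenSSL's code) of the patched server policy: initial handshakes
    from legacy clients are accepted, renegotiation with them is refused unless
    SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. A real server additionally
    verifies the verify_data in renegotiation_info when renegotiating."""
    if supports_secure_renegotiation(record):
        return "ok: secure renegotiation"
    if not renegotiating:
        return "ok: initial handshake from legacy client"
    if allow_unsafe_legacy:
        return "ok: unsafe legacy renegotiation allowed"
    return "error: unsafe legacy renegotiation disabled"


# Constructed hellos: a client sending neither signal (how the thread's MSIE behaved),
# one signalling with the SCSV, one signalling with the extension.
LEGACY_HELLO = build_client_hello([AES128_SHA])
SCSV_HELLO = build_client_hello([AES128_SHA, SCSV])
EXT_HELLO = build_client_hello([AES128_SHA], [(RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("scsv", SCSV_HELLO), ("ext", EXT_HELLO)):
        print(name, "initial:", server_decision(hello, renegotiating=False))
        print(name, "reneg:  ", server_decision(hello, renegotiating=True))
    print("legacy reneg with SSLInsecureRenegotiation on:",
          server_decision(LEGACY_HELLO, renegotiating=True, allow_unsafe_legacy=True))
```

Run stand-alone it prints the decision for each client in both situations; the legacy client is the only one whose outcome changes between the initial handshake and the renegotiation, which matches the thread's symptom of every browser reaching the site but only MSIE failing once the /ssl_secure/ Location forces a second handshake.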


Re: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

2010-04-01 Thread Chris Clark
On Thu, Apr 1, 2010 at 3:11 AM, Jason Haar jason.h...@trimble.co.nz wrote:
> Hi there
>
> We have a CentOS-4.8 server that was upgraded to
> httpd-2.0.52-41.ent.7.centos4 this week -

You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
Your version is years old.

-Chris


Re: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

2010-04-01 Thread Jason Haar
On 04/01/2010 11:50 PM, Saju Paul wrote:
> OptRenegotiate - enables avoidance of unnecessary handshakes by mod_ssl
> which also performs safe parameter checks. It is recommended to enable
> OptRenegotiate on a per directory basis.
>
> "also performs safe parameter checks" may be the key.
> Disable it and check if MSIE likes it.

Nope - didn't make a difference



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

2010-04-01 Thread Jason Haar
On 04/02/2010 02:21 AM, Chris Clark wrote:
> You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
> Your version is years old.

It is the official version released for CentOS-4.8 this week (which
actually means Redhat too). It wouldn't surprise me if they never tested
the client cert case too well - I certainly don't understand why only
MSIE is having a problem.


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled?

2010-04-01 Thread Jason Haar
On 04/02/2010 08:13 AM, Jason Haar wrote:
> On 04/02/2010 02:21 AM, Chris Clark wrote:
>> You need to upgrade Apache to httpd-2.2.15 (released March 6, 2010)
>> Your version is years old.

OK, this is getting weird... I just created the same directory structure
on a CentOS-5.3 server running httpd-2.2.3-31.el5.centos.4 (which also
only came out this week) and I get EXACTLY the same issue! (ie works
with FF/Chrome - but not MSIE8)

Can someone confirm they see the same issue with

<Location /ssl_secure>
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

I'm confused, I don't understand how no-one else seems to see it?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Apache SSL3_ACCEPT:unsafe legacy renegotiation disabled? [ANSWER]

2010-04-01 Thread Jason Haar
I found a fix. I'll be verbose to make this better for search engines :-)

So after upgrading to httpd-2.0.52-41.ent.7.centos4 under CentOS-4.8
and/or httpd-2.2.3-31.el5.centos.4 under CentOS-5.3 our client-cert
based authentication started failing for all versions of MSIE (Internet
Explorer)

httpd-2.0.52 produced the following error

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled


Whereas httpd-2.2.3 produced

[Fri Apr 02 09:54:36 2010] [debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation
[Fri Apr 02 09:54:36 2010] [info] Requesting connection re-negotiation
[Fri Apr 02 09:54:36 2010] [debug] ssl_engine_kernel.c(625): [client 218.101.54.25] Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation)

What I'm guessing has happened is openssl was patched to fix the
renegotiation flaw discovered last year, and although Firefox-3.5+ and
Chrome-5.036+ work fine with this updated version, MSIE 7 and 8 still
don't contain a fix?

Anyway, Google finally led me to a new Apache option. Adding the
following line to your config will make Apache (mod_ssl actually) revert
to the older insecure option, and then MSIE will work again

 SSLInsecureRenegotiation on

Obviously we now need to track MSIE patches and wait until that is
fixed, and then remove this option. Thanks, Microsoft, you never cease to
disappoint me.
-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

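An added configuration example, not part of this message: the first vhost is the posted per-Location layout with the workaround from this post, the second asks for the client certificate in the initial handshake so that no renegotiation happens at all. The hostless `*:443`/`*:8443` listeners, the port 8443 and the certificate and DocumentRoot paths are assumptions; httpd does not accept comments on the same line as a directive, so every comment sits on its own line.

```apache
# Posted layout: the certificate is demanded per-Location, so mod_ssl must
# renegotiate after it has read the request. A patched OpenSSL refuses that
# renegotiation for clients without RFC 5746 support unless the override
# below is set.
<VirtualHost *:443>
    SSLEngine on
    # paths assumed
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt

    # Restores the pre-RFC 5746 behaviour for every connection to this vhost,
    # i.e. re-exposes all of them to the CVE-2009-3555 prefix-injection attack,
    # not only the ones that need a client certificate.
    SSLInsecureRenegotiation on

    <Location /ssl_secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
    </Location>
</VirtualHost>

# Alternative: put SSLVerifyClient at vhost level on a dedicated listener.
# The certificate is then requested in the first handshake, nothing is
# renegotiated, SSLInsecureRenegotiation stays at its default of off, and
# a client without RFC 5746 support still gets an ordinary first handshake.
# port assumed
Listen 8443
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StrictRequire +StdEnvVars
    # path assumed
    DocumentRoot /var/www/ssl_secure
</VirtualHost>
```

The dedicated listener needs its own IP or port rather than a name shared with the main site, because distinguishing vhosts on one address and port requires SNI, which neither Apache 2.0 nor the browsers in this thread can be relied on for. For the `SSLVerifyClient optional` area mentioned earlier, the same move works with `optional` at vhost level and the application checking the `SSL_CLIENT_VERIFY` environment variable per request. Whichever layout is kept, `openssl s_client -connect host:port` from an OpenSSL 0.9.8m or later client prints whether the connection negotiated secure renegotiation, which is the quick check to run before and after removing `SSLInsecureRenegotiation on`.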