Results 1 to 1 of 1
As would be clear from the post header, i am trying for an insecure SSL renegotiaion as my SSL client does not have support for the latest TLS renegotiation vulnerability ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 09-06-2010 #1
- Join Date
- Sep 2010
SSL renegotiation failing even after enabling SSLInsecureRenegotiation directive.
As would be clear from the post header, i am trying for an insecure SSL renegotiaion as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).
My server configuration :
server:- Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a
Platform: Ubuntu 10.04.1 LTS
The problem is my handshake goes through successfully, but in application data stage client initiates the renegotiation upon which i get thrown an error and the connection terminates. I did enable SSLInsecureRenegotiation directive, but the error persists.
Error as received on the client side ( as interpreted by the client) is EOF (does not convey much). But the same client when connected to the earlier version of APACHE - 2.0.47 works pretty fine.
Error on server side corresponding to my client request in error.log represents :
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation
SSL conf file (vhost configuration in httpd-ssl.conf ) : attached as a separate attachment [httpd-ssl.txt]
Can you guys, help me with this ?
Am i missing something on the server config part or not using the SSLInsecureRenegotiation directive correctly ?
Hope to get some pointers,