View Issue Details

ID: 0004259
Project: CentOS-4
Category: httpd
View Status: public
Last Update: 2010-04-07 09:31
Reporter: jhaar
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: no change required
Product Version: 4.8
Target Version:
Fixed in Version:
Summary: 0004259: Apache blocking MSIE with "SSL3_ACCEPT:unsafe legacy renegotiation disabled"

Description:

Hi there

We have a webapp that uses client certificates via

<Location ~ "/(ssl_secure/)">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StrictRequire +StdEnvVars -ExportCertData +OptRenegotiate
</Location>

This has worked fine for years - until this week when httpd-2.0.52-41.ent.7.centos4 came out. At that moment, all our MSIE7/8 users were locked out. Every time they attempted to access a client-cert protected area, they got the crappy MSIE error page and the Apache error_log reported

[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled


Firefox-3.5+ and Chrome work just fine - only MSIE is affected.

Help?

Thanks

Jason
Tags: No tags attached.

Activities

jhaar

2010-04-01 21:56

reporter   ~0011118

Actually I've just created the same config on a CentOS-5.3 server running httpd-2.2.3-31.el5.centos.4 and I get the same thing. MSIE doesn't work (fully patched today) but FF and Chrome work.


Jason

jhaar

2010-04-02 01:05

reporter   ~0011119

You can close this - I found the underlying issue

It appears as of April 1st 2010, fully patched MSIE still doesn't support the new "renegotiation" SSL options, and so BREAKS with mod_ssl doing client-cert access control.

Until it is fixed, the following mod_ssl option will re-enable MSIE to work - at the cost of increasing compromise risk:

SSLInsecureRenegotiation on

range

2010-04-07 09:31

administrator   ~0011130

Thank you for finding out the issue.

Issue History

Date Modified     Username  Field                Change
2010-04-01 19:19  jhaar     New Issue
2010-04-01 21:56  jhaar     Note Added: 0011118
2010-04-02 01:05  jhaar     Note Added: 0011119
2010-04-07 09:31  range     Note Added: 0011130
2010-04-07 09:31  range     Status               new => resolved
2010-04-07 09:31  range     Resolution           open => no change required
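
The error_log signature quoted in the description can be counted to see how often clients are being rejected after the update. This is an added example, not part of the original report. It assumes the log format shown in the description and the pre-3.0 OpenSSL packed error layout (8-bit library, 12-bit function, 12-bit reason); the sample log is constructed from the quoted lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first entry is the one quoted in the report, the rest are made up.
SAMPLE_LOG = """\
[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Thu Apr 01 12:41:58 2010] [error] File does not exist: /var/www/html/favicon.ico
[Thu Apr 01 13:02:10 2010] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
"""

# The "error:..." part may be on the same line or wrapped onto the next one.
ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[error\] SSL Library Error: (?P<dec>\d+)\s+"
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]*):(?P<func>[^:\n]*):(?P<reason>[^\n]*)"
)
REASON = "unsafe legacy renegotiation disabled"


def unpack(code):
    """Split a packed OpenSSL (pre-3.0 layout, assumed) error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def renegotiation_failures(log_text):
    """Return one record per rejected legacy renegotiation found in log_text."""
    hits = []
    for m in ENTRY.finditer(log_text):
        code = int(m["dec"])
        # The decimal number and the hex string are the same packed code; skip mangled entries.
        if code != int(m["hex"], 16) or m["reason"].strip() != REASON:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        hits.append({"when": when, "fields": unpack(code), "where": m["func"]})
    return hits


def failures_per_hour(log_text):
    """Count rejected renegotiations per clock hour, to gauge how often clients are refused."""
    return Counter(h["when"].strftime("%Y-%m-%d %H:00") for h in renegotiation_failures(log_text))


if __name__ == "__main__":
    for hour, n in sorted(failures_per_hour(SAMPLE_LOG).items()):
        print(hour, n)
```

Each record is one refused handshake, not one distinct client, since the quoted log lines carry no client address.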