
SSL renegotiation failing even after enabling SSLInsecureRenegotiation

Apache 2.2.16 - SSL renegotiation not working.

juventus16

11:04 am on Sep 6, 2010 (gmt 0)

As would be clear from the post header, I am trying for an insecure SSL renegotiation, as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).

My server configuration :
server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a on Ubuntu 10.04.1 LTS

The problem is my handshake goes through successfully, but in the application data stage the client initiates the renegotiation, upon which I get thrown an error and the connection terminates. I did enable the SSLInsecureRenegotiation directive, but the error persists.

The error as received on the client side (as interpreted by the client) is EOF (does not convey much). But the same client, when connected to the earlier version of Apache, 2.0.47, works pretty fine.

The error on the server side corresponding to my client request, as recorded in error.log, is:
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation

SSL conf file (vhost configuration in https-ssl.conf):

<VirtualHost 10.225.209.115:543>

SSLInsecureRenegotiation on
# I even tried placing it globally, but with no +ve outcome
DocumentRoot "/usr/local/apache2/htdocs"
ServerName httpsmtpssl.test.intra
ServerAdmin you@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/NO-PASS-PHRASE"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog "/usr/local/apache2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Can you guys help me with this?
Am I missing something on the server config part, or am I not using the SSLInsecureRenegotiation directive correctly?

Hope to get some pointers,
Gaurav
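A check worth running before changing any more configuration, as an added example that is not part of the original post: probe the server from the client side with openssl s_client, typing "R" after the first handshake to request a renegotiation, and read the result off the "-msg" handshake trace. The caveat this makes visible is that SSLInsecureRenegotiation only governs whether peers lacking the RFC 5746 extension are allowed to negotiate at all; mod_ssl in the 2.2.14 and later line logs "rejecting client initiated renegotiation" and drops the connection for any ClientHello that arrives after the initial handshake, whatever that directive is set to, which is exactly the EOF the poster's client sees. (The other log line, "request without hostname", is a separate issue: the client sends HTTP/1.1 without a Host header.) The host and port defaults below are assumptions taken from the vhost in the post; the two sample transcripts are constructed, abridged, and only exist so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS server for
# RFC 5746 secure-renegotiation support and for whether it completes a
# client-initiated renegotiation, using openssl s_client's interactive
# "R" command plus "-msg" to trace handshake messages.
# Host and port defaults are assumptions taken from the vhost in the post.

# reneg_transcript HOST PORT
# Run s_client, wait for the first handshake, type "R" (renegotiate),
# wait again, then let stdin close so s_client exits. Everything the
# client prints (stdout and stderr) is returned as one transcript.
# Against a TLS 1.3 server add -tls1_2 (TLS 1.3 removed renegotiation).
reneg_transcript() {
    { sleep 2; printf 'R\n'; sleep 2; } |
        openssl s_client -connect "$1:$2" -msg 2>&1 || true
}

# classify_transcript < transcript
# Prints "ri=yes|no client-reneg=accepted|rejected|no-handshake".
#  - "Secure Renegotiation IS supported" is printed by s_client (OpenSSL
#    0.9.8m and later) when the server negotiated the RFC 5746 extension.
#  - Each completed handshake shows one ServerHello in the -msg trace, so
#    two ServerHellos mean the renegotiation went through; one means the
#    server refused it (mod_ssl closes the connection, hence the EOF the
#    client sees); none means the initial handshake never completed.
#    The anchored pattern avoids also counting ServerHelloDone lines.
classify_transcript() {
    t=$(cat)
    hellos=$(printf '%s\n' "$t" | grep -c ', ServerHello$' || true)
    if printf '%s\n' "$t" | grep -q 'Secure Renegotiation IS supported'; then
        ri=yes
    else
        ri=no
    fi
    if [ "$hellos" -eq 0 ]; then
        reneg=no-handshake
    elif [ "$hellos" -ge 2 ]; then
        reneg=accepted
    else
        reneg=rejected
    fi
    echo "ri=$ri client-reneg=$reneg"
}

# Constructed transcripts (abridged, not real captures) showing the shape
# of the two outcomes so the classifier can be exercised offline.
SAMPLE_REJECTED='>>> TLS 1.0 Handshake [length 0059], ClientHello
<<< TLS 1.0 Handshake [length 0051], ServerHello
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
Secure Renegotiation IS supported
RENEGOTIATING
>>> TLS 1.0 Handshake [length 0065], ClientHello
read:errno=0'

SAMPLE_ACCEPTED='>>> TLS 1.0 Handshake [length 0059], ClientHello
<<< TLS 1.0 Handshake [length 0051], ServerHello
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
Secure Renegotiation IS supported
RENEGOTIATING
>>> TLS 1.0 Handshake [length 0065], ClientHello
<<< TLS 1.0 Handshake [length 0051], ServerHello
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone'

if [ $# -ge 1 ]; then
    # Live probe: sh reneg_probe.sh httpsmtpssl.test.intra 543
    reneg_transcript "$1" "${2:-443}" | classify_transcript
else
    # Offline demonstration on the constructed transcripts.
    printf 'rejected sample: '; printf '%s\n' "$SAMPLE_REJECTED" | classify_transcript
    printf 'accepted sample: '; printf '%s\n' "$SAMPLE_ACCEPTED" | classify_transcript
fi
```

Run it against the 2.2.16 vhost and the expected verdict is "ri=yes client-reneg=rejected"; against the older 2.0.47 server the poster mentions, which predates RFC 5746, it would report "ri=no client-reneg=accepted", which is the legacy behaviour the client was relying on. If the application genuinely needs a mid-connection renegotiation (for example a per-location SSLVerifyClient), let the server initiate it rather than the client.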