[Pkg-openssl-devel] Bug#557261: Bug#557261: libssl0.9.8: Updating from version k-5 to k-6 breaks client auth with stunnel4

Vladimir Volovich vvv at vsu.ru
Fri Jan 8 02:35:58 UTC 2010


Hi!

On Sat, Nov 21, 2009 at 09:38:20AM +0100, Kurt Roeckx wrote:
> On Fri, Nov 20, 2009 at 08:25:02PM +0000, Dick Middleton wrote:
> > Package: libssl0.9.8
> > Version: 0.9.8k-5
> > Severity: important
> > 
> > 
> > I've just updated my 'sid/unstable' system and found stunnel4 can no
> > longer do its client certificate auth with apache connecting with ssl
> > on port https/443.
> > 
> > Apache reports:
> >  Re-negotiation handshake failed: Not accepted by client!? 
> 
> The change in -6 disabled renegotiation because it happens in
> an insecure way.  Since you're talking to an apache server,
> I would suggest you talk to the administrator to set up his
> website so that it doesn't require renegotiation.  I understand
> that this requires that the whole server or virtual server needs
> to be configured to accept the client certificate.

Sorry for asking, but could you please explain whether it is always possible
to reconfigure the server to eliminate the need for renegotiation?

Consider the situation where one of the directories is protected with
"SSLVerifyClient require", but the rest of the site is not:

<VirtualHost hostname.com:443>
  # [...]
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  SSLCertificateChainFile ...
  SSLVerifyClient none

  <Directory /protected>
    SSLVerifyClient require
    SSLCACertificateFile ...
  </Directory>
</VirtualHost>

Now, whenever I go to any URL starting with /protected/, apache seems
to be forcing renegotiation, and a client browser linked against
0.9.8k-5 and above fails to load the page.

Is it possible, and how, to reconfigure apache in this case to
eliminate the need for renegotiation?

Best,
v.
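The reconfiguration Kurt refers to (the whole virtual server accepts the client certificate, so the certificate is requested in the initial handshake rather than via a later renegotiation) looks roughly like the following. This is an added example, not a configuration posted in this thread; the hostnames, DocumentRoot paths, certificate paths and SSLVerifyDepth value are placeholders. It splits the site into two virtual hosts so that SSLVerifyClient never changes between the vhost level and a Directory/Location section, which is the change that makes mod_ssl renegotiate:

```apache
# Added example: public content stays on a vhost that never asks for a
# client certificate.
<VirtualHost 192.0.2.10:443>
  ServerName hostname.com                       # placeholder
  DocumentRoot /var/www/public                  # placeholder
  SSLEngine on
  SSLCertificateFile      /etc/ssl/certs/server.pem       # placeholder
  SSLCertificateKeyFile   /etc/ssl/private/server.key     # placeholder
  SSLCertificateChainFile /etc/ssl/certs/chain.pem        # placeholder
  SSLVerifyClient none
  # No per-directory SSLVerifyClient here: nothing in this vhost
  # changes the verify mode, so no renegotiation is triggered.
</VirtualHost>

# Added example: the protected content gets its own vhost whose
# client-certificate requirement is set at the vhost level, so the
# certificate request is part of the initial TLS handshake.
<VirtualHost 192.0.2.10:443>
  ServerName secure.hostname.com                # placeholder
  DocumentRoot /var/www/protected               # placeholder
  SSLEngine on
  SSLCertificateFile      /etc/ssl/certs/server.pem       # placeholder
  SSLCertificateKeyFile   /etc/ssl/private/server.key     # placeholder
  SSLCertificateChainFile /etc/ssl/certs/chain.pem        # placeholder
  SSLVerifyClient require
  SSLVerifyDepth 2                              # placeholder depth
  SSLCACertificateFile    /etc/ssl/certs/client-ca.pem    # placeholder
</VirtualHost>
```

Two name-based SSL virtual hosts on the same address and port only work when both Apache and the clients support SNI; where that is not available, give the protected vhost its own IP address or port instead. The point of the split is that a client connecting to the protected vhost is asked for its certificate up front, so a client library that refuses renegotiation (as libssl0.9.8k-6 does) can still authenticate.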
