[Pkg-openssl-devel] Bug#557261: Bug#557261: libssl0.9.8: Updating from version k-5 to k-6 breaks client auth with stunnel4
Kurt Roeckx
kurt at roeckx.be
Sat Jan 9 11:05:41 UTC 2010
On Fri, Jan 08, 2010 at 05:35:58AM +0300, Vladimir Volovich wrote:
> Hi!
>
> On Sat, Nov 21, 2009 at 09:38:20AM +0100, Kurt Roeckx wrote:
> > On Fri, Nov 20, 2009 at 08:25:02PM +0000, Dick Middleton wrote:
> > > Package: libssl0.9.8
> > > Version: 0.9.8k-5
> > > Severity: important
> > >
> > >
> > > I've just updated my 'sid/unstable' system and found stunnel4 can no
> > > longer do its client certificate auth with apache connecting with ssl
> > > on port https/443.
> > >
> > > Apache reports:
> > > Re-negotiation handshake failed: Not accepted by client!?
> >
> > The change in -6 disabled renegotiation because it happens in
> > an insecure way. Since you're talking to an apache server,
> > I would suggest you talk to the administrator to set up his
> > website so that it doesn't require renegotiation. I understand
> > that this requires that the whole server or virtual server needs
> > to be configured to accept the client certificate.
>
> sorry for asking, but could you please explain if it is always possible
> to reconfigure the server to eliminate the need for renegotiation?
>
> consider situation when one of directories is protected with
> "SSLVerifyClient require", but the rest of the site is not:
>
> <VirtualHost hostname.com:443>
> # [...]
> SSLEngine on
> SSLCertificateFile ...
> SSLCertificateKeyFile ...
> SSLCertificateChainFile ...
> SSLVerifyClient none
>
> <Directory /protected>
> SSLVerifyClient require
> SSLCACertificateFile ...
> </Directory>
> </VirtualHost>
>
> now, whenever i go to any URL starting with /protected/, apache seems
> to be forcing renegotiation and the client browser linked against
> 0.9.8k-5 and above fails to load the page.
>
> is it possible, and how, to reconfigure apache in this case, to
> eliminate the need for renegotiation?
As I understand it, it will not do the renegotiation if you do
it for the whole virtual host.
Kurt
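Laid out as a configuration comparison (an added example, not from this thread, the Debian package or Apache's own documentation): the per-directory form from the question, which forces mod_ssl to renegotiate once the request URL is known, beside the vhost-wide form Kurt describes, which requests the client certificate during the initial handshake so no renegotiation takes place. The hostname, certificate paths and directory are placeholders; only one of the two blocks should be active at a time.

```apache
# Form A: client certificate required only for one directory (placeholder paths).
# The server does not know the URL when the TLS handshake completes, so the
# stricter SSLVerifyClient for /protected can only be enforced by renegotiating
# mid-connection. A client whose libssl refuses renegotiation (0.9.8k-6 and later)
# fails here with "Re-negotiation handshake failed: Not accepted by client!?".
<VirtualHost hostname.example:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/server.pem
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/chain.pem
    SSLVerifyClient         none

    <Directory /var/www/protected>
        SSLVerifyClient      require
        SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    </Directory>
</VirtualHost>

# Form B: the same requirement applied to the whole virtual host.
# The certificate request is part of the initial handshake, so there is
# nothing to renegotiate; the trade-off is that every URL served by this
# host now needs a client certificate.
<VirtualHost hostname.example:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/server.pem
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/chain.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2
    SSLCACertificateFile    /etc/ssl/certs/client-ca.pem

    DocumentRoot /var/www/protected
</VirtualHost>
```

If the rest of the site must stay reachable without a client certificate, serve it from a separate virtual host (a different hostname or port) that keeps `SSLVerifyClient none`, so that each host's client-certificate policy is fixed at handshake time. After editing, `apachectl configtest` (or `apache2ctl -t` on Debian) checks the syntax before a reload.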