Hi there
We have a CentOS-4.8 server that was upgraded to
httpd-2.0.52-41.ent.7.centos4 this week - along with dependencies like
openssl-0.9.7a and openssl096b
At that moment our client-certificate based authentication Webapp broke :-(
It's really weird. Users running Firefox-3.5+ or Chrome are still
working fine - but MSIE7 and MSIE8 now get that useless MSIE error page
and Apache reports lines like
[Thu Apr 01 12:41:41 2010] [error] SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
Obviously this is related to the SSL renegotiation bugfix - but Google
cannot find anyone else seeing this - so I'm thinking we have some
peculiar to us?
Our Apache config states
<Location ~ "/(ssl_secure/)">
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
+OptRenegotiate
</Location>
So when you attempt to access https://server/ssl_secure/ - you are asked
for your client cert.
We have another section of the site that has "SSLVerifyClient optional"
and that also triggers the same fault in MSIE - and FF/Chrome work fine :-(
Help?
Thanks!
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
