: Can I dynamically set the SSLInsecureRenegotiation Directive? We're running Apache 2.2.22 with OpenSSL 0.98, one of our Citrix NetScaler Hosts cannot send a client certificate after handshaking SSL

@Fox8124981

I could be incorrectly understanding the mod_ssl docs (but I don't believe I am) but if you have linked your Apache version to OpenSSL 0.98m or later and the client is also using a patched TLS implementation, the SSLInsecureRenegotiation directive set to Off should have no effect on those client connections.

Are you terminating SSL between client and NetScaler or is it passing through to the Apache servers and terminating there? Some load balancers behave like reverse proxies and if you're terminating ssl at the load-balancer, the load-balancer needs to be configured to accept the renegotiated connection attempt.

The easiest way to tell if it is your load-balancer causing this is to bypass the load-balancer and fire the request off directly against your apache server. If you succeed, the load-balancer's virtual server and/or ssl/tls configuration needs to be looked at. If that fails (and you are sure you are using a client with a patched TLS implementation), then there is still something wrong with the apache server configuration. You probably don't even need to test the directory requiring the client cert, just fire up openssl s_client -connect <host> <port> and press R, then enter. If it succeeds, it's probably the load-balancer. Based on a yahoo search, it looks like you can tell what the netscaler's policy is for handling renegotiated connections by running a show ssl parameter on the netscaler.

Vote Up Vote Down