Can I dynamically set the SSLInsecureRenegotiation directive? We're running Apache 2.2.22 with OpenSSL 0.98, one of our Citrix NetScaler Hosts cannot send a client certificate after handshaking SSL

@Murray432

Posted in: #Apache2

We're running Apache 2.2.22 with OpenSSL 0.98, one of our Citrix NetScaler Hosts cannot send a client certificate after handshaking SSL as we have to set SSLInsecureRenegotiation off as a security standard.

Is there any way to dynamically set this directive based on Remote_Addr? I have tried so many settings, but, as designed I guess, there doesn't seem to be a way of selectively allowing SSLInsecureRenegotiation for one user agent or IP?

We've already patched to the latest NetScaler 10, but after the initial SSL handshake a renegotiation request is sent back from Apache to the NetScaler, because a client cert is required for a LocationMatch; this is never responded to, leading Apache to terminate the session (tools.ietf.org/html/rfc5746#section-3.5). We're told by Citrix that downstream rules are normally on a "trusted" network and not supported using the client method. Is it possible to differentiate between requests, and how the SSLInsecureRenegotiation directive is called, by host identity of some sort or IP?

Many thanks.

1 Comment

@Fox8124981

I could be incorrectly understanding the mod_ssl docs (but I don't believe I am), but if you have linked your Apache version to OpenSSL 0.98m or later and the client is also using a patched TLS implementation, the SSLInsecureRenegotiation directive set to Off should have no effect on those client connections.

Are you terminating SSL between the client and the NetScaler, or is it passing through to the Apache servers and terminating there? Some load balancers behave like reverse proxies, and if you're terminating SSL at the load balancer, the load balancer needs to be configured to accept the renegotiated connection attempt.

The easiest way to tell if it is your load balancer causing this is to bypass the load balancer and fire the request off directly against your Apache server. If you succeed, the load balancer's virtual server and/or SSL/TLS configuration needs to be looked at. If that fails (and you are sure you are using a client with a patched TLS implementation), then there is still something wrong with the Apache server configuration. You probably don't even need to test the directory requiring the client cert; just fire up `openssl s_client -connect <host>:<port>`, press R, then Enter. If it succeeds, it's probably the load balancer. Based on a Yahoo search, it looks like you can tell what the NetScaler's policy is for handling renegotiated connections by running `show ssl parameter` on the NetScaler.

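The s_client check from the answer above, scripted so it can be run non-interactively against the Apache host; this is an added example, not code from the original post, Apache or Citrix. It assumes `openssl` is on PATH and that s_client prints the "Secure Renegotiation IS [NOT] supported" status line and "RENEGOTIATING" after the R keystroke, with failures reported on a line containing ":error:"; the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: scripts the manual
# "openssl s_client ... then press R" renegotiation check from the answer.
# Assumptions: openssl is on PATH; s_client prints the RFC 5746 status line
# "Secure Renegotiation IS [NOT] supported", prints "RENEGOTIATING" after
# the R keystroke, and reports any failure on a line containing ":error:".

# classify_reneg_output TEXT
# Pure function over captured s_client output. Prints one word:
#   no-rfc5746    Apache never advertised the renegotiation_info extension
#                 (mod_ssl linked against a pre-0.9.8m OpenSSL), so with
#                 SSLInsecureRenegotiation off it refuses every renegotiation
#   reneg-refused renegotiation was attempted but an OpenSSL error followed
#   reneg-ok      extension present and the second handshake completed, so
#                 Apache is not the obstacle and the load balancer is suspect
#   unknown       no renegotiation attempt seen in the output
classify_reneg_output() {
  case "$1" in
    *"Secure Renegotiation IS NOT supported"*)           echo "no-rfc5746" ;;
    *RENEGOTIATING*:error:*)                             echo "reneg-refused" ;;
    *"Secure Renegotiation IS supported"*RENEGOTIATING*) echo "reneg-ok" ;;
    *)                                                   echo "unknown" ;;
  esac
}

# check_reneg HOST PORT
# Connects directly to the Apache server (bypassing the load balancer, as the
# answer suggests), sends "R" to trigger a client-initiated renegotiation,
# waits briefly for the second handshake, and classifies the captured output.
check_reneg() {
  out=$( { printf 'R\n'; sleep 3; } | openssl s_client -connect "$1:$2" 2>&1 )
  classify_reneg_output "$out"
}

# Usage (placeholder host): check_reneg apache.example.internal 443
```

Run it once against Apache directly and once through the NetScaler virtual server; a reneg-ok from Apache and a reneg-refused through the NetScaler points at the load balancer, as the answer describes.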