Topic: secure renegotiation |
|
Author |
|
fundsnetworks
Joined: 15 May 2013 Posts: 2 Location: herts
|
Posted: Thu 16 May '13 9:11 Post subject: secure renegotiation |
|
|
Good Morning
I'm currently running two Apache Web Servers (build 2.2.14) on RHEL 5.4 running two versions of the same website. One is our live site and the other is our test site. Each site has identical httpd.conf and httpd-ssl.conf files.
The issue I have is related to secure renegotiation in that it's supported on the live site but not on the test site. My understanding was that this was either disabled or enabled by using the following command in your httpd-ssl.conf: SSLInsecureRenegotiation off
and that version 2.2.15 was required.
This has definitely not been specified in either of the config files, nor is there an SSI or CGI script containing the SSL_SECURE_RENEG environment.
I'm also aware that this can be supported by the client I'm using, however, I've ruled this out by running the test using the same client (IE10, Firefox and running 'openssl s_client -connect' on a Linux terminal).
Please can someone advise where else I'm likely to find out where this has been configured as our sites need to be configured exactly the same.
Any help or assistance would be much appreciated.
Thanks |
|
|
James Blond Moderator

Joined: 19 Jan 2006 Posts: 7404 Location: EU, Germany, Next to Hamburg
|
Posted: Thu 16 May '13 10:05 Post subject: |
|
|
Depending on your distro there might have been a backport from the last 2.2.x to the version number you see. Since SSLInsecureRenegotiation off is the default value, it might be secure now on your live server. Are you sure that the two servers are on the same update level?
|
|
fundsnetworks
Joined: 15 May 2013 Posts: 2 Location: herts
|
Posted: Thu 16 May '13 10:10 Post subject: |
|
|
Yes both servers are definitely on the same update level.
Test Server:
Server version: Services./2.2.14 (Unix)
Server built: Feb 5 2010 08:33:58
Live Server:
Server version: Services./2.2.14 (Unix)
Server built: Apr 28 2010 10:49:23
If the default value is off I would expect to see SSLInsecureRenegotiation on in the httpd-ssl.conf file on the live server.
|
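The comparison discussed in this thread, as an added example that is not part of any poster's message: a script that reads saved `openssl s_client -connect` output and `httpd -v` output for both servers and reports where they differ. The function names and the sample transcripts are constructed for illustration (the build dates are the ones quoted above); the two "Secure Renegotiation IS ..." lines are the status strings `s_client` prints.

```shell
#!/bin/sh
# Added example: compare two servers' renegotiation status and httpd build.
# Inputs are text saved from `openssl s_client -connect host:443 </dev/null`
# and from `httpd -v`. The samples at the bottom are constructed, not captures.

# Print supported / not-supported / unknown for an s_client transcript on stdin.
reneg_status() {
    awk '
        /Secure Renegotiation IS NOT supported/ { s = "not-supported" }
        /Secure Renegotiation IS supported/     { s = "supported" }
        END { print (s == "" ? "unknown" : s) }'
}

# Print the "Server built:" value from `httpd -v` output on stdin.
build_date() {
    sed -n 's/^Server built:[[:space:]]*//p'
}

# compare_servers LIVE_SCLIENT TEST_SCLIENT LIVE_HTTPD_V TEST_HTTPD_V
# Prints one line per difference; returns 0 if identical, 1 otherwise.
compare_servers() {
    rc=0
    a=$(printf '%s\n' "$1" | reneg_status)
    b=$(printf '%s\n' "$2" | reneg_status)
    [ "$a" = "$b" ] || { echo "renegotiation: live=$a test=$b"; rc=1; }
    a=$(printf '%s\n' "$3" | build_date)
    b=$(printf '%s\n' "$4" | build_date)
    [ "$a" = "$b" ] || { echo "build: live=$a test=$b"; rc=1; }
    return $rc
}

# Constructed sample inputs (hypothetical transcripts).
LIVE_SC='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported'
TEST_SC='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported'
LIVE_V='Server version: Services./2.2.14 (Unix)
Server built:   Apr 28 2010 10:49:23'
TEST_V='Server version: Services./2.2.14 (Unix)
Server built:   Feb 5 2010 08:33:58'

compare_servers "$LIVE_SC" "$TEST_SC" "$LIVE_V" "$TEST_V" || true
```

Running it on real captures means saving each command's output to a variable or file first; an "unknown" result means the transcript contained neither status line, for example because the handshake failed.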