Topic: Apache 2.2.15 + OpenSSL 0.9.8m Error
HopkinsProg
Joined: 23 Nov 2008 Posts: 3
Posted: Fri 19 Mar '10 14:48 Post subject: Apache 2.2.15 + OpenSSL 0.9.8m Error
Hey guys, perhaps you can help me with an issue I am having. I installed Apache 2.2.15 from AL shortly after it was released. I have also upgraded openSSL to 0.9.8m. My site loads fine over SSL, but when viewing the website in Opera, I get a message stating that, "The server does not support secure TLS renegotiation. The site owner should upgrade the server." I searched around for this error, and only found one resource - http://directadmin.com/forum/showthread.php?p=176503. That basically said to upgrade openSSL, which I have already done.
Do you all have any thoughts on how to fix this?
Thank you!
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7404 Location: EU, Germany, Next to Hamburg
Posted: Fri 19 Mar '10 16:33
That is not a bug, it is a feature! With the TLS renegotiation there is a theoretical man-in-the-middle-attack possible. To prevent that the developers decided to deactivate the TLS renegotiation. I haven't seen that issue with a browser before, but I don't use Opera.
Solution a) go back to the previous OSSL version
Solution b) Ask the Opera guys why their browser causes trouble while others don't.
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3118 Location: Hilversum, NL, EU
Posted: Fri 19 Mar '10 20:02
Indeed in the change log:
Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol
See also: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation
Steffen
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7404 Location: EU, Germany, Next to Hamburg
Posted: Sat 20 Mar '10 10:53
I haven't read the docs. Thank you Steffen for the hint. So you could enable the old behavior with
Code:
SSLInsecureRenegotiation on
But, read the link Steffen has posted before you do that.
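As an added example (not code from this thread, from Apache or from OpenSSL): the "secure renegotiation" Opera is checking for is the RFC 5746 renegotiation_info extension (type 0xff01) in the ServerHello, and the snippet below parses a ServerHello record to see whether a server advertises it. The sample records are constructed inline; a server built against an older OpenSSL would simply omit the extension.

```python
import struct

# Added example (not from the thread): parse a TLS ServerHello and report whether
# the server advertises RFC 5746 secure renegotiation (the renegotiation_info
# extension), which is what Opera's warning and Apache's change log refer to.
RENEGOTIATION_INFO = 0xFF01   # extension type defined by RFC 5746


def parse_extensions(block):
    """Return {ext_type: ext_data} from a length-prefixed TLS extensions block."""
    if len(block) < 2:
        return {}                      # no extensions at all (pre-RFC 5746 server)
    (total,) = struct.unpack("!H", block[:2])
    body, pos, exts = block[2:2 + total], 0, {}
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        exts[ext_type] = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def server_supports_secure_reneg(record):
    """True if a raw TLS record holding a ServerHello carries renegotiation_info."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 0x16 or not hs or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    pos = 4 + 2 + 32                   # handshake header, server_version, random
    pos += 1 + hs[pos]                 # session_id length + session_id
    pos += 2 + 1                       # cipher_suite, compression_method
    return RENEGOTIATION_INFO in parse_extensions(hs[pos:])


def build_server_hello(secure_reneg):
    """Constructed sample ServerHello (TLS 1.0, AES128-SHA, empty session id)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if secure_reneg:
        # Initial handshake: renegotiated_connection is empty (1-byte length 0)
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for flag in (True, False):
        hello = build_server_hello(flag)
        print("secure renegotiation advertised:", server_supports_secure_reneg(hello))
```

Against a live server the same question is answered by `openssl s_client -connect host:443`, whose output contains either "Secure Renegotiation IS supported" or "Secure Renegotiation IS NOT supported".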
HopkinsProg
Joined: 23 Nov 2008 Posts: 3
Posted: Mon 22 Mar '10 18:42
Ah. Oddly enough, I had gotten that message with both older and the latest versions of openSSL, but I'm guessing my Apache was only using the 0.9.8m that it was compiled with and not the ones I had installed.
I'm guessing that Opera, perhaps being a bit more verbose, is trying to tell me that it doesn't support the newer protocol extension and thus, cannot re-negotiate? Oh well, since it seems that it is supposed to be that way (the vulnerability being blocked, that is), I can live with it.
Thanks for the info guys!