httpd-users mailing list archives

From VP <rpeyy...@gmail.com>
Subject Re: [users@httpd] Re: Client certificate authentication issues
Date Wed, 17 Oct 2012 06:14:16 GMT
Thank you Toomas. I will also try these settings and see what I get. I
am currently running OpenSSL version 1.0.0 with Apache 2.2.15.

Regards,
VP

On Tue, Oct 16, 2012 at 3:58 PM, Toomas Aas <toomas.aas@raad.tartu.ee> wrote:
> I have had my share of trouble with client certificate authentication / SSL
> renegotiation. It is difficult to troubleshoot. In addition to what Mark
> already suggested, here are some other things that may help:
>
> 1. Try to reduce the number of SSL protocols and ciphers that the
> client and server are going to negotiate. I have the following settings in
> use now:
>
> SSLProtocol -All +SSLv3 +TLSv1
> SSLCipherSuite !DH:HIGH
>
> 2. Reduce the number of possible renegotiation attempts. Inside the
> <Location> block where you have "SSLVerifyClient require", add "SSLOptions
> +OptRenegotiate". The manual does not recommend turning it on in the global
> configuration or for an entire vhost, but restricting it to a specific <Location> or
> <Directory> only.
>
> 3. For compatibility with older browsers, you may need to turn on
> SSLInsecureRenegotiation. Be aware that this opens your SSL sessions to a
> possible man-in-the-middle attack (CVE-3555), but in some cases the only
> other option is that clients won't be able to access your site at all -
> unfortunately, you can't always tell everyone to upgrade their browser.
>
> 4. Make sure you are not using some very old version of OpenSSL.
>
> --
> Toomas Aas
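The settings from steps 1-3 above, assembled into one vhost as an added example (not configuration posted by either participant). Apache 2.2 with OpenSSL 1.0.0 knows no protocol newer than TLSv1, which is why the SSLProtocol line stops there; ServerName, the certificate paths and the /secure path are placeholders.

```apache
# Added example, not from the thread: client-certificate authentication
# scoped to one Location so the bulk of the site never triggers an SSL
# renegotiation. All paths and names below are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    # CA certificate(s) that client certificates are verified against
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    # Step 1: narrow what client and server can negotiate.
    SSLProtocol -All +SSLv3 +TLSv1
    SSLCipherSuite !DH:HIGH

    # No client certificate is demanded at vhost level, so the initial
    # handshake for "/" completes without any renegotiation.
    SSLVerifyClient none

    # Step 2: demand the certificate only where it is needed. With
    # +OptRenegotiate mod_ssl checks whether the current session already
    # satisfies these parameters before forcing a full renegotiation.
    <Location /secure>
        SSLVerifyClient require
        SSLOptions +OptRenegotiate
    </Location>

    # Step 3: deliberately left off. Enable only if clients without
    # secure-renegotiation support must be served, accepting the
    # man-in-the-middle exposure described in the post above.
    # SSLInsecureRenegotiation on
</VirtualHost>
```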

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

