On Fri, Jan 08, 2010 at 05:35:58AM +0300, Vladimir Volovich wrote:
> Hi!
>
> On Sat, Nov 21, 2009 at 09:38:20AM +0100, Kurt Roeckx wrote:
> > On Fri, Nov 20, 2009 at 08:25:02PM +0000, Dick Middleton wrote:
> > > Package: libssl0.9.8
> > > Version: 0.9.8k-5
> > > Severity: important
> > >
> > > I've just updated my 'sid/unstable' system and found stunnel4 can no
> > > longer do its client certificate auth with apache connecting with ssl
> > > on port https/443.
> > >
> > > Apache reports:
> > > Re-negotiation handshake failed: Not accepted by client!?
> >
> > The change in -6 disabled renegotiation because it happens in
> > an insecure way. Since you're talking to an apache server,
> > I would suggest you talk to the administrator to set up his
> > website so that it doesn't require renegotiation. I understand
> > that this requires that the whole server or virtual server needs
> > to be configured to accept the client certificate.
>
> Sorry for asking, but could you please explain if it is always possible
> to reconfigure the server to eliminate the need for renegotiation?
>
> Consider a situation where one of the directories is protected with
> "SSLVerifyClient require", but the rest of the site is not:
>
> <VirtualHost hostname.com:443>
>     # [...]
>     SSLEngine on
>     SSLCertificateFile ...
>     SSLCertificateKeyFile ...
>     SSLCertificateChainFile ...
>     SSLVerifyClient none
>
>     <Directory /protected>
>         SSLVerifyClient require
>         SSLCACertificateFile ...
>     </Directory>
> </VirtualHost>
>
> Now, whenever I go to any URL starting with /protected/, apache seems
> to be forcing renegotiation and the client browser linked against
> 0.9.8k-5 and above fails to load the page.
>
> Is it possible, and how, to reconfigure apache in this case, to
> eliminate the need for renegotiation?
As I understand it, it will not do the renegotiation if you do it for the whole virtual host.

Kurt
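The reconfiguration Kurt describes, written out as an added example (not part of the thread): the client-certificate directives move from the /protected <Directory> up to the <VirtualHost>, so the certificate is requested during the initial handshake and no mid-connection renegotiation is triggered. Hostnames, certificate paths and the DocumentRoot are placeholders.

```apache
# Before (the configuration from the question): SSLVerifyClient differs
# between the virtual host and the /protected directory, so once Apache
# knows the request URI it must renegotiate to ask for the certificate.
# Clients built against OpenSSL 0.9.8k-6 refuse that renegotiation.
<VirtualHost hostname.com:443>
    SSLEngine on
    # placeholder paths
    SSLCertificateFile      /etc/ssl/certs/server.pem
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/chain.pem
    SSLVerifyClient none

    <Directory /protected>
        SSLVerifyClient require
        # placeholder path
        SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    </Directory>
</VirtualHost>

# After: client verification is set once for the whole virtual host, so
# the per-directory settings no longer differ from the vhost settings and
# Apache has no reason to renegotiate. Content that must stay reachable
# without a client certificate has to live on a separate virtual host
# (different hostname or port), because mixing the two levels is exactly
# what caused the renegotiation above.
<VirtualHost hostname.com:443>
    SSLEngine on
    # placeholder paths
    SSLCertificateFile      /etc/ssl/certs/server.pem
    SSLCertificateKeyFile   /etc/ssl/private/server.key
    SSLCertificateChainFile /etc/ssl/certs/chain.pem
    SSLVerifyClient      require
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    # placeholder: serve only the protected tree from this vhost
    DocumentRoot /var/www/protected
</VirtualHost>
```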