I have had my share of trouble with client certificate authentication / SSL renegotiation. It is difficult to troubleshoot. In addition to what Mark already suggested, here are some other things that may help:

1. Try to reduce the number of SSL protocols and ciphers that client and server are going to negotiate about. I have the following settings in use now:

SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite !DH:HIGH

2. Reduce the number of possible renegotiation attempts. Inside the <Location> block where you have "SSLVerifyClient require", add "SSLOptions +OptRenegotiate". The manual does not recommend turning it on for the global configuration or an entire vhost, but rather restricting it to a specific <Location> or <Directory> only.

3. For compatibility with older browsers, you may need to turn on SSLInsecureRenegotiation. Be aware that this opens your SSL sessions to a possible man-in-the-middle attack (CVE-3555), but in some cases the only other option is that clients won't be able to access your site at all - unfortunately, you can't always tell everyone to upgrade their browser.

4. Make sure you are not using some very old version of OpenSSL.

--
Toomas Aas
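Added example, not part of the post above: before deciding whether SSLInsecureRenegotiation (step 3) is needed, or whether the server's OpenSSL is simply too old (step 4), it helps to probe the server from the outside with openssl s_client and read off the negotiated protocol, the cipher and whether the server advertises RFC 5746 secure renegotiation. The script below parses s_client output into one summary line; the two embedded transcripts are constructed samples, and the host name and port in probe_server are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post or from httpd/mod_ssl).
# Summarise "openssl s_client" output as "<protocol> <cipher> <secure|insecure|unknown>".

# Read an s_client transcript on stdin and print a one-line summary.
summarize_sclient() {
    awk '
        /^ *Protocol *:/ { proto = $NF }          # "    Protocol  : TLSv1.2"
        /^ *Cipher *:/   { cipher = $NF }         # "    Cipher    : AES256-SHA"
        /Secure Renegotiation IS supported/     { reneg = "secure" }
        /Secure Renegotiation IS NOT supported/ { reneg = "insecure" }
        END {
            if (proto == "")  proto = "none"
            if (cipher == "") cipher = "none"
            if (reneg == "")  reneg = "unknown"
            print proto, cipher, reneg
        }
    '
}

# Exit 0 only if the transcript on stdin shows RFC 5746 secure renegotiation.
# A server that reports "IS NOT supported" is running an OpenSSL that predates
# the fix (the situation step 4 in the post warns about).
renegotiation_ok() {
    case "$(summarize_sclient)" in
        *" secure") return 0 ;;
        *)          return 1 ;;
    esac
}

# Live probe of a server. Host and port are placeholders (assumption).
# "R" on s_client's stdin asks it to renegotiate the session, "Q" closes it,
# so the transcript also shows whether a renegotiation is accepted at all.
probe_server() {
    host=$1
    port=${2:-443}
    printf 'R\nQ\n' | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
        | summarize_sclient
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_CURRENT='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_OLD='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Stand-alone run: summarise both samples; real use is e.g.
#   probe_server www.example.com 443
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CURRENT" | summarize_sclient
    printf '%s\n' "$SAMPLE_OLD"     | summarize_sclient
fi
```

If the summary ends in "insecure", turning on SSLInsecureRenegotiation would only paper over an OpenSSL that lacks RFC 5746 support; if it ends in "secure" and old clients still fail, the clients are the ones without the extension, which is the case step 3 describes.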

