Linode Community Forums
Posted: Tue Jan 26, 2010 10:51 pm
Senior Member (Joined: Mon Jul 30, 2007 9:55 pm, Posts: 80)
Running Gentoo with Apache 2.2. When I put SSLVerifyClient just inside <VirtualHost> it works fine. If I put it inside a <Location> or <Directory> block inside that vhost, however, it fails. Log shows: Re-negotiation handshake failed: Not accepted by client!?

Relevant config file snippet:

Code:
<VirtualHost _default_:443>
        ServerName ssl.example.com
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLVerifyClient none
        SSLVerifyDepth  10
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/default/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule setenvif_module>
                BrowserMatch ".*MSIE.*" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        </IfModule>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>

        <Location /foo/*>
                SSLOptions +OptRenegotiate
                SSLVerifyClient require
                SSLVerifyDepth 10
        </Location>
</VirtualHost>
Posted: Tue Jan 26, 2010 11:01 pm
Senior Member (Joined: Tue Apr 13, 2004 6:54 pm, Posts: 833)
SSL renegotiation may be turned off in the client because it was recently discovered that the SSL protocol has a very bad MITM attack when it is enabled.

I've never used Client Certs; as I understand it, moving from a non-cert required area to a cert required area forces a renegotiation. And that's where it fails.

If I'm right, your options, typically, are to never need a client cert on a site, or to always require a client cert. Potentially you could also disable SSL persistence (it'd force every query to make a new connection and negotiate a new SSL session, so there'd be no SSL _re_negotiation within a session as it went from a non-cert area to a cert area), but that would kill performance and put additional load on your server.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

Posted: Wed Jan 27, 2010 12:45 pm
Senior Member (Joined: Mon Jul 30, 2007 9:55 pm, Posts: 80)
Huh. So I guess the Apache doc is not up to date with what modern browsers are doing:

Quote:
How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?

For this we again use the per-directory reconfiguration feature of mod_ssl:
...
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
<Location /secure/area>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
...


So I have a somewhat usable work-around, but I'd be interested if any Apache gurus have a better one:
Code:
SSLVerifyClient optional
SSLVerifyDepth  10
<Location /foo/*>
    SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    and %{SSL_CLIENT_VERIFY} eq "SUCCESS"   )
</Location>

This works, but the annoying thing is that browsers get a pop-up requesting authentication for all parts of the site. The dialog can be dismissed, but I wish there was a way to prevent it from displaying.
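The workaround above (SSLVerifyClient optional at the vhost level, then an SSLRequire test on SSL_CLIENT_VERIFY inside the Location) can be reasoned about outside Apache by modelling the decision it encodes. The following Python is an added example, not code from the original posts or from Apache: it evaluates the posted SSLRequire expression against the mod_ssl variables, models the per-path outcome (the 200/403 split and the /foo/ prefix match are an approximation of the <Location /foo/*> block), and reuses the same EXP|NULL cipher regex to scan lines in the ssl_request_log format from the first post's CustomLog directive. The log lines, requests and IP addresses in it are constructed.

```python
"""Added example: model of the client-certificate workaround discussed above.

Reproduces in plain Python the access decision encoded by

    SSLVerifyClient optional                     (vhost level)
    <Location /foo/*>
        SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/
                     and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
    </Location>

and scans lines in the first post's ssl_request_log format
(%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b) for ciphers that the same
regex rejects. Not part of the original posts or of Apache itself.
"""
import re
from typing import Dict, List, Optional, Tuple

# Cipher test from the posted SSLRequire line: export-grade or NULL ciphers fail.
WEAK_CIPHER_RE = re.compile(r"^(EXP|NULL)")

# Assumption: <Location /foo/*> is approximated as a path-prefix match.
PROTECTED_PREFIX = "/foo/"


def ssl_require_allows(env: Dict[str, str]) -> bool:
    """Evaluate the posted SSLRequire expression against mod_ssl variables.

    mod_ssl sets SSL_CLIENT_VERIFY to NONE (no certificate offered), SUCCESS
    (certificate chained to SSLCACertificateFile), GENEROUS (optional_no_ca)
    or FAILED:<reason>. Only SUCCESS satisfies the expression.
    """
    cipher = env.get("SSL_CIPHER", "")
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    return WEAK_CIPHER_RE.match(cipher) is None and verify == "SUCCESS"


def access_decision(path: str, env: Dict[str, str]) -> int:
    """HTTP status the modelled vhost returns for a request (assumed 200/403).

    Outside the protected prefix 'SSLVerifyClient optional' admits every
    client, certificate or not, so no renegotiation is ever needed. Inside it
    the SSLRequire expression must hold or mod_ssl answers 403 Forbidden.
    """
    if not path.startswith(PROTECTED_PREFIX):
        return 200
    return 200 if ssl_require_allows(env) else 403


# Regex for the CustomLog format "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b".
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)


def parse_ssl_request_log(line: str) -> Optional[Dict[str, str]]:
    """Split one ssl_request_log line into its fields, or None if malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def weak_cipher_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, cipher) for each request served over a cipher the
    SSLRequire regex would reject; malformed lines are skipped."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        rec = parse_ssl_request_log(line)
        if rec is None or WEAK_CIPHER_RE.match(rec["cipher"]) is None:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else rec["request"]
        hits.append((rec["host"], path, rec["cipher"]))
    return hits


# Constructed sample log lines (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = [
    '[26/Jan/2010:22:40:01 -0500] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /foo/index.php HTTP/1.1" 512',
    '[26/Jan/2010:22:40:05 -0500] 192.0.2.11 SSLv3 EXP-RC4-MD5 "GET /index.html HTTP/1.0" 1024',
    '[26/Jan/2010:22:40:09 -0500] 192.0.2.12 TLSv1 NULL-SHA "GET /foo/secret.php HTTP/1.1" -',
    'not a log line',
]

# Constructed requests exercising each branch of the policy.
SAMPLE_REQUESTS = [
    ("/index.html", {"SSL_CIPHER": "AES128-SHA", "SSL_CLIENT_VERIFY": "NONE"}),
    ("/foo/index.php", {"SSL_CIPHER": "AES128-SHA", "SSL_CLIENT_VERIFY": "NONE"}),
    ("/foo/index.php", {"SSL_CIPHER": "AES128-SHA", "SSL_CLIENT_VERIFY": "SUCCESS"}),
    ("/foo/index.php", {"SSL_CIPHER": "EXP-RC4-MD5", "SSL_CLIENT_VERIFY": "SUCCESS"}),
    ("/foo/index.php", {"SSL_CIPHER": "AES128-SHA", "SSL_CLIENT_VERIFY": "GENEROUS"}),
]

if __name__ == "__main__":
    for path, env in SAMPLE_REQUESTS:
        print(f"{access_decision(path, env)} {path} cipher={env['SSL_CIPHER']} "
              f"verify={env['SSL_CLIENT_VERIFY']}")
    for host, path, cipher in weak_cipher_requests(SAMPLE_LOG):
        print(f"weak cipher {cipher} used by {host} for {path}")
```

The point the model makes visible is why the workaround avoids the renegotiation failure: with `optional`, the certificate request happens in the initial handshake for every path, so entering /foo/ never changes the verification mode mid-session; the price is the client prompt on every part of the site that the post complains about. The log scan is the defender-side companion to the `^(EXP|NULL)` clause: it shows which clients actually negotiated ciphers that clause would refuse, which is useful before tightening the vhost-level SSLCipherSuite.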
Posted: Wed Jan 27, 2010 1:30 pm
Senior Member (Joined: Tue Apr 13, 2004 6:54 pm, Posts: 833)
Get a 2nd IP address from Linode, run one Apache SSL vhost without client certs, and run the other vhost with client certs :-)

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)

Posted: Wed Jan 27, 2010 1:43 pm
Senior Member (Joined: Mon Jul 30, 2007 9:55 pm, Posts: 80)
Hmm. $12 a year just might be worth it.