Re: Re: Client certificate authentication issues

I have had my share of trouble with client certificate authentication / SSL renegotiation. It is difficult to troubleshoot. In addition to what Mark already suggested, here are some other things that may help:

1. Try to reduce the possible amount of SSL protocols and ciphers that client and server are going to negotiate about. I have the following settings in use now:

SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite !DH:HIGH

2. Reduce the amount of possible renegotiation attempts. Inside the <Location> block where you have "SSLVerifyClient require", add "SSLOptions +OptRenegotiate". The manual does not recommend turning it on in the global configuration or for an entire vhost, but restricting it to some specific <Location> or <Directory> only.

3. For compatibility with older browsers, you may need to turn on SSLInsecureRenegotiation. Be aware that this opens your SSL sessions to a possible man-in-the-middle attack (CVE-3555), but in some cases the only other option is that clients won't be able to access your site at all - unfortunately you can't always tell everyone to upgrade their browser.

4. Make sure you are not using some very old version of OpenSSL.

--
Toomas Aas
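As an added example (not part of Toomas' message or any project's own configuration), here is how the four suggestions fit together in a single Apache httpd vhost: the narrowed protocol and cipher lists from point 1, "SSLVerifyClient require" plus "SSLOptions +OptRenegotiate" confined to one <Location> as in point 2, and SSLInsecureRenegotiation left off by default as in point 3. ServerName, the certificate paths and the /secure path are placeholders; the SSLProtocol and SSLCipherSuite values are the ones quoted in the message.

```apache
# Added example, not from the original message.
# ServerName, file paths and the /secure path are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    # CA that issued the client certificates you intend to accept
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # (1) Narrow what client and server can negotiate. These are the
    #     values quoted in the message; trim them further if your
    #     clients allow it.
    SSLProtocol -All +SSLv3 +TLSv1
    SSLCipherSuite !DH:HIGH

    # No client certificate is requested for the vhost as a whole, so
    # no renegotiation happens on ordinary requests.
    SSLVerifyClient none

    # (3) Only if legacy clients cannot connect otherwise. Leaving this
    #     line commented keeps the default (off), which is the
    #     recommended state.
    # SSLInsecureRenegotiation on

    # (2) Require a client certificate, and enable OptRenegotiate, only
    #     for the protected path. This is the one place the handshake
    #     is renegotiated.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>
```

Run "apachectl configtest" (or "httpd -t") after editing; an unknown directive here usually means mod_ssl is too old for it, which ties back to point 4 about the OpenSSL and mod_ssl versions in use. Note that Apache does not allow a comment on the same line as a directive, which is why every comment above sits on its own line.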

