Thank you Toomas. I will also try these settings and see what I get. I am currently running OpenSSL version 1.0.0 with Apache 2.2.15.

Regards,
VP

On Tue, Oct 16, 2012 at 3:58 PM, Toomas Aas <toomas.aas@xxxxxxxxxxxxx> wrote:
> I have had my share of trouble with client certificate authentication / SSL
> renegotiation. It is difficult to troubleshoot. In addition to what Mark
> already suggested, here are some other things that may help:
>
> 1. Try to reduce the possible number of SSL protocols and ciphers that
> client and server are going to negotiate about. I have the following settings in
> use now:
>
> SSLProtocol -All +SSLv3 +TLSv1
> SSLCipherSuite !DH:HIGH
>
> 2. Reduce the number of possible renegotiation attempts. Inside the
> <Location> block where you have "SSLVerifyClient require", add "SSLOptions
> +OptRenegotiate". The manual does not recommend turning it on for the global
> configuration or an entire vhost, but restricting it to some specific <Location> or
> <Directory> only.
>
> 3. For compatibility with older browsers, you may need to turn on
> SSLInsecureRenegotiation. Be aware that this opens your SSL sessions to a
> possible man-in-the-middle attack (CVE-3555), but in some cases the only
> other option is that clients won't be able to access your site at all;
> unfortunately you can't always tell everyone to upgrade their browser.
>
> 4. Make sure you are not using some very old version of OpenSSL.
>
> --
> Toomas Aas
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
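The four points quoted above, put together in one Apache 2.2 vhost as an added example (not configuration from either poster); the host name, certificate paths, the /secure path and the log path are placeholders, and the only values taken from the thread are the SSLProtocol and SSLCipherSuite lines and the OptRenegotiate placement.

```apache
# Added example, not from the thread. Placeholder names and paths throughout.
<VirtualHost *:443>
    ServerName www.example.com                            # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt       # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/server.key     # placeholder path
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt    # CA that issued the client certs

    # Point 1: narrow what client and server can negotiate (values quoted from the thread)
    SSLProtocol -All +SSLv3 +TLSv1
    SSLCipherSuite !DH:HIGH

    # Point 3: keep insecure (pre-RFC 5746) renegotiation off, which is the default.
    # Switch it to "on" only for clients that cannot do secure renegotiation,
    # accepting the man-in-the-middle exposure the thread warns about.
    SSLInsecureRenegotiation off

    # Point 2: require the client certificate only where it is needed, and let
    # mod_ssl skip a fresh renegotiation when the existing session already meets
    # the requirements (+OptRenegotiate). Scoped to <Location>, not the whole vhost.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +OptRenegotiate
    </Location>

    # Verbose mod_ssl output is the quickest way to see why a renegotiation failed
    LogLevel debug
    ErrorLog /var/log/apache2/ssl-error.log              # placeholder path
</VirtualHost>
```

Point 4 is a package check rather than configuration: `openssl version` on the server should report a release that understands secure renegotiation before relying on the settings above.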