Can I set the SSLInsecureRenegotiation Directive Dynamically


 



We're running Apache 2.2.22 with OpenSSL 0.98. One of our Citrix NetScaler
hosts cannot send a client certificate after the SSL handshake, as we have to
set SSLInsecureRenegotiation off as a security standard.
 
Is there any way to dynamically set this directive based on Remote_Addr? I
have tried so many settings but, as designed I guess, there doesn't seem to
be a way of selectively allowing SSLInsecureRenegotiation for one user agent
or IP.
 
We've already patched to the latest NetScaler 10, but after the initial SSL
handshake a renegotiation request is sent back from Apache to the NetScaler
because a client cert is required for a LocationMatch. This is never
responded to, leading Apache to terminate the session. -
http://tools.ietf.org/html/rfc5746#section-3.5 . We're told by Citrix that
downstream rules are normally on a "trusted" network, and not supported
using the client method. Is it possible to differentiate between requests
and how the SSLInsecureRenegotiation directive is called by host identity of
some sort or IP?
 
Citrix have basically said that when the NetScaler acts as a client, it never
sends the extension as the backend zone is assumed to be on a secure
network; it's not something that they have enabled or support running in
client mode. - IE/Latest Browser - HTTP to NetScaler alias - HTTP-HTTPS
rewrite + client certificate to Apache. I believe the NetScaler doesn't
reply as being able to securely renegotiate and the session is terminated.
Is it possible to set this directive off (or others) if the client comes
from a particular host identity?
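
The post turns on whether the NetScaler's ClientHello carries either RFC 5746 signal: the `renegotiation_info` extension or the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite value. The following is an added example, not part of the original post, that checks one TLS record taken from a packet capture for both signals; the function names and the sample ClientHellos are constructed for illustration, and it assumes the whole ClientHello sits in a single record.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 renegotiation_info extension type
EMPTY_RENEG_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value

def rfc5746_signals(record: bytes) -> dict:
    """Report which RFC 5746 signals one TLS record holding a full ClientHello carries."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                          # skip client_version and random
        pos += 1 + body[pos]                  # skip session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        suites = struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2)
        pos += 2 + cs_len
        pos += 1 + body[pos]                  # skip compression_methods
        ext_types = []
        if pos < len(body):                   # the extensions block is optional
            (ext_total,) = struct.unpack_from("!H", body, pos)
            pos, end = pos + 2, pos + 2 + ext_total
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", body, pos)
                ext_types.append(ext_type)
                pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return {"scsv": EMPTY_RENEG_SCSV in suites, "extension": RENEGOTIATION_INFO in ext_types}

def supports_secure_renegotiation(record: bytes) -> bool:
    return any(rfc5746_signals(record).values())

def build_hello(suites, extensions=()):
    """Build a constructed TLS 1.0 ClientHello record (sample data, not a real capture)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x01" + bytes(32) + b"\x00"  # version, zeroed random, empty session_id
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    body += b"\x01\x00"                       # one compression method: null
    if extensions:
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    samples = {"legacy client": build_hello([0x002F, 0x0035]),
               "SCSV only": build_hello([0x002F, 0x00FF]),
               "extension": build_hello([0x002F], [(0xFF01, b"\x00")])}
    for name, rec in samples.items():
        print(name, rfc5746_signals(rec))
```

A record for which both values are false comes from a client that has not signalled secure renegotiation support in its initial handshake.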





