We're running Apache 2.2.22 with OpenSSL 0.98. One of our Citrix NetScaler hosts cannot send a client certificate after the SSL handshake, as we have to set SSLInsecureRenegotiation off as a security standard.

Is there any way to dynamically set this directive based on Remote_Addr? I have tried so many settings but, as designed I guess, there doesn't seem to be a way of selectively allowing SSLInsecureRenegotiation for one user agent or IP.

We've already patched to the latest NetScaler 10, but after the initial SSL handshake a renegotiation request is sent back from Apache to the NetScaler, because a client cert is required for a LocationMatch. This is never responded to, leading Apache to terminate the session. - http://tools.ietf.org/html/rfc5746#section-3.5

We're told by Citrix that downstream rules are normally on a "trusted" network and not supported using the client method. Is it possible to differentiate between requests, and how the SSLInsecureRenegotiation directive is called, by host identity of some sort or IP?

Citrix have basically said that when the NetScaler acts as a client, it never sends the extension, as the backend zone is assumed to be on a secure network; it's not something that they have enabled or support running in client mode.

- IE/Latest Browser
- HTTP to NetScaler alias
- HTTP-HTTPS rewrite + client certificate to Apache

I believe the NetScaler doesn't reply as being able to securely renegotiate and the session is terminated.

Is it possible to set this directive off (or others) if the client comes from a particular host identity?

--
View this message in context: http://apache-http-server.18135.n6.nabble.com/Can-I-set-the-SSLInsecureRenegotiation-Directive-Dynamically-tp5003027.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
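
The following Apache 2.2 configuration is an added example, not part of the original post or of any reply to it. SSLInsecureRenegotiation is accepted only in server config or virtual host context, so it cannot be switched per Remote_Addr or per LocationMatch; the sketch instead avoids the renegotiation by requiring the client certificate at virtual host level, where mod_ssl requests it during the initial handshake, and keeps SSLInsecureRenegotiation off. The addresses, port, hostname, file paths and URL pattern are constructed placeholders, and it assumes the NetScaler presents its certificate when asked in the initial handshake.

```apache
# Added example with constructed values:
#   198.51.100.5:8443 = dedicated listener used only by the NetScaler (placeholder)
#   192.0.2.10        = NetScaler source address (placeholder)
Listen 198.51.100.5:8443

<VirtualHost 198.51.100.5:8443>
    ServerName backend.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # Per-server context: mod_ssl asks for the client certificate in the
    # initial handshake, so no later renegotiation is needed to obtain it.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Secure default, stated explicitly. Valid only in server config or
    # virtual host context, which is why it cannot follow the client address.
    SSLInsecureRenegotiation off

    <LocationMatch "^/protected/">
        # Deliberately no SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite here:
        # per-directory values that differ from the vhost force a renegotiation.
        SSLRequireSSL

        # Apache 2.2 access control: only the NetScaler may reach this path.
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
    </LocationMatch>
</VirtualHost>
```

Other clients can keep using the existing virtual host with its per-location SSLVerifyClient, since browsers that implement RFC 5746 renegotiate securely.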