http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c1 --- Comment #1 from jean-christophe baptiste 2009-11-24 21:34:32 UTC --- I forgot to add that I first tried to get some hints from upstream, on the mod-ssl mailing list. I got little feedback and no clue about what is going on. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c2 --- Comment #2 from jean-christophe baptiste 2009-11-28 09:21:26 UTC --- Ok, as a kind guy on IRC pointed out, it might have something to do with a recent patch from upstream : http://www.mail-archive.com/openssl-users@openssl.org/msg59562.html By the way, the exact versions of openSSL I tried : Debian Lenny : OpenSSL 0.9.8g 19 Oct 2007 openSUSE 11.2 : OpenSSL 0.9.8k 25 Mar 2009 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c4 --- Comment #4 from jean-christophe baptiste 2009-11-28 14:27:44 UTC --- The comments are interesting there : https://bugzilla.redhat.com/show_bug.cgi?id=533125 So it appears not to be a breakage but a "feature". Renegociation is just not allowed anymore, breaking any client authentication. By the way, the log could be improved on this point. The message telling it is not accepted by the client is just wrong and confusing. So as long as browsers don't get a patch also, it seems to be a no go. Personnally I will probably stick with an older version of ssl until then. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c6 Tomas Hoger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |thoger@pobox.sk --- Comment #6 from Tomas Hoger 2009-11-30 07:42:47 UTC --- OpenSSL 0.9.8l does not send hello request when server calls SSL_do_handshake. IIRC, SUSE-SA:2009:057 did add the patch equal to 0.9.8k -> 0.9.8l diff. As SSLVerifyClient none global setting + SSLVerifyClient require for some directory requires renegotiation, so it does not work with 0.9.8l (unless you modify mod_ssl to set flag). -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c8 --- Comment #8 from Guanjun He 2009-12-29 03:11:41 UTC --- please reference bug #553641. Renegotiation is disabled. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c10 Thomas Schmühl changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |t.schmuehl@fz-juelich.de --- Comment #10 from Thomas Schmühl 2010-02-15 13:01:04 UTC --- Is there anything new about this problem? I've got the same problem with my SLES 10 after updating it to SP3 (and the final patchlevel). We need these renegotiation handshakes because we have configured "SSLVerifyClient require" for some directories. What can I do? -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=558176 http://bugzilla.novell.com/show_bug.cgi?id=558176#c14 --- Comment #14 from Willy Weisz 2010-03-16 11:50:49 UTC --- (In reply to comment #9)

As soon as the problem is really solved upstream we will release updates.

It's already solved in openssl-0.9.8m(!) which incorporates TLS renegotiation according to RFC 5746, but this version isn't available as openSuSE RPM. So please release a corresponding update!!! And please release an Apache 2.2.15 RPM compiled against openssl-0.9.8m which allows to accept or reject unsecure "old-style" TLS renegotiations. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.