Client Side Negotiation

Question

I have -MultiViews set and SSLInsecureNegotation off ( in ifmodule of mod_ssl.c) in Apache.

But still vulnerability report says I am vulnerable to client side negotiation and "This server is vulnerable to MITM attacks because it supports insecure renegotiation".

Any pointers ?

The same configuration works on our TEST environments. THe only difference is the build release versions.

The systems where it is vulnerable has 31 around release build and in our TEST environment we have 53 release build version)

All on apache 2.2.3 (Oracle provided)

Thanks !

score 0 · Answer 1 · answered Jan 11 '13 at 18:09

0

You must update httpd to version 2.2.3-31 or later to mitigate this vulnerability. See RHSA 2009:1579 for details.

(Note that the latest release as of this writing is 2.2.3-76.)

answered Jan 11 '13 at 18:09

Michael Hampton

244,070
43
506
972

If thats the case, then it should work in our live environment as there we have 2.2.3-31 – Novice User Jan 12 '13 at 09:02

Client Side Negotiation

1 Answers1