
I'm testing SSL Insecure Renegotiation vulnerability with Apache and OpenSSL.

When Apache 2.2.14 was compiled against OpenSSL 0.9.8k, openssl command could establish client-initiated insecure SSL renegotiation with Apache as follows:

# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify return:1

HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 13:54:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1b006b0-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

closed
# 

But with Apache 2.2.15 compiled against OpenSSL 0.9.8m, client-initiated SSL renegotiation failed even when "SSLInsecureRenegotiation on" was added to ssl.conf:

# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
CONNECTED(00000003)
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
4790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#

The latter result is seemingly unexpected. Is the SSLInsecureRenegotiation directive not working? I want to know how to make the directive effective.

Thank you in advance.

  • Try testing with `-legacy_renegotiation` option. – jww Jan 24 '14 at 23:46
  • I tested `-legacy_renegotiation` option with openssl 0.9.8m as openssl 0.9.8k doesn't support the option. But it didn't work. –  Jan 26 '14 at 11:28
  • I wonder if `SSLInsecureRenegotiation` enables only server-initiated insecure renegotiation and client-initiated insecure renegotiation is still disabled. –  Jan 26 '14 at 12:33
  • There is a `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` context option. I suppose that's what `SSLInsecureRenegotiation` controls. There's also a `SSL_AD_NO_RENEGOTIATION`, but I'm not sure how it's used other than it has to do with TLS. Both are declared in `ssl.h`. There are no `#defines` for secure renegotiation, so I don't think it can be disabled at compile time. – jww Jan 26 '14 at 14:46
  • Thanks, noloader. I looked through the source code of Apache (ssl_engine_kernel.c) and found that from Apache 2.2.15 up to Apache 2.4.7 (latest), every client-initiated renegotiation in an ssl session is rejected and causes the ssl session to be aborted. –  Jan 27 '14 at 13:29
  • You can find that from `ssl_callback_Info()` in `ssl_engine_kernel.c`. –  Jan 27 '14 at 13:31
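The transcripts above rely on `openssl s_client` and the interactive `R` command to see whether a server tolerates a legacy renegotiation. A complementary check a defender can script is to look at the ServerHello itself: a server that implements RFC 5746 advertises the `renegotiation_info` extension (type 0xff01), and a ServerHello without it means any renegotiation the server does accept would be the pre-RFC 5746, insecure kind. The following is an added example, not code from the question or from Apache/OpenSSL; it builds two constructed ServerHello records (one with the extension, one without) and classifies them, so it runs offline. The `build_server_hello` helper and the `renegotiation_status` labels are this example's own inventions; the extension type and SCSV value are the real RFC 5746 constants.

```python
"""Check a TLS ServerHello for the RFC 5746 secure-renegotiation signal (added example)."""
import struct

# RFC 5746 identifiers (real values).
RENEGOTIATION_INFO_EXT = 0xFF01             # renegotiation_info extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite a client may send
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def build_server_hello(cipher_suite, extensions):
    """Build a TLS 1.2 ServerHello record from (type, data) extension pairs.

    Constructed test input for this example; the random field is all zeros.
    """
    body = struct.pack("!H", 0x0303)       # server_version: TLS 1.2
    body += bytes(32)                       # random (zeros: constructed)
    body += b"\x00"                         # session_id length 0
    body += struct.pack("!H", cipher_suite)
    body += b"\x00"                         # compression_method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if ext_bytes:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one ServerHello record into version, cipher suite and extensions."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                            # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len                       # skip session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 1                             # skip cipher suite and compression
    extensions = {}
    if pos < len(body):                      # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions length exceeds body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher, "extensions": extensions}


def renegotiation_status(record):
    """Classify the server's renegotiation posture from its initial ServerHello.

    'secure'    - renegotiation_info present with the empty value RFC 5746 requires
    'insecure'  - no RFC 5746 signal; the server predates or disables secure renegotiation
    'malformed' - extension present but carries data in the initial handshake
    """
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO_EXT)
    if ext is None:
        return "insecure"
    if ext != b"\x00":                       # renegotiated_connection must be empty here
        return "malformed"
    return "secure"


if __name__ == "__main__":
    with_ext = build_server_hello(0x002F, [(RENEGOTIATION_INFO_EXT, b"\x00")])
    without_ext = build_server_hello(0x002F, [])
    print("with renegotiation_info:   ", renegotiation_status(with_ext))
    print("without renegotiation_info:", renegotiation_status(without_ext))
```

In practice the record passed to `renegotiation_status` would be the first handshake record read back from a real server after sending a ClientHello that includes `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` or an empty `renegotiation_info` extension; an "insecure" result is the condition under which the `R` command in the transcripts would perform a legacy renegotiation if the server allowed it at all.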
