OS X Server Security Update 2010-001 and Apache client authentication
So, it seems that Apple have disabled SSL renegotiation (CVE-2009-3555) in the latest security patch because of a man-in-the-middle vulnerability in the renegotiation handshake. All well and good.
Client authentication with Apache relies on renegotiating the connection: the secure connection is set up with the server presenting its certificate, and when a request then lands somewhere that requires a client certificate (SSLVerifyClient set in a per-directory or per-location context, which Apache cannot evaluate until it has read the request) the connection is renegotiated so the client can present one. With renegotiation disabled, that second handshake cannot complete. My virtual host error logs were filling up with all sorts of completely useless and uninformative errors, such as:
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Connection to child 1 established (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] Seeding PRNG with 144 bytes of entropy
[Mon Jan 25 16:01:57 2010] [info] Initial (No.1) HTTPS request received for child 1 (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Awaiting re-negotiation handshake
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation request failed
...and so on. The "Not accepted by client" wording makes this look like a problem at the client end, but it is the server end that is refusing to renegotiate. The fix? Er... there isn't one as yet. I'll update this post if I work out how to fix it.
- zac.
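As an added illustration (not configuration from the original post, and not a fix the post offers), here are the two placements of SSLVerifyClient in mod_ssl that determine whether the renegotiation seen in the log above happens at all. Host names, addresses, file paths and the CA bundle are placeholders.

```apache
# Constructed example, not the original post's configuration.
# Host names, addresses, paths and the CA bundle are placeholders.

# Placement A: per-location client verification.
# The initial handshake completes with only the server certificate. Apache then
# reads the request, sees that it falls under /secure/, and renegotiates to ask
# the client for a certificate. With renegotiation disabled in the OpenSSL
# library, that second handshake is what fails ("Re-negotiation handshake
# failed" in the error log).
<VirtualHost 192.0.2.10:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/certificates/example.test.crt
    SSLCertificateKeyFile /etc/certificates/example.test.key
    SSLCACertificateFile  /etc/certificates/client-ca.crt

    <Location /secure/>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# Placement B: client verification for the whole virtual host.
# The client certificate is requested in the initial handshake, so no
# renegotiation takes place. The cost is that every request to this host,
# including / and static content, now requires a client certificate, which is
# why it is given its own address here rather than sharing one with
# example.test.
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.test
    SSLEngine on
    SSLCertificateFile    /etc/certificates/secure.example.test.crt
    SSLCertificateKeyFile /etc/certificates/secure.example.test.key
    SSLCACertificateFile  /etc/certificates/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

To see which case a server is in, connect with `openssl s_client -connect host:443` and type `R` on a line by itself, which asks s_client to renegotiate; a server that refuses will not complete the second handshake, and newer OpenSSL builds also print whether "Secure Renegotiation" is supported in the session summary.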