OS X Server Security Update 2010-001 and Apache client authentication
So, it seems that Apple have disabled SSL/TLS renegotiation in the latest security update because of the man-in-the-middle vulnerability in it (CVE-2009-3555). All well and good.
Client certificate authentication with Apache relies on renegotiating the connection (the secure connection is set up with the server presenting its certificate, then renegotiated so that the client can present its certificate) – which is now broken. My virtual host error logs were filling up with all sorts of completely useless and uninformative errors, such as:
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Connection to child 1 established (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] Seeding PRNG with 144 bytes of entropy
[Mon Jan 25 16:01:57 2010] [info] Initial (No.1) HTTPS request received for child 1 (server <server-address>:443)
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Awaiting re-negotiation handshake
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 25 16:01:57 2010] [info] [client <ip-address>] Requesting connection re-negotiation
[Mon Jan 25 16:01:57 2010] [error] [client <ip-address>] Re-negotiation request failed
…and so on. It looks like a problem at the client end – but it’s actually at the server end. The fix? Er… there isn’t one as yet. I’ll update this post if I work out how to fix it.
- zac.
I’ve got this same issue that just raised its ugly head on my CentOS box running Apache. Did you figure out a fix? I can’t imagine all Apache users are just simply living without client certificate authentication now.
FYI
I figured out the issue and posted it to this CentOS forum.
https://www.centos.org/modules/newbb/viewtopic.php?topic_id=25557&forum=38
Hey Bob, thanks for posting those pointers (and sorry it took me so long to notice your comment!)
Oh wow, trying this out for myself has been quite a pain in the ass. For one – OS X Server doesn’t have a version of Apache recent enough to recognise the SSLInsecureRenegotiation directive, so that’s a complete deal-breaker. Hopefully Apple will update to a more modern version of Apache at some point, but I’m not holding my breath.
In testing on another server (running Debian Lenny), I found a similarly ancient version of Apache as well – so I had to “dist-upgrade” to Debian Squeeze (which is the current ‘testing’ Debian distro) first before I was able to get things up and running.
Finally got it all sorted out, plus for bonus points I actually got logging working the way I wanted it to. I’ll write up a new post on how to get this working in detail soon.
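Pulling the post and the comments together, here is an added configuration example (my own, not from the original post, Apple or the Apache project; the hostnames, file paths and the /secure location are placeholders). It shows the per-Location setup that forces the renegotiation seen in the logs above, the SSLInsecureRenegotiation workaround from the comments, and a vhost-scoped alternative that needs no renegotiation at all.

```apacheconf
# Added example, not from the original post. Hostnames, paths and
# the /secure location below are placeholders.

# --- Pattern that needs renegotiation (breaks once renegotiation is off) ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # Initial handshake presents the server certificate only. On a request
    # for /secure, mod_ssl must renegotiate to ask for the client certificate,
    # which is where the "Re-negotiation handshake failed" errors come from.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Quick fix from the comments: re-enable legacy renegotiation ---
# Needs httpd 2.2.15 or later built against OpenSSL 0.9.8m or later,
# which is why the stock OS X Server and Debian Lenny builds reject it.
# It re-exposes the server to CVE-2009-3555, so treat it as a stopgap.
#   SSLInsecureRenegotiation on

# --- Renegotiation-free alternative: verify in virtual-host scope ---
# With SSLVerifyClient at virtual-host level the client certificate is
# requested during the initial handshake, so no renegotiation is needed.
# A dedicated name/port keeps anonymous visitors from being prompted.
<VirtualHost *:8443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Log the verification result and client subject DN per request.
    CustomLog /var/log/apache2/secure-ssl.log "%t %h %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN}x \"%r\" %>s"
</VirtualHost>
```

Check with `apachectl configtest` after editing; an httpd that predates the directive fails the test with an "Invalid command" error rather than silently ignoring it.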