Ssl – set the SSLInsecureRenegotiation Directive with SetEnvIf

apache-2.2opensslssl

We're running Apache 2.2.22 with OpenSSL 0.98, one of our Citrix NetScaler Hosts cannot send a client certificate after handshaking SSL as we have to set SSLInsecureRenegotiation off as a security standard.

Is there anyway to dynamically set this directive based on Remote_Addr? I have tried so many settings but as designed I guess, there doesn't seem to be a way of selectively allowing SSLInsecureRenegotiation for one user agent or IP?

We've already patched to latest NetScaler 10, but after the SSL initial handshake a renegotiation request is sent back from Apache to the NetScaler because as a client cert is required for a LocationMatch, this is never responded to leading Apache to terminate session. – https://www.rfc-editor.org/rfc/rfc5746#section-3.5 . We're told by Citrix that downstream rules are normally on a "trusted" network, and not supported using the client method, is it possible to differentiate between requests and how the SSLInsecureRenegotiation directive is called by host identity of some sort or IP?

Some comments from other forum –

I don't believe it can be set anywhere lower than virtual server level, which is why I'm thinking it needs to be addressed at the load-balancer, (despite what Citrix might say). They seem to have quite a few different values that TLS Renegotiation that can be set, including disabling renegotiation support between client and server altogether. Maybe posting this question over on serverfault will help? – mahnsc 14 hours ago

Hi, problem is more that SSL offload is designed to operate in front of web servers, not clients end but unfortunately our project went ahead regardless. Citrix have not fully implemented RFC 5746 extension to prevent man-in-the-middle attacks out the backend as they consider the backend behind the Netscaler (Logical in this reversed context) a trusted channel, with a 3rd party hosting Apache with the strict security rules for all traffic. I could probably convince them to set a special case for our host, but can't find a way of setting the directive in-session. – ev4nsj 14 mins ago

Best Answer

You need to apply an update to your NetScaler hosts as described in Citrix security bulletin CTX123359.

Appliance firmware version 8.1, build 68.7 or later, and version 9.1, build 99.8 or later.

Related Solutions

Nginx – WebDav rename fails on an Apache mod_dav install behind NginX

(Back to the days when I used Subversion) I had similar problem with proxying to Apache SVN from Nginx SSL frontend. Suppose Nginx SSL frontend is https ://host and we'd like to proxy connections to the internal Apache SVN server http ://svn

The problem occurs when you try to copy a resource is with Destination header:

COPY /path HTTP/1.1
Host: host
Destination: https://host/another_path

As you can see Destination header still contains https schema. The fix is pretty evident --

location / {
    # to avoid 502 Bad Gateway:
    # http://vanderwijk.info/Members/ivo/articles/ComplexSVNSetupFix
    set $destination $http_destination;

    if ($destination ~* ^https(.+)$) {
         set $destination http$1;
    }

    proxy_set_header Destination $destination;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_pass http://svn;
}

Ssl – Apache SSL Log Incomplete SSL Handshake

SSL connections have extra options for CustomLog but they're not going to break down the step-by-step connection status. You'll probably want to try LogLevel debug, but that will get you plenty of extra junk to wade through.

Honestly, a better idea for this class would be to demonstrate using the openssl s_server command, since it can be configured to show the step-by-step progress of the SSL state machine, you'll be able to see exactly at what step the client dropped the connection.

Something like

openssl s_server -key [somekey.pem] -cert [somecert.pem] -accept 443 -state -www

When someone connects it'll print off the steps of the connection:

SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data

the -www option makes it print some information when someone actually connects to it with a webbrowser. If the user navigates away without accepting the fake cert, then I'm guessing the connection will be broken somewhere in the middle there.

You can use the openssl s_client command in a similar fashion, though I'm not certain how flexible it is about accepting or not accepting invalid certificates.

Best Answer

Related Solutions

Nginx – WebDav rename fails on an Apache mod_dav install behind NginX

Ssl – Apache SSL Log Incomplete SSL Handshake

Related Topic