logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Enabling Secure Client-Initiated Renegotiation
Author
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands
PostPosted: Tue 15 Mar '16 18:46    Post subject: Enabling Secure Client-Initiated Renegotiation Reply with quote
I'd like to use Secure Client-Initiated Renegotiation on my Apache server but according to SSL-labs it's currently (by default?) disabled.

How can I enable this? Why is this not enabled by default?

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Secure_Renegotiations
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
PostPosted: Tue 15 Mar '16 19:04    Post subject: Reply with quote
You need a new OpenSSL Version I guess.
this is my current apache config with the last OpenSSL Version which works. https://gist.github.com/JBlond/a60ff12944c28d0b6349

That is by default see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslinsecurerenegotiation

Maybe your Apache version is not the last version?
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands
PostPosted: Tue 15 Mar '16 19:34    Post subject: Reply with quote
I'm using Apache 2.4.18 from this PPA: https://launchpad.net/~ondrej/+archive/ubuntu/apache2 on Ubuntu 15.10

SSL labs reports:
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
Back to top
gijs



Joined: 27 Apr 2012
Posts: 189
Location: The Netherlands
PostPosted: Tue 15 Mar '16 23:46    Post subject: Reply with quote
I've checked the openssl version which appears to be:
OpenSSL 1.0.2g 1 Mar 2016

Another thing I've noticed is that next protocol negotiation appears to be disabled according to ssllabs.

Although the site also reports that some browsers(e.g. edge, firefox and chrome) use H2. (TLS 1.2 > h2)
IE11 reports: TLS 1.2 > http/1.1

Code:

<IfModule http2_module>
        ProtocolsHonorOrder On
        Protocols h2 http/1.1
        H2Direct on
</IfModule>


Not sure why there is no next protocol negotiation reported. Perhaps because the server supports ALPN?
Back to top


Reply to topic   Topic: Enabling Secure Client-Initiated Renegotiation View previous topic :: View next topic
Post new topic   Forum Index -> Apache