I'm testing the SSL insecure renegotiation vulnerability with Apache and OpenSSL.
When Apache 2.2.14 was compiled against OpenSSL 0.9.8k, the openssl command could establish client-initiated insecure SSL renegotiation with Apache as follows:
```
# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify return:1
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 13:54:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1b006b0-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
closed
#
```
But with Apache 2.2.15 compiled against OpenSSL 0.9.8m, client-initiated SSL renegotiation failed even when `SSLInsecureRenegotiation on` was added to ssl.conf:
```
# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
CONNECTED(00000003)
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
4790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#
```
The latter result is seemingly unexpected. Is the SSLInsecureRenegotiation directive not working? I want to know how to make the directive effective.
Thank you in advance.
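As an added example (not from the question or any answer), a small POSIX shell helper that classifies an `openssl s_client` transcript like the ones above: it looks for the `Secure Renegotiation IS [NOT] supported` line that OpenSSL 0.9.8m and later clients print after the handshake (the 0.9.8k client used in the question prints no such line, and the transcripts elide that region with `[...]`), and for the outcome of a forced `R` renegotiation. The sample transcripts are constructed, and `audit_host` is a hypothetical wrapper name.

```shell
#!/bin/sh
# classify_reneg: read an `openssl s_client` transcript on stdin and print
#   field 1: rfc5746-yes | rfc5746-no | rfc5746-unknown
#            from the client's "Secure Renegotiation IS [NOT] supported" line
#            (only printed by OpenSSL >= 0.9.8m clients; a 0.9.8k client
#             prints nothing, hence "unknown")
#   field 2: reneg-not-tried | reneg-ok | reneg-refused
#            outcome of typing "R" to force a renegotiation
# Reading: "rfc5746-no reneg-ok" means the server still accepts legacy
# (insecure) renegotiation; "reneg-refused" is the patched-server behaviour
# seen in the question's second transcript.
classify_reneg() {
  t=$(cat)
  if printf '%s\n' "$t" | grep -q 'Secure Renegotiation IS supported'; then
    ext=rfc5746-yes
  elif printf '%s\n' "$t" | grep -q 'Secure Renegotiation IS NOT supported'; then
    ext=rfc5746-no
  else
    ext=rfc5746-unknown
  fi
  if ! printf '%s\n' "$t" | grep -q '^RENEGOTIATING'; then
    r=reneg-not-tried
  elif printf '%s\n' "$t" | grep -q 'ssl handshake failure'; then
    r=reneg-refused
  else
    r=reneg-ok
  fi
  printf '%s %s\n' "$ext" "$r"
}

# audit_host HOST PORT (hypothetical wrapper): live check of a server you
# administer. stdin is closed so s_client exits after the handshake, so no
# renegotiation is attempted and only the RFC 5746 field is meaningful.
audit_host() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | classify_reneg
}

# Constructed sample transcripts modelled on the question (not real captures).
SAMPLE_LEGACY_OK='HEAD / HTTP/1.0
R
RENEGOTIATING
HTTP/1.1 200 OK
closed'
SAMPLE_LEGACY_REFUSED='HEAD / HTTP/1.0
R
RENEGOTIATING
4790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'
SAMPLE_MODERN_OK='Secure Renegotiation IS supported
HEAD / HTTP/1.0
R
RENEGOTIATING
HTTP/1.1 200 OK'
```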