You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Denis BUCHER (lists)" <db...@hsolutions.ch> on 2013/02/09 20:09:50 UTC
[users@httpd] Very confused about Re-negotiation request failed (and SSLInsecureRenegotiation)
Dear all,
Many users (but not all) are complaining that they can't access our SSL
webserver.
After some research I found two kind of error in apache logs :
a) Re-negotiation request failed / SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
b) Re-negotiation handshake failed: Not accepted by client!?
At first I really don't understand at all why this could happen ?
And secondly, I found some advices to add the "|SSLInsecureRenegotiation
on" option. Is it a solution, and is it only for very old browsers or
can it be required for still in use browsers ?
Thanks in advance for some help or any hint :-)
Best regards,
|Denis
Re: [users@httpd] Very confused about Re-negotiation request failed
(and SSLInsecureRenegotiation)
Posted by "Denis BUCHER (lists)" <db...@hsolutions.ch>.
Dear Edward,
On my side, the solution was to provide to these people a*non-SSL link
*and it worked for all of them.
But what's strange is that most of them told me that "their browser is
uptodate" and that their computer was recent.
The problem came mostly with people having MacOS and Safari as far as I
know.
Our SSL certificate is not a very expensive Verisign or Thawte SSL
certificate but a cheap one, with "chains". We did that because we don't
use it intensively.
Do you think this could also be part of the problem ?
Best regards,
Denis
Le 12.02.2013 13:25, Edward Quick a écrit :
> That doesn't surprise me to be honest. I would say it was a similar
> number in my case as well, It's a tricky one to manage because it's
> not easy to explain to customers.
> I tried to find an alternative solution but there wasn't one, and so
> passed the problem back to the customers/windows admins to fix.
>
> ------------------------------------------------------------------------
> Date: Tue, 12 Feb 2013 12:54:23 +0100
> From: dbucherml@hsolutions.ch
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Very confused about Re-negotiation request
> failed (and SSLInsecureRenegotiation)
>
> Dear Ed,
>
> What's surprising me is that I got more than 10% of users complaining
> they can't access our webserver. Are so many people equipped with
> outdated browsers ?
>
> Denis
>
> Le 11.02.2013 09:33, Edward Quick a écrit :
>
> Hi Denis,
> I've been through exactly the same situation. There isn't anything
> you can do from the apache side to fix this apart from enabling
> insecure renegotiation, but you shouldn't.
>
> The customers have to fix their end by possibly upgrading to a
> later browser in the case of FF/Chrome.
>
> Assuming your customers are on Windows, and using IE8 or below,
> then apply http://support.microsoft.com/kb/980436. Windows SP3 is
> a prerequisite.
>
> Hope this helps,
> Ed.
>
> ------------------------------------------------------------------------
> Date: Sat, 9 Feb 2013 20:09:50 +0100
> From: dbucherml@hsolutions.ch <ma...@hsolutions.ch>
> To: users@httpd.apache.org <ma...@httpd.apache.org>
> Subject: [users@httpd] Very confused about Re-negotiation request
> failed (and SSLInsecureRenegotiation)
>
> Dear all,
>
> Many users (but not all) are complaining that they can't access
> our SSL webserver.
>
> After some research I found two kind of error in apache logs :
> a) Re-negotiation request failed / SSL Library Error: 336068931
> error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy
> renegotiation disabled
> b) Re-negotiation handshake failed: Not accepted by client!?
>
> At first I really don't understand at all why this could happen ?
>
> And secondly, I found some advices to add the
> "|SSLInsecureRenegotiation on" option. Is it a solution, and is it
> only for very old browsers or can it be required for still in use
> browsers ?
>
> Thanks in advance for some help or any hint :-)
>
> Best regards,
>
> |Denis
>
>
RE: [users@httpd] Very confused about Re-negotiation request failed
(and SSLInsecureRenegotiation)
Posted by Edward Quick <ed...@hotmail.com>.
That doesn't surprise me to be honest. I would say it was a similar number in my case as well, It's a tricky one to manage because it's not easy to explain to customers.I tried to find an alternative solution but there wasn't one, and so passed the problem back to the customers/windows admins to fix.
Date: Tue, 12 Feb 2013 12:54:23 +0100
From: dbucherml@hsolutions.ch
To: users@httpd.apache.org
Subject: Re: [users@httpd] Very confused about Re-negotiation request failed (and SSLInsecureRenegotiation)
Dear Ed,
What's surprising me is that I got more than 10% of users
complaining they can't access our webserver. Are so many people
equipped with outdated browsers ?
Denis
Le 11.02.2013 09:33, Edward Quick a écrit :
Hi Denis,
I've been through exactly the same situation. There isn't
anything you can do from the apache side to fix this apart
from enabling insecure renegotiation, but you shouldn't.
The customers have to fix their end by possibly upgrading
to a later browser in the case of FF/Chrome.
Assuming your customers are on Windows, and using IE8 or
below, then apply http://support.microsoft.com/kb/980436.
Windows SP3 is a prerequisite.
Hope this helps,
Ed.
Date: Sat, 9 Feb 2013 20:09:50 +0100
From: dbucherml@hsolutions.ch
To: users@httpd.apache.org
Subject: [users@httpd] Very confused about Re-negotiation
request failed (and SSLInsecureRenegotiation)
Dear all,
Many users (but not all) are complaining that they can't
access our SSL webserver.
After some research I found two kind of error in apache
logs :
a) Re-negotiation request failed / SSL Library Error:
336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe
legacy renegotiation disabled
b) Re-negotiation handshake failed: Not accepted by
client!?
At first I really don't understand at all why this could
happen ?
And secondly, I found some advices to add the "SSLInsecureRenegotiation
on" option. Is it a solution, and is it only for very
old browsers or can it be required for still in use
browsers ?
Thanks in advance for some help or any hint :-)
Best regards,
Denis
Re: [users@httpd] Very confused about Re-negotiation request failed
(and SSLInsecureRenegotiation)
Posted by "Denis BUCHER (lists)" <db...@hsolutions.ch>.
Dear Ed,
What's surprising me is that I got more than 10% of users complaining
they can't access our webserver. Are so many people equipped with
outdated browsers ?
Denis
Le 11.02.2013 09:33, Edward Quick a écrit :
> Hi Denis,
> I've been through exactly the same situation. There isn't anything you
> can do from the apache side to fix this apart from enabling insecure
> renegotiation, but you shouldn't.
>
> The customers have to fix their end by possibly upgrading to a later
> browser in the case of FF/Chrome.
>
> Assuming your customers are on Windows, and using IE8 or below, then
> apply http://support.microsoft.com/kb/980436. Windows SP3 is a
> prerequisite.
>
> Hope this helps,
> Ed.
>
> ------------------------------------------------------------------------
> Date: Sat, 9 Feb 2013 20:09:50 +0100
> From: dbucherml@hsolutions.ch
> To: users@httpd.apache.org
> Subject: [users@httpd] Very confused about Re-negotiation request
> failed (and SSLInsecureRenegotiation)
>
> Dear all,
>
> Many users (but not all) are complaining that they can't access our
> SSL webserver.
>
> After some research I found two kind of error in apache logs :
> a) Re-negotiation request failed / SSL Library Error: 336068931
> error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation
> disabled
> b) Re-negotiation handshake failed: Not accepted by client!?
>
> At first I really don't understand at all why this could happen ?
>
> And secondly, I found some advices to add the
> "|SSLInsecureRenegotiation on" option. Is it a solution, and is it
> only for very old browsers or can it be required for still in use
> browsers ?
>
> Thanks in advance for some help or any hint :-)
>
> Best regards,
>
> |Denis
>
RE: [users@httpd] Very confused about Re-negotiation request failed
(and SSLInsecureRenegotiation)
Posted by Edward Quick <ed...@hotmail.com>.
Hi Denis,I've been through exactly the same situation. There isn't anything you can do from the apache side to fix this apart from enabling insecure renegotiation, but you shouldn't.
The customers have to fix their end by possibly upgrading to a later browser in the case of FF/Chrome.
Assuming your customers are on Windows, and using IE8 or below, then apply http://support.microsoft.com/kb/980436. Windows SP3 is a prerequisite.
Hope this helps,Ed.
Date: Sat, 9 Feb 2013 20:09:50 +0100
From: dbucherml@hsolutions.ch
To: users@httpd.apache.org
Subject: [users@httpd] Very confused about Re-negotiation request failed (and SSLInsecureRenegotiation)
Dear all,
Many users (but not all) are complaining that they can't access our
SSL webserver.
After some research I found two kind of error in apache logs :
a) Re-negotiation request failed / SSL Library Error: 336068931
error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation
disabled
b) Re-negotiation handshake failed: Not accepted by client!?
At first I really don't understand at all why this could happen ?
And secondly, I found some advices to add the "SSLInsecureRenegotiation
on" option. Is it a solution, and is it only for very old browsers
or can it be required for still in use browsers ?
Thanks in advance for some help or any hint :-)
Best regards,
Denis