View Issue Details

ID: 0000987
Project: Main CAcert Website
Category: website content
View Status: public
Last Update: 2011-09-29 14:07
Reporter: antonio
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: Main CAcert Website
OS: N/A
Summary: 0000987: no renegotiation when visiting certificate authenticated c.o subdomains with firefox 4.x
Description: there's a problem with certificate renegotiation on subdomain c.o sites

(e.g. https://blog.cacert.org/wp-admin/ and https://svn.cacert.org/)

using "Transport Layer Security (TLS) Renegotiation Indication Extension rfc5746" compliant browsers (capable of viewing the penguin on https://ssltls.de/)

(e.g. firefox-4.0.x and newer ones)
Steps To Reproduce: with firefox-6.0.2 and firefox-7.0 under linux (fedora and debian), with valid installed ca-certificates on browser

1.- just access https://blog.cacert.org/wp-admin/ or https://svn.cacert.org/

so you have the ugly response

=====================
        Secure Connection Failed
        
          An error occurred during a connection to blog.cacert.org.

Renegotiation is not allowed on this SSL socket.

(Error code: ssl_error_renegotiation_not_allowed)


  The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
  Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
=====================

Additional Information: WORKAROUND:
1.- on firefox navigation bar, type
  about:config
2.- and just set
 security.ssl.allow_unrestricted_renego_everywhere=true

and it works again (but this is not the predefined setting as noted on https://wiki.mozilla.org/Security%3ARenegotiation)

This is not an exclusive CAcert problem (but c.o subdomains look like unsupported sites on firefox when certificate authentication is used)


Interesting, google-chromium (google-chrome) is detected as safari browser:

=====================
No certificate information presented; Safari User please use this link
https://blog.cacert.org/requirecert/wp-login.php
=====================

without better luck
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

illuminat

2011-09-29 14:07

reporter   ~0002548

This was patched in apache 2.2.14 / OpenSSL 0.9.8i

Currently, cacert seems to be running apache 2.2.9 / OpenSSL 0.9.8g

Fix should be relatively simple with: apt-get update && apt-get upgrade

Issue History

Date Modified Username Field Change
2011-09-28 22:15 antonio New Issue
2011-09-29 14:07 illuminat Note Added: 0002548