Client Side Negotiation

Novice User asked:

I have -MultiViews set and SSLInsecureNegotation off ( in ifmodule of mod_ssl.c) in Apache.

But still vulnerability report says I am vulnerable to client side negotiation and “This server is vulnerable to MITM attacks because it supports insecure renegotiation”.

Any pointers ?

The same configuration works on our TEST environments. THe only difference is the build release versions.

The systems where it is vulnerable has 31 around release build and in our TEST environment we have 53 release build version)

All on apache 2.2.3 (Oracle provided)

Thanks !

My answer:

You must update httpd to version 2.2.3-31 or later to mitigate this vulnerability. See RHSA 2009:1579 for details.

(Note that the latest release as of this writing is 2.2.3-76.)

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.