We’re running Apache 2.2.22 with OpenSSL 0.98, one of our Citrix NetScaler Hosts cannot send a client certificate after handshaking SSL as we have to set SSLInsecureRenegotiation off as a security standard.
Is there anyway to dynamically set this directive based on Remote_Addr? I have tried so many settings but as designed I guess, there doesn’t seem to be a way of selectively allowing SSLInsecureRenegotiation for one user agent or IP?
We’ve already patched to latest NetScaler 10, but after the SSL initial handshake a renegotiation request is sent back from Apache to the NetScaler because as a client cert is required for a LocationMatch, this is never responded to leading Apache to terminate session. – http://tools.ietf.org/html/rfc5746#section-3.5 . We’re told by Citrix that downstream rules are normally on a “trusted” network, and not supported using the client method, is it possible to differentiate between requests and how the SSLInsecureRenegotiation directive is called by host identity of some sort or IP?
Some comments from other forum –
I don’t believe it can be set anywhere lower than virtual server level, which is why I’m thinking it needs to be addressed at the load-balancer, (despite what Citrix might say). They seem to have quite a few different values that TLS Renegotiation that can be set, including disabling renegotiation support between client and server altogether. Maybe posting this question over on serverfault will help? – mahnsc 14 hours ago
Hi, problem is more that SSL offload is designed to operate in front of web servers, not clients end but unfortunately our project went ahead regardless. Citrix have not fully implemented RFC 5746 extension to prevent man-in-the-middle attacks out the backend as they consider the backend behind the Netscaler (Logical in this reversed context) a trusted channel, with a 3rd party hosting Apache with the strict security rules for all traffic. I could probably convince them to set a special case for our host, but can’t find a way of setting the directive in-session. – ev4nsj 14 mins ago
You need to apply an update to your NetScaler hosts as described in Citrix security bulletin CTX123359.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.