Description of problem:
The current mod_ssl does not support safe renegotiation (RFC 5746). Even if the server is not vulnerable to CVE-2009-3555 because it never performs server-initiated renegotiation, the client has no way to know that and may warn the user. Support has been added in Apache 2.2.15. Please update or patch Apache in Fedora.

Version-Release number of selected component (if applicable):
mod_ssl-2.2.14-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Set up Apache for https://localhost/, if not already done.
2. In Firefox, set the preference "security.ssl.treat_unsafe_negotiation_as_broken" to true. (This will become the default soon: see https://bugzilla.mozilla.org/show_bug.cgi?id=535649 .)
3. Go to https://localhost/ and add a certificate override.

Actual results:
The server does not get the blue SSL badge because it does not support safe renegotiation.

Expected results:
The server gets the blue SSL badge.
httpd-2.2.15-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
httpd-2.2.15-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12
httpd-2.2.15-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11
(In reply to comment #0)
> Support has been added in Apache 2.2.15. Please update or patch Apache in
> Fedora.

That is incorrect. httpd 2.2.15 does not add support for RFC 5746; you need updated openssl for that. mod_ssl in 2.2.15 does two things:
- refuses client-initiated renegotiation (does not require new openssl)
- adds SSLInsecureRenegotiation directive (this requires new openssl at build time to actually work, though looking at the build logs, old openssl was used on F11, 1.0.0-beta4 on F12 should be missing some bits too)
To reply to a question from bodhi:
- first upstream openssl release with RFC 5746 support is 0.9.8m
  http://marc.info/?l=openssl-dev&m=126712103527093&w=2
  there are already updated 0.9.8n packages in F11 testing
- for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for F12, it needs openssl 1.0.0-1 or newer
(In reply to comment #5)
> - for F12+ / openssl-1.0.0, 1.0.0-beta5 should have all httpd needs, so for
> F12, it needs openssl 1.0.0-1 or newer

Unfortunately, openssl-1.0.0-1.fc12 is considered broken due to a multilib conflict (bug 579004), though that might not actually interfere with building against it.
Though an httpd build against it will have to wait for it to enter stable / testing. There are two options:
- leave httpd 2.2.15 built against old openssl for now, SSLInsecureRenegotiation won't work (but based on comment #0, you don't really care)
- wait for openssl updates
In either case, an openssl update is needed to actually get RFC support.
Understood. I would be inclined to wait for the openssl update. I don't see much point in marking this bug fixed while leaving SSLInsecureRenegotiation broken; instead, I'll broaden this bug.
Buildroot override requested: https://fedorahosted.org/rel-eng/ticket/3584
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc13
httpd-2.2.15-1.fc12.1 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
httpd-2.2.15-1.fc11.1 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
httpd-2.2.15-1.fc12.1 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc12.1
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/httpd-2.2.15-1.fc11.1
httpd-2.2.15-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
httpd-2.2.15-1.fc11.1 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This is not fixed in F12 until an installable httpd update is pushed, which requires that an installable openssl update be pushed (bug 588181). (I should have reopened this a long time ago.)
httpd-2.2.15-1.fc12.2 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.