As would be clear from the post header, i am trying for an insecure SSL renegotiaion as my SSL client does not have support for the latest TLS renegotiation vulnerability (CVE-2009-3555).

My server configuration :
server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a on Ubuntu 10.04.1 LTS

The problem is my handshake goes through successfully, but in application data stage client initiates the renegotiation upon which i get thrown an error and the connection terminates. I did enable SSLInsecureRenegotiation directive, but the error persists.

Error as received on the client side ( as interpreted by the client) is EOF (does not convey much). But the same client when connected to the earlier version of APACHE - 2.0.47 works pretty fine.

Error on server side corresponding to my client request in error.log represents :
[Fri Sep 03 16:19:16 2010] [error] [client 10.225.171.98] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
[Fri Sep 03 16:19:38 2010] [error] [client 10.225.171.98] rejecting client initiated renegotiation

SSL conf file (vhost configuration in https-ssl.conf ) :



SSLInsecureRenegotiation on [I even tried placing it globally, but with no +ve outcome]
DocumentRoot "/usr/local/apache2/htdocs"
ServerName httpsmtpssl.test.intra
ServerAdmin you@example.com
ErrorLog "/usr/local/apache2/logs/error_log"
TransferLog "/usr/local/apache2/logs/access_log"

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSL v2:+EXP:+eNULL

SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/NO-PASS-PHRASE"


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog "/usr/local/apache2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Can you guys, help me with this ?
Am i missing something on the server config part or not using the SSLInsecureRenegotiation directive correctly ?

Hope to get some pointers,
Gaurav