Can someone explain legacy renegotiation?

Hi! I’m using Let’s Encrypt, and I ran into some weird (to me) errors in the Apache 2 log files:

SSL Library Error: error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

I was able to reproduce this by surfing to my website using Safari 4 (OSX 10.4.11). Safari can’t display the page at all. Apparently, this older Safari doesn’t know how to handle the SSL-configuration. I was able to fix my problem by putting the following into my .htaccess file:

SSLOptions +OptRenegotiate

My question is: does this make my setup less secure? Why isn’t this the default for Let’s Encrypt? Is there a better way to fix this?

Your SSL settings for Apache 2.2 would be as follows:

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

For Apache 2.4:

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Use the Mozilla generator to get the correct settings for your Apache SSL:

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Hi,

Sometimes older browsers require the use of technologies and features that have been discovered to be unsafe. That's a relatively common pattern and might be the case here. The legacy renegotiation method constitutes a security vulnerability (originally documented by Marsh Ray in 2009), which is why servers have removed support for it or suggested removing support for it. But it might be required by some older browsers for compatibility. In this case, web site operators would have to choose between breaking compatibility and leaving some potential security vulnerabilities in place.

The defaults for Let's Encrypt are based on Mozilla's Intermediate profile, which currently says

Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

If allowing legacy renegotiation to be disabled breaks Safari 4, maybe the Mozilla profile compatibility claims are inaccurate?

Hi,

Thanks for the very comprehensive and easy-to-understand reply! I’ve read about the attack vector (http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html) and I think it’s smart to disable this feature. I still don’t really understand why the SSL library reports an “Error”, when nothing goes wrong (a configurable setting works as intended)… But that’s not an issue with LetsEncrypt I guess.

Thanks for helping,
