SSL routines SSL3_ACCEPT unsafe legacy renegotiation disabled

Posted: December 30, 2011    Author:     Category:  Linux

After moving this website completely to HTTPS, it would no longer load in Internet Explorer. IE’s well known for having compatibility issues with websites that other browsers do not have but this was different from what I had ever seen before.

IE didn’t display anything useful to describe what error was encountering, it put the issue down to connection issues, the same error you’d receive if you lost your internet connection. Not useful at all for diagnosing the problem.

I then looked at the Apache error logs and noticed the following errors being logged every time the site was accessed from IE:

[Fri Dec 30 22:04:09 2011] [error] [client] Re-negotiation request failed
[Fri Dec 30 22:04:09 2011] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Google didn’t give me any help worthwhile so I had to resort to commenting out the SSL directives in the virtual host configuration file. I eventually narrowed it down to the following directive:

SSLVerifyClient optional

Disabling that directive made the site load successfully in Internet Explorer. The SSLVerifyClient directive¬†sets the certificate verification level for the client authentication. I’m not sure why Internet Explorer doesn’t like this because my certificate is from a valid issuing authority. I guess it’s just one more thing that doesn’t work in IE…


3 Responses

  1. You should see if Google Chrome Frame can replace the broken functionality in IE, and if it does force it upon users who use the User-Agent string of the broken builds of IE.

    If you don’t have the option to stop supporting IE all-together, put a fat ass warning and disclaimer and force the user to accept it without allowing them to click accept without an artificial timer or captcha.

  2. Thanks for that Jon, I’ve got around it by using nginx to terminate the SSL connection before passing it to Apache but I’ll keep that in mind for the future.

  3. Try this: (inside the virtualhost declaration)

    SSLInsecureRenegotiation ON

Leave a Reply

Home Linux SSL routines SSL3_ACCEPT unsafe legacy renegotiation disabled