

Configure Apache to make it run without SSL renegotiation

Following the Apache renegotiation issues made public in November 2009, we advise configuring Apache as follows:

At the root of the SSL virtualhost:
SSLVerifyDepth 4
# or "require"
SSLVerifyClient none
SSLCipherSuite !EDH:!ADH:!DSS:!RC4:HIGH:+3DES
SSLProtocol all -SSLv2 -SSLv3
# SSLHonorCipherOrder requires Apache 2.1+
SSLHonorCipherOrder on
Then, inside your virtualhost or in the .htaccess of your DocumentRoot, never use the 4 instructions above again.

This makes Apache negotiate the right values at the root and not renegotiate them afterwards.

Downside: you can no longer configure a site without certificate authentication at the root with one directory requiring a certificate. You will have to create a special site that requires the user certificate from the root.
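
To audit an existing configuration against this advice, the following added example (not part of the original page) reports every directive from the list above that appears in a per-directory scope. It assumes "inside your virtualhost" means containers such as <Directory>, <Location> and <Files>; the function name and the sample configuration are constructed for illustration, and line continuations are not handled.

```python
import re

# Directives the page says to set only at the virtualhost root.
ROOT_ONLY = {"sslverifydepth", "sslverifyclient", "sslciphersuite",
             "sslprotocol", "sslhonorcipherorder"}
# Assumption: these containers are what the page means by "inside your virtualhost".
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}

def find_per_directory_ssl(text, htaccess=False):
    """Return [(line_no, scope, directive)] for root-only directives
    found in a per-directory container or anywhere in a .htaccess file."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\s*\w+\s*>", line):      # closing tag: leave container
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<\s*(\w+)", line)    # opening tag: enter container
        if opened:
            stack.append(opened.group(1).lower())
            continue
        name = line.split()[0]
        scope = [s for s in stack if s in PER_DIR]
        if name.lower() in ROOT_ONLY and (scope or htaccess):
            findings.append((no, scope[-1] if scope else ".htaccess", name))
    return findings

# Constructed sample: root-level settings plus a per-directory override.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyDepth 4
    SSLVerifyClient none
    SSLCipherSuite !EDH:!ADH:!DSS:!RC4:HIGH:+3DES
    <Directory /var/www/private>
        # per-directory client certificate requirement
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
</VirtualHost>
"""
SAMPLE_HTACCESS = "SSLCipherSuite HIGH\nRewriteEngine on\n"

if __name__ == "__main__":
    for hit in find_per_directory_ssl(SAMPLE_VHOST):
        print("line %d: %s inside <%s>" % (hit[0], hit[2], hit[1]))
```

Each finding is a setting to move to the virtualhost root or, for a directory that needs client certificates, to a separate site as described in the downside above.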