PT-2003-1424 · Apache · Mod Ssl
Published: 2003-07-09 · Updated: 2021-06-06
CVE-2003-0192
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions:
Apache versions prior to 2.0.47
Apache 1.3 with certain versions of mod_ssl
Description:
The issue arises from improper handling of certain sequences of per-directory renegotiations when the SSLCipherSuite directive is used to upgrade from a weak ciphersuite to a strong one. As a result, the weak ciphersuite could remain in use. A bug in the optional renegotiation code in mod_ssl can cause cipher suite restrictions to be ignored when optional renegotiation is used together with verification of client certificates and a change to the cipher suite over the renegotiation.
Recommendations:
For Apache versions prior to 2.0.47, update to version 2.0.47 or later to resolve the issue.
For Apache 1.3 with certain versions of mod_ssl, consider disabling the optional renegotiation feature by removing the SSLOptions +OptRenegotiate directive until a patched version of mod_ssl is available.
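To find where the workaround applies, the following added example (not part of the original advisory or of Apache's own tooling) scans configuration text for per-directory sections where SSLOptions +OptRenegotiate is in effect together with a section-level SSLCipherSuite, and notes whether client certificate verification is also active. The function name audit and the sample configuration are assumptions made for illustration; Include files and .htaccess overrides are not followed.

```python
import re
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}

def audit(conf_text):
    """List per-directory sections that combine the conditions named in the advisory."""
    findings = []
    # Scope stack; entry 0 is the server-wide scope. "opt" and "verify" are inherited.
    stack = [{"name": "<server>", "perdir": False, "opt": False, "verify": None, "cipher": None}]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\w+\s*>", line):
            s = stack.pop() if len(stack) > 1 else stack[0]
            if s["perdir"] and s["opt"] and s["cipher"]:
                findings.append({"section": s["name"], "cipher": s["cipher"],
                                 "client_cert": s["verify"] not in (None, "none")})
            continue
        opened = re.match(r"<(\w+)", line)
        if opened:
            stack.append({"name": line, "perdir": opened.group(1).lower() in PER_DIR,
                          "opt": stack[-1]["opt"], "verify": stack[-1]["verify"], "cipher": None})
            continue
        key, *args = line.split()
        scope, key = stack[-1], key.lower()
        if key == "ssloptions" and args:
            if not all(a[0] in "+-" for a in args):
                scope["opt"] = False  # an unprefixed list replaces inherited options
            for a in args:
                if a.lstrip("+-").lower() == "optrenegotiate":
                    scope["opt"] = not a.startswith("-")
        elif key == "sslciphersuite" and args:
            scope["cipher"] = " ".join(args)
        elif key == "sslverifyclient" and args:
            scope["verify"] = args[0].lower()
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
SSLOptions +OptRenegotiate
<Directory /var/www/secure>
    SSLCipherSuite HIGH
    SSLVerifyClient require
</Directory>
<Directory /var/www/public>
    SSLOptions -OptRenegotiate
    SSLCipherSuite HIGH
</Directory>
"""
```

Calling audit(SAMPLE) reports only the /var/www/secure section; sections with client_cert set to True match all three conditions in the description and are the first candidates for the workaround.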
Affected Products
Apache
Apache Http Server
Mod Ssl