[Hi, I put this in the bug database as Bug 205 and waited a while, but it hasn't shown up on the users list, so I guess that means I should mail it independently if I also want input from the list. If I'm wrong and it shows up twice, my apologies. If not, the FAQ is somewhat misleading. Thanks for all you folks' help on the bn_mulw.c issue also.]

-----------

Hi,

I am using Apache/1.3.6 (Win32), mod_ssl/2.3.5, OpenSSL/0.9.3a under Windows NT 4.0.

I have a problem very similar to the one that Jeffrey Burgoyne was having in the "No common encryption algorithms" thread on the modssl-users list (found in the MARC archive).

When I turn SSLEngine on in <VirtualHost _default_:443> and go there (from the same machine) with https://localhost or https://localhost:143 or https://127.0.0.1, my Netscape 4.05 browser says that the browser and the server "cannot communicate securely because they have no common encryption algorithm."

The error_log (for the secure virtual host) has:

    [Wed Jul 14 17:23:30 1999] [error] mod_ssl: SSL handshake failed (client 127.0.0.1, server 192.168.0.163:443) (OpenSSL library error follows)
    [Wed Jul 14 17:23:30 1999] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

In Jeffrey's case, this turned out to be a matter of the wrong hostname: he changed "the hostname on the machine" to match what he was using in his browser. In my case, I have set these both to be the same, this has not helped. Perhaps OpenSSL does a variety of security checks - e.g. reverse DNS? - and if anything is weird, gives that "no shared cipher" error?

Like Jeffrey, I can connect fine with openssl s_client.
Here's the output:

    D:\APACHE\webserver>openssl s_client -connect 192.168.0.165:443 -quiet
    depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/CN [EMAIL PROTECTED]
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/CN [EMAIL PROTECTED]
    verify error:num=21:unable to verify the first certificate
    verify return:1

Here's the output of "openssl ciphers":

    D:\APACHE\webserver>openssl ciphers
    EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-
    MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-MD5:IDEA-CBC-MD
    5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS
    -DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4
    -MD5

Seems like that would be enough - even for version 4.05 of Netscape! ;-)

Here's the relevant sections of my httpd.conf:

    <IfDefine SSL>
    Listen 80
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    </IfDefine>

    <IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex sem
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog logs/ssl_engine_log
    SSLLogLevel info
    </IfModule>

    <IfDefine SSL>
    <VirtualHost _default_:443>
    # General setup for the virtual host
    DocumentRoot htdocs-ssl
    ServerName 192.168.0.165
    #ServerAdmin [EMAIL PROTECTED]
    ErrorLog logs/error_log_ssl
    TransferLog logs/access_log_ssl
    SSLEngine on
    SSLCipherSuite ALL
    SSLCertificateFile conf/ssl.crt/snakeoil-dsa.crt
    SSLCertificateKeyFile conf/ssl.key/snakeoil-dsa.key
    SSLCACertificateFile conf/ssl.crt/ca-bundle.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    </IfDefine>

The regular http:// on port 80 is working fine.
I get an even less helpful error message trying to connect to the https:// host with IE 4.72 ("Im Support des sicheren Channels ist ein Fehler aufgetreten" - it's a German copy).

I can't think of anything else to try. Any help will be *greatly* appreciated.

Thanks,

- Benjamin Rosenbaum
[EMAIL PROTECTED]

P.S. I looked in the openssl source, and there is only one place that throws that error. The code is beyond me, but it's ssl/s3_srvr.c line 714, and it seems like the issue is that there are no matches between s->session->ciphers and ssl_get_ciphers_by_id(s)...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
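
Added example, not part of the original message and not OpenSSL's code: a simplified model of the server-side match the P.S. describes, in which the server can only pick enabled suites whose authentication type fits its certificate key. It assumes that snakeoil-dsa.crt holds a DSA key (going by its file name) and uses a constructed RSA-only browser offer, since the post does not show the browser's ClientHello.

```python
# Added illustration: a simplified model of server-side suite selection,
# not OpenSSL source. Suite names come from the `openssl ciphers` output
# quoted in the post (duplicates dropped).
SERVER_ENABLED = (
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:"
    "RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:"
    "DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-64-MD5:DES-CBC-MD5:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC4-MD5"
).split(":")

# Constructed sample: an RSA-only offer standing in for the browser (assumption).
BROWSER_OFFER = ["RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
                 "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]
# Assumption: s_client offers the library's full list, DSS suites included.
S_CLIENT_OFFER = list(SERVER_ENABLED)


def auth_of(suite):
    """Key type the server certificate must have for this suite.
    In the list above, only names containing -DSS- authenticate with DSA."""
    return "DSS" if "-DSS-" in suite else "RSA"


def choose_cipher(client_offer, server_enabled, cert_key_type):
    """First client-offered suite that is enabled and fits the certificate."""
    usable = {s for s in server_enabled if auth_of(s) == cert_key_type}
    return next((s for s in client_offer if s in usable), None)


def diagnose(client_offer, server_enabled, cert_key_type):
    """Explain the outcome, separating name overlap from certificate fit."""
    chosen = choose_cipher(client_offer, server_enabled, cert_key_type)
    if chosen:
        return "ok: " + chosen
    by_name = [s for s in client_offer if s in server_enabled]
    if by_name:
        return ("no shared cipher: %d offered suites are enabled, but none "
                "can be used with a %s certificate" % (len(by_name), cert_key_type))
    return "no shared cipher: offer and enabled list do not overlap"


if __name__ == "__main__":
    for name, offer in (("browser", BROWSER_OFFER), ("s_client", S_CLIENT_OFFER)):
        for key in ("DSS", "RSA"):
            print(name, key, "->", diagnose(offer, SERVER_ENABLED, key))
```

In this model the DSA-certificate server fails only for the RSA-only client, which matches the symptom of s_client connecting while the browser does not.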
