I never used an IP address for ServerName on my Apache / NT. I used the exact
hostname e.g. www.yourdomain.com in the SSL section. Here is my Config
Section. I copied it from my linux box, which uses the same config and runs
with it, too. Additionally: I use IE5.0 on Win32 and Netscape 4.6 on Linux.

The Config Section:

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>
<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:logs/www.mydomain.com/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      logs/www.mydomain.com/ssl_engine.log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
<VirtualHost _default_:443>
DocumentRoot "C:/Apache/htdocs/www.mydomain.com"
ServerName www.mydomain.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/www.mydomain.com/ssl_error.log
TransferLog logs/www.mydomain.com/ssl_access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile    "C:/Apache/conf/www.mydomain.com/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/Apache/conf/www.mydomain.com/ssl.key/server.key"
SSLCACertificatePath    "C:/Apache/conf/www.mydomain.com/ssl.crt"
SSLCACertificateFile    "C:/Apache/conf/www.mydomain.com/ssl.crt/ca-bundle.crt"
SSLCARevocationPath     "C:/Apache/conf/www.mydomain.com/ssl.crl"
SSLCARevocationFile     "C:/Apache/conf/www.mydomain.com/ssl.crl/ca-bundle.crl"
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/www.mydomain.com/ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

Cheers
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, July 14, 1999 5:55 PM
Subject: [BugDB] Another OpenSSL "no common encryption" error (PR#205)


> Full_Name: Benjamin Rosenbaum
> Version: 2.3.5
> OS: NT 4.0
> Submission from: bastel.eunet.ch (146.228.10.31)
>
>
> Hi,
>
> I am using Apache/1.3.6 (Win32), mod_ssl/2.3.5, OpenSSL/0.9.3a
> under Windows NT 4.0.
>
> I have a problem very similar to the one that Jeffrey Burgoyne
> was having in the "No common encryption algorithms" thread on the
> modssl-users list (found in the MARC archive). When I turn SSLEngine on
> in <VirtualHost _default_:443> and go there (from the same machine)
> with https://localhost or https://localhost:143 or https://127.0.0.1,
> my Netscape 4.05 browser says that the browser and the server "cannot
> communicate securely because they have no common encryption algorithm."
> The error_log (for the secure virtual host) has:
>
> [Wed Jul 14 17:23:30 1999] [error] mod_ssl: SSL handshake failed (client
> 127.0.0.1, server 192.168.0.163:443) (OpenSSL library error follows)
> [Wed Jul 14 17:23:30 1999] [error] OpenSSL: error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> In Jeffrey's case, this turned out to be a matter of the wrong
> hostname: he changed "the hostname on the machine" to match what
> he was using in his browser. In my case, I have set these both to
> be the same, this has not helped.
>
> Perhaps OpenSSL does a variety of security checks - e.g. reverse
> DNS? - and if anything is weird, gives that "no shared cipher" error?
>
> Like Jeffrey, I can connect fine with openssl s_client. Here's the output:
>
> D:\APACHE\webserver>openssl s_client -connect 192.168.0.165:443 -quiet
> depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
> Team/CN
> [EMAIL PROTECTED]
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
> Team/CN
> [EMAIL PROTECTED]
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> Here's the output of "openssl ciphers":
> D:\APACHE\webserver>openssl ciphers
> EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:
> RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:
> DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:DES-CBC-MD5:
> EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:
> EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>
> Seems like that would be enough - even for version 4.05 of Netscape! ;-)
>
> Here's the relevant sections of my httpd.conf:
>
> <IfDefine SSL>
> Listen 80
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> </IfDefine>
>
> <IfModule mod_ssl.c>
> SSLPassPhraseDialog  builtin
> SSLSessionCache         dbm:logs/ssl_scache
> SSLSessionCacheTimeout  300
> SSLMutex sem
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog      logs/ssl_engine_log
> SSLLogLevel info
> </IfModule>
>
> <IfDefine SSL>
> <VirtualHost _default_:443>
> #  General setup for the virtual host
> DocumentRoot htdocs-ssl
> ServerName 192.168.0.165
> #ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/error_log_ssl
> TransferLog logs/access_log_ssl
> SSLEngine on
> SSLCipherSuite ALL
> SSLCertificateFile    conf/ssl.crt/snakeoil-dsa.crt
> SSLCertificateKeyFile conf/ssl.key/snakeoil-dsa.key
> SSLCACertificateFile    conf/ssl.crt/ca-bundle.crt
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
> </IfDefine>
>
> The regular http:// on port 80 is working fine.
>
> I get an even less helpful error message trying to connect
> to the https:// host with IE 4.72("Im Support des sicheren
> Channels ist ein Fehler aufgetreten" - it's a German copy).
>
> I can't think of anything else to try. Any help will be *greatly*
> appreciated.
>
> Thanks,
>
> - Benjamin Rosenbaum
> [EMAIL PROTECTED]


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
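
Added example, not part of either message above: a small model of SSL cipher selection showing why a long `openssl ciphers` list does not rule out "no shared cipher", since a suite is only usable when its authentication type matches the server certificate's key type. The suite list is the one from the quoted report; the RSA-only client offer, the name-based classification, and the reading of `snakeoil-dsa.crt` as a DSA key are assumptions made for this illustration.

```python
# Suite names as printed by `openssl ciphers` in the quoted report.
SERVER_SUITES = (
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:"
    "RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:"
    "DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-64-MD5:DES-CBC-MD5:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC4-MD5"
).split(":")

# Constructed sample (assumption): a client that offers only
# RSA-authenticated suites, in its own preference order.
RSA_ONLY_CLIENT = ["RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
                   "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]


def auth_of(suite):
    """Key type the server certificate needs for this suite.

    Name-based heuristic that holds for the suite names listed above:
    a DSS token means a DSA key, ADH means anonymous, anything else RSA.
    """
    parts = suite.split("-")
    if "ADH" in parts:
        return "anon"
    if "DSS" in parts:
        return "DSA"
    return "RSA"


def negotiate(client_offer, server_suites, server_key_types):
    """Return the first client suite the server can actually use, or None.

    None corresponds to the 'no shared cipher' handshake failure.
    """
    usable = {s for s in server_suites if auth_of(s) in server_key_types}
    for suite in client_offer:
        if suite in usable:
            return suite
    return None


if __name__ == "__main__":
    cases = (
        ("RSA-only client, DSA-only server key", RSA_ONLY_CLIENT, {"DSA"}),
        ("client offering every suite, DSA key", SERVER_SUITES, {"DSA"}),
        ("RSA-only client, RSA server key", RSA_ONLY_CLIENT, {"RSA"}),
    )
    for label, offer, keys in cases:
        print(f"{label}: {negotiate(offer, SERVER_SUITES, keys) or 'no shared cipher'}")
```

The second case shows how a client that offers every suite the library knows can still connect to a DSA-only server, while a client limited to RSA suites cannot.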
