I have changed the ServerName line to:

ServerName nb50spm.comit.ch

Doesn't seem to matter. I couldn't detect any other relevant
differences in the config file.

The server actually works against cURL, the freeware browser:
I can get pages served by it when running cURL. So the server
seems to be there and talking at least some kind of SSL. But why 
can't Netscape 4.05 or IE 4.72 talk to it? I guess I should try
with later browser versions. Does anyone have any idea what
other diagnostics I could run? Perhaps OpenSSL is built 
wrong somehow?

Thanks.

- Ben

P.S. My apologies that this question did get posted twice. Oops. ;-)


Daniel Reichenbach wrote:
> 
> I never used an IP Address for ServerName on my Apache / NT. I used the exact
> hostname e.g. www.yourdomain.com in the SSL section. Here is my Config
> Section. I copied it from my linux box, which uses the same config and runs
> with it, too. Additionally: I use IE5.0 on Win32 and Netscape 4.6 on Linux.
> 
> The Config Section:
> 
> <IfDefine SSL>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> </IfDefine>
> <IfModule mod_ssl.c>
> SSLPassPhraseDialog  builtin
> SSLSessionCache         dbm:logs/www.mydomain.com/ssl_scache
> SSLSessionCacheTimeout  300
> SSLMutex  file:logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLLog      logs/www.mydomain.com/ssl_engine.log
> SSLLogLevel info
> </IfModule>
> <IfDefine SSL>
> <VirtualHost _default_:443>
> DocumentRoot "C:/Apache/htdocs/www.mydomain.com"
> ServerName www.mydomain.com
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/www.mydomain.com/ssl_error.log
> TransferLog logs/www.mydomain.com/ssl_access.log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile    "C:/Apache/conf/www.mydomain.com/ssl.crt/server.crt"
> SSLCertificateKeyFile "C:/Apache/conf/www.mydomain.com/ssl.key/server.key"
> SSLCACertificatePath    "C:/Apache/conf/www.mydomain.com/ssl.crt"
> SSLCACertificateFile    "C:/Apache/conf/www.mydomain.com/ssl.crt/ca-bundle.crt"
> SSLCARevocationPath     "C:/Apache/conf/www.mydomain.com/ssl.crl"
> SSLCARevocationFile     "C:/Apache/conf/www.mydomain.com/ssl.crl/ca-bundle.crl"
> SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> CustomLog logs/www.mydomain.com/ssl_request.log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
> </IfDefine>
> 
> Cheers
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, July 14, 1999 5:55 PM
> Subject: [BugDB] Another OpenSSL "no common encryption" error (PR#205)
> 
> > Full_Name: Benjamin Rosenbaum
> > Version: 2.3.5
> > OS: NT 4.0
> > Submission from: bastel.eunet.ch (146.228.10.31)
> >
> >
> > Hi,
> >
> > I am using Apache/1.3.6 (Win32), mod_ssl/2.3.5, OpenSSL/0.9.3a
> > under Windows NT 4.0.
> >
> > I have a problem very similar to the one that Jeffrey Burgoyne
> > was having in the "No common encryption algorithms" thread on the
> > modssl-users list (found in the MARC archive). When I turn SSLEngine on
> > in <VirtualHost _default_:443> and go there (from the same machine)
> > with https://localhost or https://localhost:143 or https://127.0.0.1,
> > my Netscape 4.05 browser says that the browser and the server "cannot
> > communicate securely because they have no common encryption algorithm."
> > The error_log (for the secure virtual host) has:
> >
> > [Wed Jul 14 17:23:30 1999] [error] mod_ssl: SSL handshake failed (client 127.0.0.1, server 192.168.0.163:443) (OpenSSL library error follows)
> > [Wed Jul 14 17:23:30 1999] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
> >
> > In Jeffrey's case, this turned out to be a matter of the wrong
> > hostname: he changed "the hostname on the machine" to match what
> > he was using in his browser. In my case, I have set these both to
> > be the same; this has not helped.
> >
> > Perhaps OpenSSL does a variety of security checks - e.g. reverse
> > DNS? - and if anything is weird, gives that "no shared cipher" error?
> >
> > Like Jeffrey, I can connect fine with openssl s_client. Here's the output:
> >
> > D:\APACHE\webserver>openssl s_client -connect 192.168.0.165:443 -quiet
> > depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
> > Team/CN
> > [EMAIL PROTECTED]
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver
> > Team/CN
> > [EMAIL PROTECTED]
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> >
> > Here's the output of "openssl ciphers":
> > D:\APACHE\webserver>openssl ciphers
> >
> > EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
> >
> > Seems like that would be enough - even for version 4.05 of Netscape! ;-)
> >
> > Here's the relevant sections of my httpd.conf:
> >
> > <IfDefine SSL>
> > Listen 80
> > Listen 443
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> > </IfDefine>
> >
> > <IfModule mod_ssl.c>
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache         dbm:logs/ssl_scache
> > SSLSessionCacheTimeout  300
> > SSLMutex sem
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> > SSLLog      logs/ssl_engine_log
> > SSLLogLevel info
> > </IfModule>
> >
> > <IfDefine SSL>
> > <VirtualHost _default_:443>
> > #  General setup for the virtual host
> > DocumentRoot htdocs-ssl
> > ServerName 192.168.0.165
> > #ServerAdmin [EMAIL PROTECTED]
> > ErrorLog logs/error_log_ssl
> > TransferLog logs/access_log_ssl
> > SSLEngine on
> > SSLCipherSuite ALL
> > SSLCertificateFile    conf/ssl.crt/snakeoil-dsa.crt
> > SSLCertificateKeyFile conf/ssl.key/snakeoil-dsa.key
> > SSLCACertificateFile    conf/ssl.crt/ca-bundle.crt
> > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > CustomLog logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > </VirtualHost>
> > </IfDefine>
> >
> > The regular http:// on port 80 is working fine.
> >
> > I get an even less helpful error message trying to connect
> > to the https:// host with IE 4.72 ("Im Support des sicheren
> > Channels ist ein Fehler aufgetreten" - it's a German copy).
> >
> > I can't think of anything else to try. Any help will be *greatly*
> > appreciated.
> >
> > Thanks,
> >
> > - Benjamin Rosenbaum
> > [EMAIL PROTECTED]
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
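
An added diagnostic example, not part of the original messages: it maps each suite in the posted `openssl ciphers` output to the certificate key type it requires and intersects the result with a client's offer, showing how "no shared cipher" can occur even when the server's list looks long. The key type `DSS` is assumed from the file name `snakeoil-dsa.crt` in the posted config, and `CLIENT_OFFER` is a constructed RSA-only sample, not a captured browser hello.

```python
# Added example: which suites can a server negotiate, given its cert key type?

# "openssl ciphers" output as posted in the thread (line wraps rejoined).
SERVER_CIPHERS = (
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:"
    "RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:"
    "DES-CBC3-MD5:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:DES-CBC-MD5:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5"
).split(":")

# Constructed sample: a client that offers only RSA-authenticated suites.
CLIENT_OFFER = ["RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
                "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]


def auth_type(suite):
    """Certificate key type a suite needs, per OpenSSL's naming scheme.

    Covers the name shapes in the list above: EDH-<auth>-..., an optional
    EXP- prefix, and plain names, which use RSA key exchange and auth.
    """
    parts = suite.split("-")
    if parts[0] == "EXP":
        parts = parts[1:]
    if parts[0] in ("EDH", "DHE"):
        return parts[1]          # "RSA" or "DSS"
    if parts[0] == "ADH":
        return None              # anonymous DH: no certificate involved
    return "RSA"


def usable(server_suites, cert_key):
    """Suites the server can complete with a certificate of this key type."""
    return [s for s in server_suites if auth_type(s) == cert_key]


def shared(server_suites, cert_key, client_offer):
    """Client-offered suites that survive the certificate constraint."""
    ok = set(usable(server_suites, cert_key))
    return [s for s in client_offer if s in ok]


if __name__ == "__main__":
    for key in ("DSS", "RSA"):
        print(key, "usable:", usable(SERVER_CIPHERS, key))
        print(key, "shared:", shared(SERVER_CIPHERS, key, CLIENT_OFFER) or
              "none -> 'no shared cipher'")
```

A client that offers the `EDH-DSS-*` suites still finds a match against a DSS certificate, so a successful `openssl s_client` connection does not rule this cause out.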