Ralf, I've got a "bugfix" (documentation, really) for anyone who is having
either of the following problems with Netscape 4.61 under Linux:
After downloading the CA certificate, attempts to access the https port give
either
[10/Sep/1999 12:15:09] [error] SSL handshake failed (client 255.255.255.255, server lyta.gsfc.nasa.gov:8443) (OpenSSL library error follows)
[10/Sep/1999 12:15:09] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
or
[10/Sep/1999 11:53:28] [error] SSL handshake failed (client 255.255.255.255, server lyta.gsfc.nasa.gov:8443) (OpenSSL library error follows)
[10/Sep/1999 11:53:28] [error] OpenSSL: error:1E06D401:RSAref routines:RSA_REF_PRIVATE_DECRYPT:data
[10/Sep/1999 11:53:28] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode
and a failed connection at the browser.
These are caused by browsers that will not accept a 1024-bit key. Cutting the
key down to 512 bits allows them to work OK. Here's the procedure to build
everything including the CA at 512 bits. It's essentially the same as the
standard build.
1) Follow the install instructions all the way through, including
"make install".
2) cd to the new conf/ssl.key directory.
3) openssl genrsa -des3 -out server.key 512
4) openssl req -noout -text -in server.csr
5) openssl genrsa -des3 -out ca.key 512
6) openssl req -new -x509 -days 365 -key ca.key -out ca.crt
7) copy sign.sh to this directory.
8) ./sign.sh server.csr
9) mv *.csr ../ssl.csr
10) mv *.crt ../ssl.crt
11) cd back to the Apache source tree and "make install" again
(this will rehash the certificates). You could look up the
command to do the rehash, I suppose, but this is easier. :)
Ralf, there are a couple of entries in the bug database that this will fix.
--- Joe M.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
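The eleven-step procedure in the post, as one non-interactive script. This is an added example, not code from the post or from mod_ssl. It assumes: -passout/-passin in place of the interactive -des3 passphrase prompts; placeholder subject names (server.example.test, Example Test CA); an added "openssl req -new" step, because the post inspects server.csr in step 4 without listing the command that creates it; and "openssl x509 -req" standing in for mod_ssl's sign.sh, which is not on the page. The key size is a parameter rather than hard-coded to 512, since 512-bit RSA is far below any current minimum and is only useful for reproducing the 1999 setup; cert_key_bits reports what you actually built.

```shell
#!/bin/sh
# Added example (not from the post or from mod_ssl): the post's CA + server
# certificate procedure as one non-interactive script.
# Assumptions: -passout/-passin replace the interactive -des3 prompts, the
# subject names are placeholders, a CSR-generation step is added because the
# post inspects server.csr without showing how it was made, and
# "openssl x509 -req" stands in for mod_ssl's sign.sh (not on the page).
set -eu

# build_pki DIR BITS PASSPHRASE
# Creates ca.key/ca.crt and server.key/server.csr/server.crt in DIR with
# RSA keys of BITS bits; 512 reproduces the post, anything current is 2048+.
build_pki() {
  dir=$1; bits=$2; pass=$3
  mkdir -p "$dir"
  (
    set -e
    cd "$dir"
    # Post step 3: server key, 3DES-encrypted under the passphrase.
    openssl genrsa -des3 -passout "pass:$pass" -out server.key "$bits" 2>/dev/null
    # The CSR that the post's step 4 inspects (assumed; the post does not list it).
    openssl req -new -key server.key -passin "pass:$pass" \
      -subj "/CN=server.example.test" -out server.csr 2>/dev/null
    # Post step 4: inspect the request.
    openssl req -noout -text -in server.csr >/dev/null
    # Post steps 5-6: CA key and self-signed CA certificate.
    openssl genrsa -des3 -passout "pass:$pass" -out ca.key "$bits" 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$pass" \
      -subj "/CN=Example Test CA" -out ca.crt 2>/dev/null
    # Post step 8, with openssl x509 -req in place of sign.sh.
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
      -passin "pass:$pass" -CAcreateserial -out server.crt 2>/dev/null
  )
}

# cert_key_bits CERT: print the RSA modulus size (bits) of CERT's public key.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# verify_chain DIR: succeed only if DIR/server.crt chains to DIR/ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Usage: source the script, then `build_pki /tmp/pki 512 'some-passphrase'`, `cert_key_bits /tmp/pki/server.crt`, and `verify_chain /tmp/pki`. The resulting files map onto the post's conf/ssl.key, conf/ssl.csr and conf/ssl.crt directories (steps 9-10); the rehash the post gets from a second "make install" is not part of this script.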