Full_Name: winni peters
Version: 2.3.11
OS: AIX 4.2.1.0
Submission from: px.bull.de (194.120.12.97)
The problem is using a Verisign GlobalID certificate within the Apache server.
The server negotiates this special certificate, but if I try to connect
to this site the re-negotiation fails to choose a new cipher suite!
All information is in the following logs and conf files:
Versions :
SERVER
modssl : 2.3.11
apache : 1.3.6
CLIENT:
IE4.0 SP1
IE5.0
NS4.04
NS4.5
NS4.6
#####################
http.conf
#####################
...
DocumentRoot /usr/local/apache+ssl+modssl/htdocs
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLSessionCache none
SSLMutex file:/usr/local/apache+ssl+modssl/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /usr/local/apache+ssl+modssl/logs/ssl_engine_log
SSLLogLevel trace
SSLCertificateFile /usr/local/apache+ssl+modssl/conf/ssl.crt/httpsd.pem
SSLCertificateKeyFile /usr/local/apache+ssl+modssl/conf/ssl.key/httpsd_private.key
######### Here I use different definitions, but always the same failure!! ######
######### The idea is to use strong encryption if I access this directory: test128 #####
######### I try the same with the Location statement -> the same failure ##
<Directory /usr/local/apache+ssl+modssl/htdocs/test128>
#SSLCipherSuite MEDIUM:HIGH
SSLCipherSuite EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5
##### With this statement no error occurred, but the session is only 40 bit !! ##
#SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
##########
error_log
##########
[Mon Sep 20 12:33:18 1999] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Sep 20 12:33:18 1999] [error] mod_ssl: SSL error on reading data (OpenSSL library error follows)
[Mon Sep 20 12:33:18 1999] [error] OpenSSL: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
##########
ssl_engine_log
##########
[20/Sep/1999 12:46:04] [info] Init: 34nd restart round (already detached)
[20/Sep/1999 12:46:04] [info] Init: Seeding PRNG with 1032 bytes of entropy
[20/Sep/1999 12:46:04] [info] Init: Initializing (virtual) servers for SSL
[20/Sep/1999 12:46:04] [info] Init: Configuring server myserver:443 for SSL protocol
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Configuring permitted SSL ciphers [ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Configuring client authentication
...
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Configuring certificate revocation facility
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Configuring RSA server certificate
[20/Sep/1999 12:46:04] [info] Init: (myserver:443) RSA server certificate enables Server Gated Cryptography (SGC)
[20/Sep/1999 12:46:04] [trace] Init: (myserver:443) Configuring RSA server private key
...
############# Now I try to access the directory test128: ####
[20/Sep/1999 12:52:05] [info] Connection to child 0 established (server myserver:443)
[20/Sep/1999 12:52:05] [trace] Seeding PRNG with 1032 bytes of entropy
[20/Sep/1999 12:52:05] [trace] OpenSSL: Handshake: start
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: before/accept initialization
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 read client hello A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write server hello A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write certificate A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write server done A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 read finished A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write finished A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Sep/1999 12:52:05] [trace] Inter-Process Session Cache: request=SET status=BAD id=CC578915641DF146E2DD277341503E782163A6952F53E806E5ABE2D3B15CB7E5 timeout=300s (session caching)
[20/Sep/1999 12:52:05] [trace] OpenSSL: Handshake: done
[20/Sep/1999 12:52:05] [info] Connection: Client IP: 129.184.216.249, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[20/Sep/1999 12:52:05] [info] Initial (No.1) HTTPS request received for child 0 (server myserver:443)
[20/Sep/1999 12:52:05] [info] Requesting connection re-negotiation
[20/Sep/1999 12:52:05] [trace] Performing full renegotiation: complete handshake protocol
[20/Sep/1999 12:52:05] [trace] OpenSSL: Handshake: start
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSL renegotiate ciphers
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 write hello request A
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Sep/1999 12:52:05] [info] Awaiting re-negotiation handshake
[20/Sep/1999 12:52:05] [trace] OpenSSL: Handshake: start
[20/Sep/1999 12:52:05] [trace] OpenSSL: Loop: before accept initialization
[20/Sep/1999 12:52:05] [trace] OpenSSL: Write: SSLv3 read client hello C
[20/Sep/1999 12:52:05] [trace] OpenSSL: Exit: error in SSLv3 read client hello C
[20/Sep/1999 12:52:05] [error] Re-negotiation handshake failed: Not accepted by client!?
[20/Sep/1999 12:52:05] [trace] OpenSSL: Exit: failed in SSLv3 read client hello C
[20/Sep/1999 12:52:05] [error] SSL error on reading data (OpenSSL library error follows)
[20/Sep/1999 12:52:05] [error] OpenSSL: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
[20/Sep/1999 12:52:05] [info] Connection to child 0 closed with standard shutdown (server myserver:443)
###########################################################
Well, I have read the messages with the IDs 166 and 271, which also describe
a "Re-negotiation handshake failed" but with a different error code.
The error from the Netscape browser:
Netscape and this server cannot communicate securely
because they have no common encryption algorithm(s)
Within the Netscape browser I accept all ciphers within SSLv3(2).
For the moment I have no idea. Maybe there are some people
in the world who can help me or who have the same problem? ;-)
winni
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
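The ssl_engine_log excerpt above tells the story in two lines that are easy to miss in trace output: the initial handshake settled on EXP-RC4-MD5 with 40 effective bits (the server-wide SSLCipherSuite still permits export ciphers), and the per-directory cipher suite then forced a re-negotiation that the client never completed. The following Python script is an added example, not code from the post or from the mod_ssl project; it parses mod_ssl 2.x ssl_engine_log lines of the format shown above, records each negotiated cipher with its effective key size, flags anything below a configurable minimum, and pairs "Requesting connection re-negotiation" with a later "Re-negotiation handshake failed" so an operator can see both conditions from the log alone. The sample log embedded in it is constructed from the lines in this report; the line format and message texts are assumed to be exactly those mod_ssl printed in the post.

```python
import re
from dataclasses import dataclass, field

# Assumed mod_ssl 2.x ssl_engine_log layout, as seen in the post:
#   [20/Sep/1999 12:52:05] [info] message text
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<level>\w+)\]\s+(?P<msg>.*)$")

# Connection summary line; "(40/128 bits)" means 40 effective bits of a
# 128-bit algorithm, i.e. an export-grade cipher such as EXP-RC4-MD5.
CONN_RE = re.compile(
    r"Connection: Client IP: (?P<ip>[\d.]+), Protocol: (?P<proto>\S+), "
    r"Cipher: (?P<cipher>\S+) \((?P<used>\d+)/(?P<alg>\d+) bits\)"
)

RENEG_REQUEST = "Requesting connection re-negotiation"
RENEG_FAILED = "Re-negotiation handshake failed"


@dataclass
class Finding:
    ts: str
    kind: str      # "weak-cipher" or "renegotiation-failed"
    detail: str


@dataclass
class Report:
    connections: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def analyze(lines, min_bits=128):
    """Scan ssl_engine_log lines; return a Report of connections and findings."""
    report = Report()
    pending_reneg = None  # timestamp of a re-negotiation request not yet resolved
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines, separators, comments
        ts, msg = m.group("ts"), m.group("msg")

        c = CONN_RE.search(msg)
        if c:
            used = int(c.group("used"))
            conn = {
                "ip": c.group("ip"),
                "proto": c.group("proto"),
                "cipher": c.group("cipher"),
                "used_bits": used,
                "alg_bits": int(c.group("alg")),
            }
            report.connections.append(conn)
            if used < min_bits:
                report.findings.append(Finding(
                    ts, "weak-cipher",
                    f"{conn['cipher']} gives only {used} effective bits (< {min_bits})"))
            continue

        if RENEG_REQUEST in msg:
            pending_reneg = ts
        elif RENEG_FAILED in msg:
            origin = f" (requested at {pending_reneg})" if pending_reneg else ""
            report.findings.append(Finding(ts, "renegotiation-failed", msg + origin))
            pending_reneg = None
    return report


# Constructed sample, modelled on the log lines in this report.
SAMPLE_LOG = """
[20/Sep/1999 12:52:05] [info] Connection to child 0 established (server myserver:443)
[20/Sep/1999 12:52:05] [trace] OpenSSL: Handshake: done
[20/Sep/1999 12:52:05] [info] Connection: Client IP: 129.184.216.249, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[20/Sep/1999 12:52:05] [info] Initial (No.1) HTTPS request received for child 0 (server myserver:443)
[20/Sep/1999 12:52:05] [info] Requesting connection re-negotiation
[20/Sep/1999 12:52:05] [info] Awaiting re-negotiation handshake
[20/Sep/1999 12:52:05] [error] Re-negotiation handshake failed: Not accepted by client!?
[20/Sep/1999 12:52:05] [info] Connection to child 0 closed with standard shutdown (server myserver:443)
""".strip().splitlines()


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for conn in rep.connections:
        print(f"{conn['ip']} {conn['proto']} {conn['cipher']} {conn['used_bits']}/{conn['alg_bits']} bits")
    for f in rep.findings:
        print(f"[{f.ts}] {f.kind}: {f.detail}")
```

Run against the real ssl_engine_log with `analyze(open(path))`. A weak-cipher finding immediately followed by a renegotiation-failed finding for the same connection is the pattern in this report: the first handshake is allowed to land on an export cipher, and only then does the per-directory policy try to upgrade it.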