Hi,

I've seen some messages in the 'GlobalID problem' thread which could explain a problem I have...

Some new CAs (apart from VeriSign) have been allowed to issue SGC certs: Thawte, GlobalSign - ourselves, etc.

I am doing right now some tests on Apache/mod_ssl and as Matthias Loepfe indicated, it seems that OpenSSL does not support the 'Fast SGC' protocol which Microsoft IE uses.

Extract of the ssl_engine_log:

[08/Dec/1999 10:43:45] [trace] OpenSSL: Handshake: start
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: before/accept initialization
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 read client hello A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write server hello A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write certificate A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write server done A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 flush data
[08/Dec/1999 10:43:47] [trace] OpenSSL: Write: SSLv3 read client certificate B
[08/Dec/1999 10:43:47] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[08/Dec/1999 10:43:47] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[08/Dec/1999 10:43:47] [error] SSL handshake failed (client 194.78.232.115, server sgctest.globalsign.net:443) (OpenSSL library error follows)
[08/Dec/1999 10:43:47] [error] OpenSSL: error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type

As you can see, the error is right where an MS IE is sending a 'reset' in case of an SGC-enabled server certificate (http://www.microsoft.com/security/tech/sgc/TechnicalDetails.asp) instead of waiting for the complete SSL negotiation to end, as in the case of Netscape browsers.

Can somebody confirm this? Does anybody know if the OpenSSL team has plans to support this in the future? Are there patches available?

Thanks!

Christian.
_____________________________________________
GlobalSign NV/SA
http://www.globalsign.net
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
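
An added example, not part of the original message and not mod_ssl or OpenSSL code: a Python triage script that groups ssl_engine_log trace lines into handshakes and flags failures shaped like the one quoted above (server flight completed, then "wrong message type" while reading the client certificate). The function names are hypothetical, Python 3.9+ is assumed, and the sample input is the log excerpt from the message with the duplicated Exit line dropped.

```python
import re

# Log excerpt copied from the message above (duplicate "Exit" line dropped).
SAMPLE_LOG = """\
[08/Dec/1999 10:43:45] [trace] OpenSSL: Handshake: start
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: before/accept initialization
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 read client hello A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write server hello A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write certificate A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 write server done A
[08/Dec/1999 10:43:45] [trace] OpenSSL: Loop: SSLv3 flush data
[08/Dec/1999 10:43:47] [trace] OpenSSL: Write: SSLv3 read client certificate B
[08/Dec/1999 10:43:47] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[08/Dec/1999 10:43:47] [error] SSL handshake failed (client 194.78.232.115, server sgctest.globalsign.net:443) (OpenSSL library error follows)
[08/Dec/1999 10:43:47] [error] OpenSSL: error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
ERR_RE = re.compile(r"OpenSSL: error:(?P<code>[0-9A-Fa-f]+):[^:]*:(?P<func>[^:]*):(?P<reason>.*)$")
CLIENT_RE = re.compile(r"SSL handshake failed \(client (?P<client>[^,]+), server (?P<server>[^)]+)\)")

def parse_handshakes(text):
    """Group trace lines by handshake and return a summary of each failed one."""
    failures, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        msg = m["msg"] if m else ""
        if msg == "OpenSSL: Handshake: start":
            cur = {"start": m["ts"], "states": []}
        elif cur is None:
            continue  # line outside any handshake
        elif msg.startswith("OpenSSL: Loop: "):
            cur["states"].append(msg.removeprefix("OpenSSL: Loop: "))
        elif msg.startswith("OpenSSL: Exit: error in "):
            cur["failed_in"] = msg.removeprefix("OpenSSL: Exit: error in ")
        elif (c := CLIENT_RE.search(msg)):
            cur.update(c.groupdict())
        elif (e := ERR_RE.search(msg)):
            cur.update(e.groupdict())  # library error line closes the record
            failures.append(cur)
            cur = None
    return failures

def matches_reported_pattern(hs):
    """True if the server sent 'server done' and then got an unexpected message type."""
    return (hs.get("reason") == "wrong message type"
            and hs.get("failed_in", "").startswith("SSLv3 read client certificate")
            and "SSLv3 write server done A" in hs["states"])
```

Run over a full ssl_engine_log, grouping the flagged records by client address shows whether the failures are confined to particular browsers.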