I would like to second this problem. I have several servers doing
client side auth. They were all running 2.6.0 with openssl 0.9.4 and
worked just fine. I upgraded to 2.6.2 and openssl 0.9.5 and now they
don't work with Netscape 4.72.
I'm going to do more testing, but wanted to add another data point.
-Jeremy
"HIROSE, Masaaki" wrote:
>
> Client authentication came to fail in the following situation.
>
> Client:
> c1: MSIE 5.0 (5.00.2314.1003) / Windows NT 4.0 SP5
> c2: MSIE 5.01 (5.00.2919.6307) / Windows NT 4.0 SP5
>
> Server:
> s1: apache-1.3.11 + mod_ssl-2.5.0 + OpenSSL-0.9.4
> s2: apache-1.3.12 + mod_ssl-2.6.0 + OpenSSL-0.9.4
> s3: apache-1.3.12 + mod_ssl-2.6.1 + OpenSSL-0.9.5
> s4: apache-1.3.12 + mod_ssl-2.6.2 + OpenSSL-0.9.5
>
> OS:
> linux 2.2.14 / glibc-2.1.3 / gcc 2.95.3
> linux 2.2.14 / glibc-2.0.7 / gcc 2.7.2.3
>
> Client c2 (MSIE 5.01) is OK in all cases (s1-s4).
> Netscape Communicator 4.7 (linux) and 4.72 (MacOS) are OK, too.
>
> But client c1 (MSIE 5.0) is OK only in s1.
>
> The error message is here.
> # SSLLogLevel trace
>
> ----------8<----------8<----------8<----------8<----------8<----------
> [03/Mar/2000 00:33:00 29531] [info] Connection to child 2 established (server www0.irori.org:443, client 10.6.25.163)
> [03/Mar/2000 00:33:00 29531] [info] Seeding PRNG with 1024 bytes of entropy
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Handshake: start
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: before/accept initialization
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 read client hello A
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 write server hello A
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 write certificate A
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 write key exchange A
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 write server done A
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 flush data
> [03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
> [03/Mar/2000 00:33:00 29531] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
> ----------8<----------8<----------8<----------8<----------8<----------
>
> o CA's DN
> subject=/C=JP/ST=Tokyo/L=Nakano ku/O=IRORI/CN=Root CA inside
>[EMAIL PROTECTED]
>
> o Server's DN
> subject=/C=JP/ST=Tokyo/O=IRORI/OU=HTTP
>[EMAIL PROTECTED]
>
> o Client's DN
>
>[EMAIL PROTECTED]
>
> Is it because of mod_ssl? Or OpenSSL?
>
> --
> HIROSE, Masaaki
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
--
Jeremy Beker, Technical Manager
Research & Development, 3-G International
S/MIME Cert: http://employees.3gi.com/~jbeker/
Condensing fact from the vapor of nuance.
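
Added example, not part of either message above and not mod_ssl's own code: a small Python triage script that reads `SSLLogLevel trace` output in the format quoted in the report and lists, for each failed handshake, the client address, the state named on the `Exit: failed in` line, and the last `Loop:` state that completed. The sample log, host name and addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the mod_ssl "SSLLogLevel trace" format quoted above
# (host name and addresses are placeholders, not values from the thread).
SAMPLE_LOG = """\
[03/Mar/2000 00:33:00 29531] [info] Connection to child 2 established (server www.example.test:443, client 192.0.2.10)
[03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Handshake: start
[03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 write server done A
[03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Loop: SSLv3 flush data
[03/Mar/2000 00:33:00 29531] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[03/Mar/2000 00:33:05 29540] [info] Connection to child 3 established (server www.example.test:443, client 192.0.2.20)
[03/Mar/2000 00:33:05 29540] [trace] OpenSSL: Handshake: start
[03/Mar/2000 00:33:05 29540] [trace] OpenSSL: Loop: SSLv3 read finished A
[03/Mar/2000 00:33:05 29540] [trace] OpenSSL: Handshake: done
"""

# "[date time pid] [level] message"
LINE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)\)")
LOOP = re.compile(r"OpenSSL: Loop: (?P<state>.+)$")
FAILED = re.compile(r"OpenSSL: Exit: failed in (?P<state>.+)$")

def failed_handshakes(log_text):
    """Return one record per handshake that ended in 'Exit: failed in ...'."""
    conn = defaultdict(dict)  # per server child (pid): current connection
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        pid, msg = m["pid"], m["msg"]
        if "Connection to child" in msg and (c := CLIENT.search(msg)):
            conn[pid] = {"client": c["ip"], "last_ok": None}  # new connection
        elif (lp := LOOP.search(msg)):
            conn[pid]["last_ok"] = lp["state"]  # handshake step completed
        elif (f := FAILED.search(msg)):
            failures.append({"time": m["ts"],
                             "client": conn[pid].get("client"),
                             "failed_in": f["state"],
                             "last_ok": conn[pid].get("last_ok")})
    return failures

if __name__ == "__main__":
    for rec in failed_handshakes(SAMPLE_LOG):
        print(rec)
```

Grouping the records by `failed_in` and by client address shows whether failures cluster at the client-certificate step for one browser build, which is the comparison the report makes by hand.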