Hi All,

While setting up an SGC configuration (using apache_1.3.12 /
mod_ssl-2.6.6-1.3.12 / openssl-0.9.5a / Thawte-128-Bit-SuperCert / running
on Suse Linux 7.0 (2.2.16)), the following problem occurred.

It seems several older browsers with export ciphers (40- and 56-bit), both
Netscape and IE, can't successfully complete the renegotiation up to 128-bit
(see logfile extract). With newer browsers (128-bit "by nature") the system
works fine.

I've tested the step-up feature of the older browsers successfully with the
website of a financial institution (just Netscape 3.0 can't deal with the
step-up). However, that site runs on Netscape-Enterprise/3.5.1 and a
VeriSign cert. With newer browsers my SSL configuration runs without any
problems.

The GlobalID-Flags in the Thawte-SuperCert are 1.3.6.1.5.5.7.3.1 /
2.16.840.1.113730.4.1
Output from 'openssl x509':
X509v3 Extended Key Usage: TLS Web Server Authentication, Netscape Server Gated Crypto

++++ extract from ssl_engine.log ++++
...
[10/Oct/2000 10:18:57 18192] [info]  Init: (foo:443) RSA server certificate enables Server Gated Cryptography (SGC)
...
[10/Oct/2000 10:19:47 18193] [info]  Connection to child 0 established (server foo:443, client 172.30.128.127)
[10/Oct/2000 10:19:47 18193] [info]  Seeding PRNG with 1160 bytes of entropy
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Handshake: start
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: before/accept initialization
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 read client hello A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write server hello A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write certificate A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write server done A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 flush data
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 read finished A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write finished A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 flush data
[10/Oct/2000 10:19:47 18193] [trace] Inter-Process Session Cache: request=SET status=OK id=6CAA6047775EB58925D23579D87F1DF21D21DC591AAD271EF7CBDD899C59D692 timeout=300s (session caching)
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Handshake: done
[10/Oct/2000 10:19:47 18193] [info]  Connection: Client IP: 172.30.128.127, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[10/Oct/2000 10:19:47 18193] [info]  Initial (No.1) HTTPS request received for child 0 (server foo:443)
[10/Oct/2000 10:19:47 18193] [trace] Reconfigured cipher suite will force renegotiation
[10/Oct/2000 10:19:47 18193] [info]  Requesting connection re-negotiation
[10/Oct/2000 10:19:47 18193] [trace] Performing full renegotiation: complete handshake protocol
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Handshake: start
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSL renegotiate ciphers
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 write hello request A
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: SSLv3 flush data
[10/Oct/2000 10:19:47 18193] [info]  Awaiting re-negotiation handshake
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Handshake: start
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Loop: before accept initialization
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Write: SSLv3 read client hello C
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Exit: error in SSLv3 read client hello C
[10/Oct/2000 10:19:47 18193] [error] Re-negotiation handshake failed: Not accepted by client!?
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Read: SSLv3 read client hello C
[10/Oct/2000 10:19:47 18193] [trace] OpenSSL: Exit: failed in SSLv3 read client hello C
[10/Oct/2000 10:19:47 18193] [error] SSL error on writing data (OpenSSL library error follows)
[10/Oct/2000 10:19:47 18193] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[10/Oct/2000 10:19:47 18193] [info]  Connection to child 0 closed with standard shutdown (server foo:443, client 172.30.128.127)
+++++++++++++++++++++++++++++++++

++++++ extract from httpd.conf ++++++
<IfModule mod_ssl.c>
SSLPassPhraseDialog     builtin
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex                file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<IfDefine SSL>
  Listen 172.30.4.201:80
  Listen 172.30.4.201:443
  NameVirtualHost 172.30.4.201:443
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  <VirtualHost 172.30.4.201:443>
    DocumentRoot "/usr/local/apache/htdocs/ssl/"
    ServerName foo.bar.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLVerifyClient none

    #Thawte-SuperCert
    SSLCertificateFile /etc/httpd/ssl.crt/foo.bar.com.crt

    SSLCertificateKeyFile /etc/httpd/ssl.key/foo.bar.com.key
    SSLCACertificatePath /etc/httpd/ssl.crt/
    SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
    SSLCARevocationPath /etc/httpd/ssl.crl/
    SSLCARevocationFile /etc/httpd/ssl.crl/thawte.pem.crl
    SSLProtocol All 
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    <Directory "/usr/local/apache/htdocs/ssl">
      Options Indexes FollowSymLinks
      AllowOverride None
      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv2:-EXP:+eNULL
      SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Directory> 
    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    SSLLogLevel trace
    SSLLog    /var/log/httpd/ssl_engine_log
    CustomLog /var/log/httpd/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\" %b"
  </VirtualHost>
</IfDefine>
+++++++++++++++++++++++++++++++++

I know this problem sounds like the known "IE-56-bit-trouble", but the error
occurs also with the 40-bit-IE-versions and with 40-/56-bit-Netscape (4.x)
too.

If you have any idea(s), suggestion(s), solution(s), please let me know.
Thanx

Andreas Schlenk
GFT Technologies AG

-- 
PGP-Public-Key available at http://www.fh-furtwangen.de/~schlenk
Internet: The biggest piece of pc-peripheral, on market.
WWW:      The slowest piece of pc-peripheral, on market.
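
Added example, not part of the original post: a parser for ssl_engine_log lines in the layout shown in the extract. It groups entries per child and reports connections that negotiated a cipher, were asked to renegotiate, and then refused the step-up. The sample lines are constructed from the extract, the function name is hypothetical, and the number after the timestamp is assumed to be the child process id.

```python
import re

# Line layout as in the extract: [date time N] [level] message.
# Assumption: N is the Apache child process id, used to group lines.
LINE = re.compile(r"^\[(\S+ \S+) (\d+)\] \[(\w+)\]\s+(.*)$")
CONN = re.compile(r"Client IP: ([\d.]+), Protocol: (\S+), "
                  r"Cipher: (\S+) \((\d+)/(\d+) bits\)")

# Constructed sample: unwrapped lines abridged from the extract in the post,
# plus one made-up 128-bit connection (18200) that needs no step-up.
SAMPLE = """\
[10/Oct/2000 10:19:47 18193] [info]  Connection: Client IP: 172.30.128.127, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[10/Oct/2000 10:19:47 18193] [info]  Requesting connection re-negotiation
[10/Oct/2000 10:19:47 18193] [error] Re-negotiation handshake failed: Not accepted by client!?
[10/Oct/2000 10:19:47 18193] [info]  Connection to child 0 closed with standard shutdown (server foo:443, client 172.30.128.127)
[10/Oct/2000 10:20:05 18200] [info]  Connection: Client IP: 172.30.128.50, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[10/Oct/2000 10:20:05 18200] [info]  Connection to child 1 closed with standard shutdown (server foo:443, client 172.30.128.50)
"""


def failed_stepups(log_text):
    """Return one record per connection whose renegotiation was refused."""
    open_conn = {}   # child id -> connection currently being served
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # mail-wrapped or foreign line
        when, child, _level, msg = m.groups()
        c = CONN.search(msg)
        if c:
            open_conn[child] = {
                "time": when, "child": child, "client": c.group(1),
                "protocol": c.group(2), "cipher": c.group(3),
                "used_bits": int(c.group(4)), "reneg_requested": False,
            }
        elif child not in open_conn:
            continue
        elif msg.startswith("Requesting connection re-negotiation"):
            open_conn[child]["reneg_requested"] = True
        elif msg.startswith("Re-negotiation handshake failed"):
            if open_conn[child]["reneg_requested"]:
                failures.append(open_conn[child])
        elif msg.startswith("Connection to child") and "closed" in msg:
            del open_conn[child]
    return failures


if __name__ == "__main__":
    for f in failed_stepups(SAMPLE):
        print(f"{f['time']} {f['client']} {f['protocol']} "
              f"{f['cipher']} ({f['used_bits']}-bit) refused step-up")
```

It expects each log entry on one line, as mod_ssl writes it; entries wrapped by a mail client have to be rejoined first.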