Hi,

the scenario for my problem is the following:

         x86 Linux 2.2.16
         apache 1.3.12
         mod_ssl 2.6.5
         openssl 0.9.5a
         netscape 4.7x
         ie >= 5.0

ssl-connections with netscape work fine.

ssl-connections with ie don't.
i have done the "SetEnvIf - Thing" in httpd.conf, and configured apache not 
to require client certificates.
but it doesn't work.
if i drive ie in "default-config" the ssl_engine_ssl_log says the following:

================================================================================================================================================================================

[07/Nov/2000 13:41:37 13519] [info]  Connection to child 5 established 
(server www2.xxx.yyy:443, client XXX.XXX.XXX.XXX)
[07/Nov/2000 13:41:37 13519] [info]  Seeding PRNG with 1160 bytes of entropy
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Handshake: start
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: before/accept 
initialization
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: read 11/11 bytes from 
BIO#081F30C0 [mem: 081FA820] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 6a 01 03 01 00 51 00-00 00 10                 .j....Q....      |
+-------------------------------------------------------------------------+
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: read 97/97 bytes from 
BIO#081F30C0 [mem: 081FA82B] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 8f 80 01 80 00 03 80 00-01 81 00 01 81 00 03 82  ................ |
| 0010: 00 01 00 00 04 00 00 05-00 00 0a 83 00 04 84 80  ................ |
| 0020: 40 01 00 80 07 00 c0 03-00 80 00 00 09 06 00 40  @..............@ |
| 0030: 00 00 64 00 00 62 00 00-03 00 00 06 83 00 04 84  ..d..b.......... |
| 0040: 28 40 02 00 80 04 00 80-00 00 13 00 00 12 00 00  (@.............. |
| 0050: 63 18 9c 3e 82 01 35 de-6d aa cb 10 63 b8 99 ad  c..>..5.m...c... |
| 0060: ba                                               .                |
+-------------------------------------------------------------------------+
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 read client hello A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write server hello A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write certificate A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write server done A
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: write 842/842 bytes to 
BIO#081F30C0 [mem: 08207CB8] (BIO dump follows)
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 flush data
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: read 0/5 bytes from 
BIO#081F30C0 [mem: 081FA820] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Exit: failed in SSLv3 read 
client certificate A
[07/Nov/2000 13:41:37 13519] [info]  Spurious SSL handshake interrupt[Hint: 
Usually just one of those OpenSSL confusions!?]

================================================================================================================================================================================

if i configure ie to use only sslv2, it says:

================================================================================================================================================================================

[07/Nov/2000 13:43:22 13520] [info]  Connection to child 6 established 
(server www2.xxx.yyy:443, client xxx.xxx.xxx.xxx)
[07/Nov/2000 13:43:22 13520] [info]  Seeding PRNG with 1160 bytes of entropy
[07/Nov/2000 13:43:22 13520] [trace] OpenSSL: Handshake: start
[07/Nov/2000 13:43:22 13520] [trace] OpenSSL: Loop: before/accept 
initialization
[07/Nov/2000 13:43:22 13520] [debug] OpenSSL: read 11/11 bytes from 
BIO#081F30C0 [mem: 081F8808] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 2b 01 00 02 00 12 00-00 00 10                 .+.........      |
+-------------------------------------------------------------------------+
[07/Nov/2000 13:43:22 13520] [debug] OpenSSL: read 34/34 bytes from 
BIO#081F30C0 [mem: 0820595B] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 01 00 80 07 00 c0 03 00-80 06 00 40 02 00 80 04  ...........@.... |
| 0010: 00 80 6e b0 f0 6a 62 a7-a9 5b b9 51 cc eb d9 da  ..n..jb..[.Q.... |
| 0020: f6 cc                                            ..               |
+-------------------------------------------------------------------------+
[07/Nov/2000 13:43:22 13520] [trace] OpenSSL: Loop: SSLv2 read client hello A
[07/Nov/2000 13:43:22 13520] [debug] OpenSSL: write 786/786 bytes to 
BIO#081F30C0 [mem: 0820D959] (BIO dump follows)
[07/Nov/2000 13:43:22 13520] [trace] OpenSSL: Loop: SSLv2 write server hello A
[07/Nov/2000 13:43:22 13520] [debug] OpenSSL: read 0/2 bytes from 
BIO#081F30C0 [mem: 08205950] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[07/Nov/2000 13:43:22 13520] [trace] OpenSSL: Exit: failed in SSLv2 read 
client master key A
[07/Nov/2000 13:43:22 13520] [info]  SSL handshake stopped: connection was 
closed

================================================================================================================================================================================

because we are in setup phase, the servername differs from name in cert, 
but it doesn't matter, if i change ServerName-directive in httpd.conf to 
match name in certificate.
i also think, ie should give a message, if names differ, and not display a 
dns error (can't find server)


Thank you very much for your help.


IQENA GmbH
J�rg Jung
Customer Solutions

IQENA GmbH - Dechenstrasse 14 - 53115 Bonn - Germany
T +49. (0)228. 72620-524 - F +49. (0)228. 72620-580
mailto: [EMAIL PROTECTED] - http://www.iqena.com 
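
Added example, not part of the original post: a decoder for the SSLv2-format client hello that both log excerpts show IE sending, fed with the bytes from the short BIO dumps above. The function name and the cipher-kind table are this example's own; cipher specs that are neither standard SSLv2 kinds nor SSLv3/TLS suites are reported as unrecognised.

```python
import struct

# Bytes copied from the BIO dumps in the two log excerpts above: the 11-byte
# header read followed by the 97-byte (default) and 34-byte (SSLv2-only) reads.
IE_DEFAULT = bytes.fromhex(
    "80 6a 01 03 01 00 51 00 00 00 10"
    "8f 80 01 80 00 03 80 00 01 81 00 01 81 00 03 82"
    "00 01 00 00 04 00 00 05 00 00 0a 83 00 04 84 80"
    "40 01 00 80 07 00 c0 03 00 80 00 00 09 06 00 40"
    "00 00 64 00 00 62 00 00 03 00 00 06 83 00 04 84"
    "28 40 02 00 80 04 00 80 00 00 13 00 00 12 00 00"
    "63 18 9c 3e 82 01 35 de 6d aa cb 10 63 b8 99 ad ba")
IE_SSL2_ONLY = bytes.fromhex(
    "80 2b 01 00 02 00 12 00 00 00 10"
    "01 00 80 07 00 c0 03 00 80 06 00 40 02 00 80 04"
    "00 80 6e b0 f0 6a 62 a7 a9 5b b9 51 cc eb d9 da f6 cc")

# Standard SSLv2 cipher kinds; anything else is reported as raw hex.
SSL2_KINDS = {
    "010080": "RC4_128_WITH_MD5", "020080": "RC4_128_EXPORT40_WITH_MD5",
    "030080": "RC2_128_CBC_WITH_MD5", "040080": "RC2_128_CBC_EXPORT40_WITH_MD5",
    "060040": "DES_64_CBC_WITH_MD5", "0700c0": "DES_192_EDE3_CBC_WITH_MD5",
}


def parse_v2_client_hello(buf):
    """Decode an SSLv2-format CLIENT-HELLO (2-byte record header)."""
    if len(buf) < 11 or not buf[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = struct.unpack(">H", buf[:2])[0] & 0x7FFF
    msg_type, major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", buf[2:11])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    # The record length must match both the buffer and the three length fields.
    if rec_len != len(buf) - 2 or rec_len != 9 + spec_len + sid_len + chal_len:
        raise ValueError("length fields disagree with record size")
    if spec_len % 3:
        raise ValueError("cipher-spec length is not a multiple of 3")
    specs = [buf[i:i + 3] for i in range(11, 11 + spec_len, 3)]
    v3 = [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0]
    v2 = [s.hex() for s in specs if s[0] != 0]
    return {
        "version": (major, minor),            # (3, 1) means TLS 1.0 is offered
        "v3_suites": v3,                       # SSLv3/TLS suites: 00 xx yy
        "v2_kinds": [SSL2_KINDS[k] for k in v2 if k in SSL2_KINDS],
        "unrecognised": [k for k in v2 if k not in SSL2_KINDS],
        "challenge": buf[11 + spec_len + sid_len:],
    }
```

Both captured hellos pass the length checks, so the client's first message is well-formed in each case; the default-config one offers version (3, 1) with 27 cipher specs, the SSLv2-only one offers (0, 2) with six.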
