Can you comment out SSLCertificateKeyFile?
How was the certificate generated?
-Dave
On Thu, Nov 16, 2000 at 01:22:54AM -0600, Brendon Maragia wrote:
> Thanks everyone for your suggestions :) but it's still not working :( I
> will do anything to get this working :( here is my new virtual host i took
> your suggestions to heart, however, some of them are giving me errors. For
> instance if I try to use strictly sslv2 I get this error when trying to
> connect with a msie5.x browser...
>
> [error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet
>
> here are some additional errors i've received when using sslv3..
>
> [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> ok here is the most important part of my httpd.conf... again hehe
>
> <IfDefine SSL>
> Listen 216.186.181.230:443
> NameVirtualHost 216.186.181.230:443
> </IfDefine>
>
> <VirtualHost 216.186.181.230:443>
>
> DocumentRoot /home/commaflex/public_html/checkout
> ServerAdmin [EMAIL PROTECTED]
> ServerName checkout.commaflex.com
> ErrorLog /home/commaflex/public_html/checkout/.error.log
> TransferLog /home/commaflex/public_html/checkout/.transfer.log
>
> SSLEngine on
> SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> <Files ~ "\.(cgi|shtml)$">
> SSLOptions +StdEnvVars
> </Files>
>
> <Directory "/usr/local/apache/htdocs/cgi-bin">
> SSLOptions +StdEnvVars
> </Directory>
>
> CustomLog /var/log/apache_ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> SSLLogLevel debug
>
> </VirtualHost>
>
>
> ..I went ahead and 'deleted the SSLCertificateChainFile', 'deleted the
> SSLCipherSuite', and changed it to SSLProtocol SSLv2, however all these
> resulted in where errors :(. I would appreciate so very much any more
> suggestions that anyone has.
>
> P.S. with the virtual host configuration i'm using above, the server
> reports NO errors it completes the hand shake successfully and then shuts
> the connection leaving me with a 'page cannot be displayed'.
>
> brendon
>
> >From: Austin Gonyou <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED]
> >Subject: Re: somebody shoot me, please
> >Date: Wed, 15 Nov 2000 22:42:56 GMT
> >
> >Have you tried not loading the chain file and commenting out the
> >SSLCipherSuite stuff?
> >Austin
> >
> > >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> >
> >On 11/15/00, 4:15:59 PM, Brendon Maragia <[EMAIL PROTECTED]> wrote
> >regarding Re: somebody shoot me, please:
> >
> >
> > > Thanks for the idea, Dan but it didn't work :( . Anybody else have any
> > > suggestions? This is getting to be ridiculous lol :( Am I doomed? Am I
> > > going to have to use Apache-SSL? Ahh god please say no!!!
> >
> >
> > > >From: Dan Roscigno <[EMAIL PROTECTED]>
> > > >Reply-To: [EMAIL PROTECTED]
> > > >To: [EMAIL PROTECTED]
> > > >Subject: Re: somebody shoot me, please
> > > >Date: Wed, 15 Nov 2000 08:05:00 -0800 (PST)
> > > >
> > > >
> > > > >I think you might need to limit the ciphers you accept. To get all of my
> > > > >(known) clients working I watched my logs to see what cipher was being used
> > > > >by the clients which failed and then removed that from the list (with a
> > > > >`!'). Here is what I ended up with:
> > > > >
> > > > >SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > > >
> > > > >The EXP1024-* ciphers were my problems.
> > > >
> > > >Dan Roscigno [EMAIL PROTECTED]
> > > >(425)864-5540
> > > >
> > > >On Wed, 15 Nov 2000, Brendon Maragia wrote:
> > > >
> > > > > > First i'd like to thank everyone for their advice about my MOD_SSL + MSIE5.x
> > > > > > problem. I recompiled everything WITHOUT rsaref-2.0 and I still cannot get
> > > > > > a connection with MSIE5.5 only MSIE4.0 & 5.0. Here's a quick run down of
> > > > > > what i'm running and the virtual host i'm trying to connect to...
> > > > >
> > > > > apache_1.3.14
> > > > > mod_ssl-2.7.1-1.3.14
> > > > > openssl-0.9.6
> > > > >
> > > > > My Virtual Host:
> > > > >
> > > > > <VirtualHost 216.186.181.230:443>
> > > > > DocumentRoot /home/commaflex/public_html/checkout
> > > > > ServerAdmin [EMAIL PROTECTED]
> > > > > ServerName checkout.commaflex.com
> > > > > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > > > > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> > > > > SSLEngine on
> > > > >
> > > > > > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> > > > > >
> > > > > > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> > > > > >
> > > > > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > > > > > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> > > > >
> > > > > <Files ~ "\.(cgi|shtml)$">
> > > > > SSLOptions +StdEnvVars
> > > > > </Files>
> > > > > <Directory "/usr/local/apache/htdocs/cgi-bin">
> > > > > SSLOptions +StdEnvVars
> > > > > </Directory>
> > > > >
> > > > > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > > > >
> > > > > CustomLog /var/log/apache_ssl_request_log \
> > > > > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > > > SSLLogLevel debug
> > > > > </VirtualHost>
> > > > >
> > > > > > ...I've checked all my logs upon trying to connect with MSIE5.0 and the
> > > > > > server seems to execute a standard hand shake, and then gracefully execute a
> > > > > > standard shutdown with no complaints.
> > > > > >
> > > > > > All I get from MSIE5.x is "Page Could Not Be Displayed". Could someone
> > > > > > pleassee pleaseee help :)
> > > > >
> > > > > Brendon
> > > > >
> > > > > > ______________________________________________________________________
> > > > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > > > > User Support Mailing List [EMAIL PROTECTED]
> > > > > > Automated List Manager [EMAIL PROTECTED]
> > > > >
> > > >
> > > >______________________________________________________________________
> > > >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > >User Support Mailing List [EMAIL PROTECTED]
> > > >Automated List Manager [EMAIL PROTECTED]
> >
> > > ________________________________________________________________________
> > > _____________
> > > Get more from the Web. FREE MSN Explorer download :
> > > http://explorer.msn.com
> >
> > > ______________________________________________________________________
> > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > User Support Mailing List [EMAIL PROTECTED]
> > > Automated List Manager [EMAIL PROTECTED]
> >______________________________________________________________________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List [EMAIL PROTECTED]
> >Automated List Manager [EMAIL PROTECTED]
>
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
> Share information about yourself, create your own public profile at
> http://profiles.msn.com.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
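
Added example, not part of the original thread: it decodes the packed error codes in the two mod_ssl log lines quoted above, using the ERR_PACK layout of OpenSSL 0.9.x through 1.1.x (8-bit library, 12-bit function, 12-bit reason). In the SSL library a reason of 1000 or more is an alert received from the peer, so `unknown ca` here is the browser rejecting the server's certificate chain. The function name `decode` and the alert table are this example's own.

```python
import re

# ERR_PACK layout in OpenSSL 0.9.x through 1.1.x:
# bits 31-24 = library, bits 23-12 = function, bits 11-0 = reason.
ERR_LIB_SSL = 0x14            # library number 20
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 mirror a received alert

# Subset of TLS alert descriptions (RFC 2246) that concern certificates.
ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

LINE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode(line):
    """Split an 'OpenSSL: error:XXXXXXXX:...' log line into its fields."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET   # alert sent by the peer
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": m.group(3), "text": m.group(4).strip(),
        "peer_alert": alert, "peer_alert_name": ALERTS.get(alert),
    }

# The two error lines quoted in the thread, with the mail wrapping undone.
SAMPLE = [
    "[error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet",
    "[error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        d = decode(entry)
        origin = "alert from client" if d["peer_alert"] is not None else "local error"
        print(f'{d["func_name"]}: reason={d["reason"]} ({origin}) {d["text"]}')
```
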