Good call. I'll bet that's it. If the certificate was generated for
snakeoil.dom and that is not the name of the site or IE does not have the
root certificate for the SnakeOil CA, IE will raise flags and have
problems. Try getting a test certificate from http://www.thawte.com (have
them sign your .csr file and copy the result into your .crt).

Have you tried connecting with Netscape 4.x? What were the results?

Glenn Strauss
<[EMAIL PROTECTED]>
Systems Administrator, E-Quill Corporation
-------------------------------------------------------
Mark up and draw on web pages! http://www.e-quill.com/

On Thu, 16 Nov 2000, David Rees wrote:
> Can you comment out SSLCertificateKeyFile?
>
> How was the certificate generated?
>
> -Dave
>
> On Thu, Nov 16, 2000 at 01:22:54AM -0600, Brendon Maragia wrote:
> > Thanks everyone for your suggestions :) but it's still not working :( I
> > will do anything to get this working :( Here is my new virtual host. I took
> > your suggestions to heart, however, some of them are giving me errors. For
> > instance if I try to use strictly sslv2 I get this error when trying to
> > connect with a msie5.x browser...
> >
> > [error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet
> >
> > Here are some additional errors I've received when using sslv3..
> >
> > [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >
> > ok here is the most important part of my httpd.conf... again hehe
> >
> > <IfDefine SSL>
> > Listen 216.186.181.230:443
> > NameVirtualHost 216.186.181.230:443
> > </IfDefine>
> >
> > <VirtualHost 216.186.181.230:443>
> >
> > DocumentRoot /home/commaflex/public_html/checkout
> > ServerAdmin [EMAIL PROTECTED]
> > ServerName checkout.commaflex.com
> > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> >
> > SSLEngine on
> > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> > SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> > nokeepalive ssl-unclean-shutdown \
> > downgrade-1.0 force-response-1.0
> >
> > <Files ~ "\.(cgi|shtml)$">
> > SSLOptions +StdEnvVars
> > </Files>
> >
> > <Directory "/usr/local/apache/htdocs/cgi-bin">
> > SSLOptions +StdEnvVars
> > </Directory>
> >
> > CustomLog /var/log/apache_ssl_request_log \
> > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > SSLLogLevel debug
> >
> > </VirtualHost>
> >
> >
> > ..I went ahead and 'deleted the SSLCertificateChainFile', 'deleted the
> > SSLCipherSuite', and changed it to SSLProtocol SSLv2, however all these
> > resulted in where errors :(. I would appreciate so very much any more
> > suggestions that anyone has.
> >
> > P.S. With the virtual host configuration I'm using above, the server
> > reports NO errors. It completes the handshake successfully and then shuts
> > the connection, leaving me with a 'page cannot be displayed'.
> >
> > brendon
> >
> > >From: Austin Gonyou <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: somebody shoot me, please
> > >Date: Wed, 15 Nov 2000 22:42:56 GMT
> > >
> > >Have you tried not loading the chain file and commenting out the
> > >SSLCipherSuite stuff?
> > >Austin
> > >
> > > >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> > >
> > >On 11/15/00, 4:15:59 PM, Brendon Maragia <[EMAIL PROTECTED]> wrote
> > >regarding Re: somebody shoot me, please:
> > >
> > >
> > > > Thanks for the idea, Dan but it didn't work :( . Anybody else have any
> > > > suggestions? This is getting to be ridiculous lol :( Am I doomed? Am I
> > > > going to have to use Apache-SSL? Ahh god please say no!!!
> > >
> > >
> > > > >From: Dan Roscigno <[EMAIL PROTECTED]>
> > > > >Reply-To: [EMAIL PROTECTED]
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: Re: somebody shoot me, please
> > > > >Date: Wed, 15 Nov 2000 08:05:00 -0800 (PST)
> > > > >
> > > > >
> > > > >I think you might need to limit the ciphers you accept. To get all of my
> > > > >(known) clients working I watched my logs to see what cipher was being used
> > > > >by the clients which failed and then removed that from the list (with a
> > > > >`!'). Here is what I ended up with:
> > > > >
> > > > >SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > > >
> > > > >The EXP1024-* ciphers were my problems.
> > > > >
> > > > >Dan Roscigno [EMAIL PROTECTED]
> > > > >(425)864-5540
> > > > >
> > > > >On Wed, 15 Nov 2000, Brendon Maragia wrote:
> > > > >
> > > > > > > First I'd like to thank everyone for their advice about my MOD_SSL +
> > > > > > > MSIE5.x problem. I recompiled everything WITHOUT rsaref-2.0 and I still
> > > > > > > cannot get a connection with MSIE5.5 only MSIE4.0 & 5.0. Here's a quick
> > > > > > > rundown of what I'm running and the virtual host I'm trying to connect to...
> > > > > >
> > > > > > apache_1.3.14
> > > > > > mod_ssl-2.7.1-1.3.14
> > > > > > openssl-0.9.6
> > > > > >
> > > > > > My Virtual Host:
> > > > > >
> > > > > > <VirtualHost 216.186.181.230:443>
> > > > > > DocumentRoot /home/commaflex/public_html/checkout
> > > > > > ServerAdmin [EMAIL PROTECTED]
> > > > > > ServerName checkout.commaflex.com
> > > > > > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > > > > > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> > > > > > SSLEngine on
> > > > > >
> > > > > > > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> > > > > > >
> > > > > > > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> > > > > > >
> > > > > > > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > > > > > > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> > > > > >
> > > > > > <Files ~ "\.(cgi|shtml)$">
> > > > > > SSLOptions +StdEnvVars
> > > > > > </Files>
> > > > > > <Directory "/usr/local/apache/htdocs/cgi-bin">
> > > > > > SSLOptions +StdEnvVars
> > > > > > </Directory>
> > > > > >
> > > > > > > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> > > > > >
> > > > > > CustomLog /var/log/apache_ssl_request_log \
> > > > > > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > > > > > SSLLogLevel debug
> > > > > > </VirtualHost>
> > > > > >
> > > > > > > ...I've checked all my logs upon trying to connect with MSIE5.0 and the
> > > > > > > server seems to execute a standard handshake, and then gracefully execute a
> > > > > > > standard shutdown with no complaints.
> > > > > > >
> > > > > > > All I get from MSIE5.x is "Page Could Not Be Displayed". Could someone
> > > > > > > pleassee pleaseee help :)
> > > > > >
> > > > > > Brendon
> > > > > >
> > > > > >
> > > > > > > ______________________________________________________________________
> > > > > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > > > > > User Support Mailing List [EMAIL PROTECTED]
> > > > > > > Automated List Manager [EMAIL PROTECTED]
> > > > > >
> > > > >
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
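
The two checks suggested at the top of this thread (does the certificate name
match the ServerName, and does it chain to a CA the client knows), as an added
example that is not part of the original messages. The function names, the
throwaway CA and the generated files are assumptions made for the demo; only
the names snakeoil.dom and checkout.commaflex.com come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All certificates are generated here as
# constructed demo data; function names are hypothetical.

# Print the subject commonName of PEM certificate $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Classify certificate $1 against CA file $2 and host name $3.
# Prints one of: ok, name-mismatch, unknown-ca.
check_cert() {
    if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo unknown-ca      # the client would answer with an "unknown ca" alert
    elif openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'; then
        echo ok
    else
        echo name-mismatch   # certificate was issued for a different site name
    fi
}

# Build a throwaway CA and a server certificate for CN $2 in directory $1.
# The .csr is signed into the .crt, the same step the thread describes.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA for $2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Reproduce the suspected situation: a certificate issued for snakeoil.dom
# served from a vhost whose ServerName is checkout.commaflex.com.
demo() {
    d=$(mktemp -d) && make_demo_pki "$d" snakeoil.dom || return 1
    echo "certificate CN: $(cert_cn "$d/server.crt")"
    echo "as snakeoil.dom: $(check_cert "$d/server.crt" "$d/ca.crt" snakeoil.dom)"
    echo "as checkout.commaflex.com:" \
        "$(check_cert "$d/server.crt" "$d/ca.crt" checkout.commaflex.com)"
    rm -rf "$d"
}
demo
```

Against a real server, point check_cert at the file named by SSLCertificateFile,
the CA file the clients are expected to trust, and the ServerName of the vhost.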