Why is mod_ssl OK with NN 4.5?!

Thu, 15 Feb 2001 08:47:42 -0800 


Hi,

This is NOT a bug report for mod_ssl - apologies in advance for asking a 
slightly odd question.

I have some server code that uses openSSL.  During testing we have found a 
problem with Netscape Navigator 4.5 on NT.  The browser connects to Apache 
(openSA, using mod_ssl and openSSL 0.9.5) with (almost - see below) no 
problems.  However, the same browser will not connect to my server.

After spending the day trying to find differences in the code I am starting 
to wonder whether mod_ssl has a patch applied that is not in OpenSSL.  Is 
that possible?  (the mod_ssl I am using comes precompiled from 
openSA).  Can anyone suggest any other possible difference (see details below)?

OK, in more detail:
- my "server" is not a general HTTP server (we use Apache for that), so we 
can't just switch to Apache.
- both Apache/mod_ssl and my server are presenting the same certificate + key
- other browsers (NN 4.7 (high security), IE 5.0 (low security), IE 5.5 
(high security)) work just fine with both
- I am using OpenSSL 0.9.5 (I downgraded so that I could be sure I was 
comparing like with like)
- I am using all cipher suites, with the same cipher select ("ALL:...") 
statement for both servers
- I am using SSLv3_method in my code and SSLProtocol: SSLv3 in Apache/mod_ssl
- SSL diagnostics from my own server indicate that SSL3_GET_RECORD is 
seeing the wrong version
- NN reports "connection refused"
- If I change to SSLv2_method then I can get NN 4.5 to work (but we need v3)
- Apache/mod_ssl is negotiating a v3 cipher (EXP-RC4-MD5)
- The only slight wrinkle in the Apache/mod_ssl engine log is an 
intermittent read error in BIO (5 bytes not read), but this appears to be 
caught immediately and re-read (and also occurs during data transfer, after 
the SSL handshake has completed).

So can anyone shed any light on this?  As you can imagine, I'm frustrated 
and confused.  How does mod_ssl manage to work?! :-)

Thanks,
Andrew

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to