Is there nobody in this list who can help me?
I _guess_ it's a simple configuration problem,
but I didn't find an answer in the FAQ or in the mailing-list archive.
pls help
Henning
> -----Urspr�ngliche Nachricht-----
> Von: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> Gesendet am: Mittwoch, 9. Mai 2001 11:23
> An: [EMAIL PROTECTED]
> Betreff: RE: Network Error: Connection refused
>
> I discovered that I could partially work around this problem by
configuring
> the Netscape browser as follows:
> In Security Info / Navigator / Configure SSL v3 :
> [x] RC4 encryption with a 128-bit key and an MD5 MAC (When
> permitted)
> [x] FIPS 140-1 compliant triple DES encryption and SHA-1 MAC (When
> permitted)
> [x] Triple DES encryption with a 168-bit key and a SHA-1 MAC (When
> permitted)
> [ ] RC4 encryption with a 56-bit key and a SHA-1 MAC
> [ ] DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
> [ ] RC4 encryption with a 40-bit key and an MD5 MAC
> [ ] RC2 encryption with a 40-bit key and an MD5 MAC
> [ ] No encryption with an MD5 MAC
> That is, I cleared the checkboxes 4,5,6,7 which were checked by default.
>
> However, when I open the page now, I get a messagebox:
> New Site Certificate
> Certificate for: ...
> Signed by: Verisign Trust Network
> Encryption: Export Grade (RC4-Export with 40-bit
> secret key)
>
> shouldn't it be possible with a Verisign Global Server ID to
> have 128 bit encryption with Netscape 4.7, too?
> And why does Netscape Navigator complain about the certificate at all
> whereas Internet Explorer doesn't?
>
> Please help.
>
> Henning
>
> > -----Urspr�ngliche Nachricht-----
> > Von: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> > Gesendet am: Dienstag, 8. Mai 2001 16:13
> > An: [EMAIL PROTECTED]
> > Betreff: Network Error: Connection refused
> >
> > We have a web site running
> > Oracle iAS 1.0.1 for NT alias Apache 1.3.12 / mod_ssl 2.6.4 / OpenSSL
> 0.9.5a
> > on a Windows NT 4 workstation.
> > It has a Verisign Global Server ID installed.
> > I can access the SSL pages fine with Microsoft IE 5.0, 5.5 and KDE 2.1
> > Konqueror.
> >
> > However, when I try to access an SSL page with Netscape 4.7,
> > I get the following error message box:
> > Netscape
> > A network error occured while Netscape was receiving data.
> > (Network Error: Connection refused)
> > Try connecting again.
> >
> > Is this a Netscape bug or a server mis-configuration?
> >
> > One perhaps unusual thing is that we have a start page at
> > http://xxx.xxx.de/index.html
> > that redirects to https://xxx.xxx.de/ucl/html with
> > <meta http-equiv="refresh" content="1;
URL="https://xxx.xxx.de/ucl/html";>
> >
> > The Apache httpd.conf looks like this (excerpt).
> > I didn't change anything from the defaults except
> > ServerName, ServerAdmin, and the various certificate file locations.
> >
> > Any help is highly appreciated...
> >
> > Henning
> >
> >
> > ##
> > ## SSL Virtual Host Context
> > ##
> >
> > <VirtualHost _default_:443>
> >
> > # General setup for the virtual host
> > DocumentRoot "D:\iAS_101\Apache\Apache\htdocs"
> > ServerName xxx.xxx.de
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog logs/error_log
> > TransferLog logs/access_log
> >
> > # SSL Engine Switch:
> > # Enable/Disable SSL for this virtual host.
> > SSLEngine on
> >
> > # SSL Cipher Suite:
> > # List the ciphers that the client is permitted to negotiate.
> > # See the mod_ssl documentation for a complete list.
> > #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > # Server Certificate:
> > # Point SSLCertificateFile at a PEM encoded certificate. If
> > # the certificate is encrypted, then you will be prompted for a
> > # pass phrase. Note that a kill -HUP will prompt again. A test
> > # certificate can be generated with `make certificate' under
> > # built time. Keep in mind that if you've both a RSA and a DSA
> > # certificate you can configure both in parallel (to also allow
> > # the use of DSA ciphers, etc.)
> > #SSLCertificateFile \conf\ssl.crt\server.crt
> > SSLCertificateFile \conf\ssl.crt\tup.crt
> >
> > # Server Private Key:
> > # If the key is not combined with the certificate, use this
> > # directive to point at the key file. Keep in mind that if
> > # you've both a RSA and a DSA private key you can configure
> > # both in parallel (to also allow the use of DSA ciphers, etc.)
> > #SSLCertificateKeyFile conf\ssl.key\server.key
> > SSLCertificateKeyFile conf\ssl.key\key-tup
> >
> > # Server Certificate Chain:
> > # Point SSLCertificateChainFile at a file containing the
> > # concatenation of PEM encoded CA certificates which form the
> > # certificate chain for the server certificate. Alternatively
> > # the referenced file can be the same as SSLCertificateFile
> > # when the CA certificates are directly appended to the server
> > # certificate for convinience.
> > #SSLCertificateChainFile conf\ssl.crt\ca.crt
> >
> > # Certificate Authority (CA):
> > # Set the CA certificate verification path where to find CA
> > # certificates for client authentication or alternatively one
> > # huge file containing all of them (file must be PEM encoded)
> > # Note: Inside SSLCACertificatePath you need hash symlinks
> > # to point to the certificate files. Use the provided
> > # Makefile to update the hash symlinks after changes.
> > #SSLCACertificateFile conf\ssl.crt\ca-bundle.crt
> >
> > # Certificate Revocation Lists (CRL):
> > # Set the CA revocation path where to find CA CRLs for client
> > # authentication or alternatively one huge file containing all
> > # of them (file must be PEM encoded)
> > # Note: Inside SSLCARevocationPath you need hash symlinks
> > # to point to the certificate files. Use the provided
> > # Makefile to update the hash symlinks after changes.
> > #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl
> >
> > # Client Authentication (Type):
> > # Client certificate verification type and depth. Types are
> > # none, optional, require and optional_no_ca. Depth is a
> > # number which specifies how deeply to verify the certificate
> > # issuer chain before deciding the certificate is not valid.
> > #SSLVerifyClient require
> > #SSLVerifyDepth 10
> >
> > # Access Control:
> > # With SSLRequire you can do per-directory access control based
> > # on arbitrary complex boolean expressions containing server
> > # variable checks and other lookup directives. The syntax is a
> > # mixture between C and Perl. See the mod_ssl documentation
> > # for more details.
> > #<Location />
> > #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
> > # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
> > # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #</Location>
> >
> > # SSL Engine Options:
> > # Set various options for the SSL engine.
> > # o FakeBasicAuth:
> > # Translate the client X.509 into a Basic Authorisation. This means
> > that
> > # the standard Auth/DBMAuth methods can be used for access control.
> The
> > # user name is the `one line' version of the client's X.509
> certificate.
> > # Note that no password is obtained from the user. Every entry in
the
> > user
> > # file needs this password: `xxj31ZMTZzkVA'.
> > # o ExportCertData:
> > # This exports two additional environment variables: SSL_CLIENT_CERT
> and
> > # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
> > # server (always existing) and the client (only existing when client
> > # authentication is used). This can be used to import the
certificates
> > # into CGI scripts.
> > # o StdEnvVars:
> > # This exports the standard SSL/TLS related `SSL_*' environment
> > variables.
> > # Per default this exportation is switched off for performance
> reasons,
> > # because the extraction step is an expensive operation and is
usually
> > # useless for serving static content. So one usually enables the
> > # exportation for CGI and SSI requests only.
> > # o CompatEnvVars:
> > # This exports obsolete environment variables for backward
> compatibility
> > # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x.
Use
> > this
> > # to provide compatibility to existing CGI scripts.
> > # o StrictRequire:
> > # This denies access when "SSLRequireSSL" or "SSLRequire" applied
even
> > # under a "Satisfy any" situation, i.e. when it applies access is
> denied
> > # and no other module can change it.
> > # o OptRenegotiate:
> > # This enables optimized SSL connection renegotiation handling when
> SSL
> > # directives are used in per-directory context.
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > <Files ~ "\.(cgi|shtml)$">
> > SSLOptions +StdEnvVars
> > </Files>
> > <Directory "cgi-bin">
> > SSLOptions +StdEnvVars
> > </Directory>
> >
> > # SSL Protocol Adjustments:
> > # The safe and default but still SSL/TLS standard compliant shutdown
> > # approach is that mod_ssl sends the close notify alert but doesn't
wait
> > for
> > # the close notify alert from client. When you need a different
shutdown
> > # approach you can use one of the following variables:
> > # o ssl-unclean-shutdown:
> > # This forces an unclean shutdown when the connection is closed,
i.e.
> no
> > # SSL close notify alert is send or allowed to received. This
> violates
> > # the SSL/TLS standard but is needed for some brain-dead browsers.
Use
> > # this when you receive I/O errors because of the standard approach
> > where
> > # mod_ssl sends the close notify alert.
> > # o ssl-accurate-shutdown:
> > # This forces an accurate shutdown when the connection is closed,
i.e.
> a
> > # SSL close notify alert is send and mod_ssl waits for the close
> notify
> > # alert of the client. This is 100% SSL/TLS standard compliant, but
in
> > # practice often causes hanging connections with brain-dead
browsers.
> > Use
> > # this only for browsers where you know that their SSL
implementation
> > # works correctly.
> > # Notice: Most problems of broken clients are also related to the HTTP
> > # keep-alive facility, so you usually additionally want to disable
> > # keep-alive for those clients, too. Use variable "nokeepalive" for
> this.
> > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> >
> > # Per-Server Logging:
> > # The home of a custom SSL log file. Use this when you want a
> > # compact non-error SSL logfile on a virtual host basis.
> > CustomLog logs/ssl_request_log \
> > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > </VirtualHost>
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
