Hi Carl,

Unfortunately, I have had no luck in tracking down or fixing this 
problem.  And it's really a big problem in my opinion.  I haven't had 
enough time to really dig deep on using openssl to debug the connection 
- but I don't really know what I would be looking for 
specifically.  Fortunately (I guess otherwise I would have a special bald 
spot on my head!), I have access to a broken MSIE browser available in my 
office that I can use to repeatedly test the server for errors - so there 
is a way of trying to find the problem.

Here is what I have tried:

openssl s_server -accept 4443 -WWW -cert 
/usr/local/apache/conf/ssl.crt/www.condoms.net.crt -key 
/usr/local/apache/conf/ssl.key/www.condoms.net.key -state -debug

When I use this, I get this:

Using default temp DH parameters
ACCEPT

and the system waits for me forever - and I am not sure what to put in.

openssl s_client -connect condoms.net:443

CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Condom 
Sense/OU=DN/CN=www.condoms.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom 
Sense/OU=DN/CN=www.condoms.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom 
Sense/OU=DN/CN=www.condoms.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/C=US/ST=California/L=San Francisco/O=Condom 
Sense/OU=DN/CN=www.condoms.net
    i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Condom 
Sense/OU=DN/CN=www.condoms.net
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1539 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : EDH-RSA-DES-CBC3-SHA
     Session-ID: 
2917B720C36856CC4B2CB63951F9502C449D28905F58FFFF56BF2418AA916E74
     Session-ID-ctx:
     Master-Key: 
8DB2F877627C8AEE402DBC388F9ACB72C397637E70C87D43AFD7735E2949827C4AAFA6903D88BA7F3B99AFBFAD5BECE4
     Key-Arg   : None
     Start Time: 1015525852
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---

>>Seems like Microsoft deliberately put some broken SSL implementation in

Seems pretty amazing to me that all of the commercial servers that use 
mod_ssl as a base would or wouldn't have this same issue - but I have not 
heard of any problems like this with other apache servers like Raven, 
Stronghold, etc...  Maybe there are problems - but I have not been able to 
find any mention of them.  And, it seems very convenient to MS in light of 
their IIS market share :-)

My server configuration has already been posted in a previous message (let 
me know if you need me to repost it).

Let me know if any of this makes sense to you or if you have any ideas.

Sincerely,

Christopher Taranto

At 10:52 AM 3/6/02 +0100, you wrote:
>Hello,
>
>I read your entries in a newsgroup.
>I am having exactly the same problem, and I don't want to tell my users
>"upgrade your browser, or use netscape".
>
>I wonder whether you finally found a solution to this embarrassing
>problem.
>Seems like Microsoft deliberately put some broken SSL implementation in
>their browser, in order to kill apache / openssl...
>
>Thx
>
>Carl D'Halluin
>Security Engineer.

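Added here as a worked example (not code from the thread, from mod_ssl or from OpenSSL): a small parser that reads an s_client transcript like the one quoted above and reports what the verify errors and the chain, as the server sent it, imply. The sample transcript is constructed from the quoted output with the certificate body left out, and the findings are the checks a server administrator would run next.

```python
import re

# Constructed sample modelled on the s_client transcript quoted in the thread
# (certificate body and session details omitted; they are not needed here).
SAMPLE = """\
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
    i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Extract the verify errors, the chain as the server sent it, and the cipher."""
    report = {"errors": [], "chain": [], "cipher": None}
    for line in text.splitlines():
        if m := re.match(r"verify error:num=(\d+):(.*)", line):
            report["errors"].append((int(m.group(1)), m.group(2).strip()))
        elif m := re.match(r"\s*\d+ s:(.*)", line):          # "  0 s:<subject>"
            report["chain"].append({"subject": m.group(1).strip(), "issuer": None})
        elif (m := re.match(r"\s*i:(.*)", line)) and report["chain"]:  # "    i:<issuer>"
            report["chain"][-1]["issuer"] = m.group(1).strip()
        elif m := re.search(r"Cipher is (\S+)", line):
            report["cipher"] = m.group(1)
    return report

def diagnose(report):
    """Findings a server admin would check next, derived only from the transcript."""
    findings = []
    chain = report["chain"]
    # One certificate that is not self-signed: the server relies on every client
    # already trusting the issuer, because it does not send the rest of the chain.
    if len(chain) == 1 and chain[0]["subject"] != chain[0]["issuer"]:
        findings.append("server sent only the leaf certificate; clients must already trust "
                        "its issuer, otherwise complete the chain (SSLCertificateChainFile)")
    # Error 20 on the client side just means s_client had no trust store to consult.
    if any(num == 20 for num, _ in report["errors"]):
        findings.append("s_client ran without a trust store; rerun with -CAfile <issuer cert>")
    return findings

if __name__ == "__main__":
    for finding in diagnose(parse_s_client(SAMPLE)):
        print("-", finding)
```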
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
