Hello Christopher,
I looked around on the www and this is our official statement towards our customers.
Maybe you can re-use it :-)
----
SSL Problem with certain versions of Internet Explorer / Internet Information Server
Certain versions of Internet Explorer contain bugs which
cause an incompatibility with all servers having an SSL implementation based on
openssl.
This includes all Apache webservers and commercial products based on Apache, such
as certain Oracle servers, Ubizen DMZ/Shield 3.0 and higher, and many other products.
This bug may also affect certain low-crypto distributions of Internet Information
Server.
Typical error messages experienced by the clients are:
Internet Explorer 4.x: The server returned an invalid or unrecognized response
Internet Explorer 5.x: Cannot find server or DNS Error
The bugs are caused by a certain Windows dll file, which influences all SSL software
on the client machines (or on the IIS server machine). The bug has been around for
more than two years, and Microsoft is well aware of this problem. They admit their
mistake and have an entire support page dedicated to it, containing a patch.
Customers experiencing problems with Internet Explorer when using SSL are recommended
to go to the Microsoft patch page and to install the fix.
The bug and its patch are very clearly documented at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247367
---
Greetings,
Carl
Christopher Taranto wrote:
> Hi Carl,
>
> Unfortunately, I have had no luck in tracking down or fixing this
> problem. And it's really a big problem in my opinion. I haven't had
> enough time to really dig deep on the using openssl to debug the connection
> - but I don't really know what I would be looking for
> specifically. Fortunately (I guess otherwise I would have a special bald
> spot on my head!), I have access to a broken MSIE browser available in my
> office that I can use to repeatedly test the server for errors - so there
> is a way of trying to find the problem.
>
> Here is what I have tried:
>
> openssl s_server -accept 4443 -WWW -cert
> /usr/local/apache/conf/ssl.crt/www.condoms.net.crt -key
> /usr/local/apache/conf/ssl.key/www.condoms.net.key -state -debug
>
> When I use this, I get this:
>
> Using default temp DH parameters
> ACCEPT
>
> and the system waits for me forever - and I am not sure what to put in.
>
> openssl s_client -connect condoms.net:443
>
> CONNECTED(00000003)
> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
> i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIID0zCCA0CgAwIBAgIQWlU/retDZkl/izm7HTNt4TANBgkqhkiG9w0BAQQFADBf
> MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4x
> LjAsBgNVBAsTJVNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
> HhcNMDExMTI1MDAwMDAwWhcNMDIxMTI4MjM1OTU5WjB4MQswCQYDVQQGEwJVUzET
> MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQNU2FuIEZyYW5jaXNjbzEVMBMG
> A1UEChQMQ29uZG9tIFNlbnNlMQswCQYDVQQLFAJETjEYMBYGA1UEAxQPd3d3LmNv
> bmRvbXMubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC91jpQDQ/gzKLn
> u4BLU9rkzp9RPVSTo10u/A7j4nBGHv9oJrswuNxJA5oyNF/naTHX0xNuzWK9LL7A
> cK/VwciZIHRCXkQq7Xh4pWbdOjRFBhKRmgt0L2roBggPx+ecaH+sUdNOqQvDq68n
> 0iyVCgnNEmGzTfIKiBN5dVJbHNTOnwIDAQABo4IBeTCCAXUwCQYDVR0TBAIwADAL
> BgNVHQ8EBAMCBaAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC52ZXJpc2ln
> bi5jb20vUlNBU2VjdXJlU2VydmVyLmNybDCBrAYDVR0gBIGkMIGhMIGeBgtghkgB
> hvhFAQcBATCBjjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
> L0NQUzBiBggrBgEFBQcCAjBWMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlT
> aWduJ3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmNlIGxpYWIuIGx0ZC4gKGMpOTcg
> VmVyaVNpZ24wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBkGCmCGSAGG
> +EUBBg8ECxYJOTI2MDIyNDI3MDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
> aHR0cDovL29jc3AudmVyaXNpZ24uY29tMA0GCSqGSIb3DQEBBAUAA34APutHvd2q
> aMtbW9hBuGRxGdMie9mgwQgcJC+8TX24M8eg9xKGHdk3u5sURI+I1tNgPRoeeVB0
> TKSgiIHkkYhiCEoQD6aJyRisaVeI4wI8NC1qXSSRcuDDra+52lPUQK9hMIpvzENo
> XV0Cj0KnaPVqkfr/4zRrU9UTE370Jqg=
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
> issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1539 bytes and written 314 bytes
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> 2917B720C36856CC4B2CB63951F9502C449D28905F58FFFF56BF2418AA916E74
> Session-ID-ctx:
> Master-Key: 8DB2F877627C8AEE402DBC388F9ACB72C397637E70C87D43AFD7735E2949827C4AAFA6903D88BA7F3B99AFBFAD5BECE4
> Key-Arg : None
> Start Time: 1015525852
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
>
> >>Seems like Microsoft deliberately put some broken SSL implementation in
>
> Seems pretty amazing to me that all of the commercial servers that use
> mod_ssl as a base would or wouldn't have this same issue - but I have not
> heard of any problems like this with other apache servers like Raven,
> Stronghold, etc... Maybe there are problems - but I have not been able to
> find any mention of them. And, it seems very convenient to MS in light of
> their IIS market share :-)
>
> My server configuration has already been posted in a previous message (let
> me know if you need me to repost it).
>
> Let me know if any of this makes sense to you or if you have any ideas.
>
> Sincerely,
>
> Christopher Taranto
>
> At 10:52 AM 3/6/02 +0100, you wrote:
> >Hello,
> >
> >I read your entries in a newsgroup.
> >I am having exactly the same problem, and I don't want to tell my users
> >"upgrade your browser, or use netscape".
> >
> >I wonder whether you finally found a solution to this embarrassing
> >problem.
> >Seems like Microsoft deliberately put some broken SSL implementation in
> >their browser, in order to kill apache / openssl...
> >
> >Thx
> >
> >Carl D'Halluin
> >Security Engineer.
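Christopher's `openssl s_client` transcript above already holds most of what a server operator would want to check: which verify errors OpenSSL raised and at what depth, which certificates the server actually sent, and the negotiated protocol, cipher and key size. The script below is an added example (not code from the thread, mod_ssl or OpenSSL) that parses such a transcript into those fields and turns them into findings. Its sample input is a constructed, abbreviated copy of the quoted session with the PEM body cut to one line. One caveat the transcript itself illustrates: `s_client` run without `-CAfile` has no trust store, so verify errors 20 and 21 are expected for any certificate whose issuer is not in the chain, and say nothing about what a browser with that CA installed would see; the chain-gap check therefore reports "issuer not sent" rather than "chain broken".

```python
import re

# Constructed fixture modelled on the s_client output quoted in the thread
# (PEM body truncated; session block abbreviated). Not a live capture.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID0zCCA0CgAwIBAgIQWlU/retDZkl/izm7HTNt4TANBgkqhkiG9w0BAQQFADBf
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
"""

VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJ_RE = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISS_RE = re.compile(r"^\s+i:(.*)$")
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)")
KEYBITS_RE = re.compile(r"^Server public key is (\d+) bit")
VERIFY_CODE_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)")


def parse_s_client(text):
    """Extract the diagnostic fields from an `openssl s_client` transcript."""
    r = {"verify_errors": [], "chain": [], "protocol": None, "cipher": None,
         "key_bits": None, "verify_code": None, "verify_message": None}
    for line in text.splitlines():
        m = VERIFY_ERR_RE.match(line)
        if m:  # one line per failed check, in the order OpenSSL raised them
            r["verify_errors"].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = CHAIN_SUBJ_RE.match(line)
        if m:  # "N s:<subject>" opens a chain entry the server sent
            r["chain"].append({"subject": m.group(2).strip(), "issuer": None})
            continue
        m = CHAIN_ISS_RE.match(line)
        if m and r["chain"] and r["chain"][-1]["issuer"] is None:
            r["chain"][-1]["issuer"] = m.group(1).strip()
            continue
        for key, rx in (("protocol", PROTO_RE), ("cipher", CIPHER_RE)):
            m = rx.match(line)
            if m:
                r[key] = m.group(1)
        m = KEYBITS_RE.match(line)
        if m:
            r["key_bits"] = int(m.group(1))
        m = VERIFY_CODE_RE.match(line)
        if m:
            r["verify_code"], r["verify_message"] = int(m.group(1)), m.group(2)
    return r


def chain_gaps(chain):
    """Subjects whose issuer is neither themselves nor another cert the server sent."""
    sent = {c["subject"] for c in chain}
    return [c["subject"] for c in chain
            if c["issuer"] and c["issuer"] != c["subject"] and c["issuer"] not in sent]


def assess(parsed):
    """Turn the parsed fields into operator-facing findings (current standards)."""
    findings = []
    if parsed["verify_code"] not in (None, 0):
        findings.append("verify failed: code %d (%s)"
                        % (parsed["verify_code"], parsed["verify_message"]))
    for subj in chain_gaps(parsed["chain"]):
        findings.append("issuer of '%s' was not sent: the client must already trust "
                        "that CA, or the server omits an intermediate" % subj)
    cipher = parsed["cipher"] or ""
    if any(tok in cipher for tok in ("DES", "RC4", "EXP", "NULL")):
        findings.append("cipher %s is weak by current standards" % cipher)
    if parsed["key_bits"] is not None and parsed["key_bits"] < 2048:
        findings.append("server key is %d bits (below 2048)" % parsed["key_bits"])
    if parsed["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("protocol %s is deprecated" % parsed["protocol"])
    return findings


if __name__ == "__main__":
    for f in assess(parse_s_client(SAMPLE_S_CLIENT_OUTPUT)):
        print("-", f)
```

To use it on a live host, pipe `openssl s_client -connect host:443 < /dev/null` into `parse_s_client`; rerun with `-CAfile` pointing at the CA bundle to confirm that the remaining verify error, if any, is a real chain problem rather than the empty trust store of a bare `s_client` invocation.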
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]