Thanks Carl, I've noticed my problem goes away when I add the host name that
matches the host name on the crt installed on the ssl server (tintagel) into
the Windows "hosts" file. Currently the crt I am using is on the test host (and
will move to the production host). So when I fool the client into thinking that
tintagel is really www.barwonwater.vic.gov.au, all works.

Thanks for the info. I'll use it.

Carl D'Halluin wrote:

>Hello Christopher,
>
>I looked around on the www and this is our official statement towards our customers.
>Maybe you can re-use it :-)
>
>----
>SSL Problem with certain versions of Internet Explorer / Internet Information Server
>
>Certain versions of Internet Explorer contain bugs which
>cause an incompatibility with all servers having an SSL implementation based on
>openssl.
>This includes all Apache webservers and commercial products based on Apache, such
>as certain Oracle servers, Ubizen DMZ/Shield 3.0 and higher, and many other products.
>
>This bug may also affect certain low-crypto distributions of Internet Information
>Server.
>
>Typical error messages experienced by the clients are :
>  Internet Explorer 4.x
>    The server returned an invalid or unrecognized response
>  Internet Explorer 5.x
>    Cannot find server or DNS Error
>
>The bugs are caused by a certain Windows dll file, which influences all SSL software
>on the client machines (or on the IIS server machine). The bug has been around for
>more than two years, and Microsoft is well aware of this problem. They admit their
>mistake and have an entire support page dedicated to it, containing a patch.
>
>Customers experiencing problems with Internet Explorer when using SSL are recommended
>to go to the Microsoft patch page, and to install the fix.
>
>The bug and its patch are very clearly documented at
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247367
>---
>
>Greetings,
>
>Carl
>
>
>Christopher Taranto wrote:
>
>>Hi Carl,
>>
>>Unfortunately, I have had no luck in tracking down or fixing this
>>problem. And it's really a big problem in my opinion. I haven't had
>>enough time to really dig deep on using openssl to debug the connection
>>- but I don't really know what I would be looking for
>>specifically. Fortunately (I guess otherwise I would have a special bald
>>spot on my head!), I have access to a broken MSIE browser available in my
>>office that I can use to repeatedly test the server for errors - so there
>>is a way of trying to find the problem.
>>
>>Here is what I have tried:
>>
>>openssl s_server -accept 4443 -WWW -cert
>>/usr/local/apache/conf/ssl.crt/www.condoms.net.crt -key
>>/usr/local/apache/conf/ssl.key/www.condoms.net.key -state -debug
>>
>>When I use this, I get this:
>>
>>Using default temp DH parameters
>>ACCEPT
>>
>>and the system waits for me forever - and I am not sure what to put in.
>>
>>openssl s_client -connect condoms.net:443
>>
>>CONNECTED(00000003)
>>depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>verify error:num=20:unable to get local issuer certificate
>>verify return:1
>>depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>verify error:num=27:certificate not trusted
>>verify return:1
>>depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>verify error:num=21:unable to verify the first certificate
>>verify return:1
>>---
>>Certificate chain
>> 0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
>>---
>>Server certificate
>>-----BEGIN CERTIFICATE-----
>>-----END CERTIFICATE-----
>>subject=/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
>>---
>>No client certificate CA names sent
>>---
>>SSL handshake has read 1539 bytes and written 314 bytes
>>---
>>New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
>>Server public key is 1024 bit
>>SSL-Session:
>>    Protocol  : TLSv1
>>    Cipher    : EDH-RSA-DES-CBC3-SHA
>>    Session-ID: 2917B720C36856CC4B2CB63951F9502C449D28905F58FFFF56BF2418AA916E74
>>    Session-ID-ctx:
>>    Master-Key: 8DB2F877627C8AEE402DBC388F9ACB72C397637E70C87D43AFD7735E2949827C4AAFA6903D88BA7F3B99AFBFAD5BECE4
>>    Key-Arg   : None
>>    Start Time: 1015525852
>>    Timeout   : 300 (sec)
>>    Verify return code: 21 (unable to verify the first certificate)
>>---
>>
>>
>>Seems like Microsoft deliberately put some broken SSL implementation in
>>
>>Seems pretty amazing to me that all of the commercial servers that use
>>mod_ssl as a base would or wouldn't have this same issue - but I have not
>>heard of any problems like this with other apache servers like Raven,
>>Stronghold, etc... Maybe there are problems - but I have not been able to
>>find any mention of them. And, it seems very convenient to MS in light of
>>their IIS market share :-)
>>
>>My server configuration has already been posted in a previous message (let
>>me know if you need me to repost it).
>>
>>Let me know if any of this makes sense to you or if you have any ideas.
>>
>>Sincerely,
>>
>>Christopher Taranto
>>
>>At 10:52 AM 3/6/02 +0100, you wrote:
>>
>>>Hello,
>>>
>>>I read your entries in a newsgroup.
>>>I am having exactly the same problem, and I don't want to tell my users
>>>"upgrade your browser, or use netscape".
>>>
>>>I wonder whether you finally found a solution to this embarrassing
>>>problem.
>>>Seems like Microsoft deliberately put some broken SSL implementation in
>>>their browser, in order to kill apache / openssl...
>>>
>>>Thx
>>>
>>>Carl D'Halluin
>>>Security Engineer.
>>>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                            [EMAIL PROTECTED]
>Automated List Manager                               [EMAIL PROTECTED]
>

-- 
regards,
Christopher Welsh
System Administrator,      Voice:  +61 03 52262385
Barwon Water, Geelong,     Mobile: 0409 562968
3220, Vic, Australia       Fax:    +61 03 52210094
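The check behind the fix in the top message (the client accepts the connection only when the name it was asked to connect to matches a name in the server certificate), written out as an added example that is not code from the thread or from mod_ssl/OpenSSL. The names are constructed from the thread; the SAN-before-CN rule and the wildcard limits are the modern generalisation of the CN-only certificates shown here and are an assumption of the example, not something the thread states.

```python
# Added example (not from the thread): the hostname check a TLS client performs
# against the certificate's names; it is why "tintagel" fails against a
# certificate issued to www.barwonwater.vic.gov.au until the hosts file makes
# the two names agree. All names below are constructed from the thread.

def _label_pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is honoured only as the whole left-most label, only when the
    pattern has at least three labels (so "*.net" never matches), and it
    covers exactly one label ("*.example.org" does not match a.b.example.org).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(subject_cn: str, san_dns=()) -> list:
    """Names a client compares against: SAN dNSNames when present, else the CN.

    The certificates in the thread carry only a CN, so san_dns is empty for
    them; preferring the SAN is the modern rule (an assumption here).
    """
    return list(san_dns) if san_dns else [subject_cn]


def hostname_matches(connect_host: str, subject_cn: str, san_dns=()) -> bool:
    return any(_label_pattern_matches(name, connect_host)
               for name in certificate_names(subject_cn, san_dns))


def diagnose(connect_host: str, subject_cn: str, san_dns=()) -> str:
    """Report the result in the terms the thread uses."""
    if hostname_matches(connect_host, subject_cn, san_dns):
        return "ok: %s matches the certificate" % connect_host
    names = ", ".join(certificate_names(subject_cn, san_dns))
    return ("mismatch: connected to %r but the certificate is for %s; connect "
            "using the certificate's name (DNS or a hosts entry) or install a "
            "certificate issued for %r" % (connect_host, names, connect_host))


if __name__ == "__main__":
    print(diagnose("tintagel", "www.barwonwater.vic.gov.au"))  # before the hosts entry
    print(diagnose("condoms.net", "www.condoms.net"))  # s_client was pointed at the bare domain
```

Note that the s_client run quoted above connected to condoms.net while the certificate's CN is www.condoms.net; a browser applying this check would reject that pairing regardless of the IE bug Carl describes.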
