Hello Bertie,
Thanks for providing this patch!
I've been testing it but have been unsuccessful in getting it
to work. I'll provide my setup here; perhaps somebody could
point out some things I've been doing wrong?
Server: Apache 1.3.9/mod_ssl 2.4.9/OpenSSL 0.9.4 on NT4SP6a
Client: IE501 on NT4SP6a
We've a top root signed by the Microsoft SGC root in all IE5.01s
(or SP6). I issued a certificate (sgctest.globalsign.net) under
our Secure Server root (signed by Primary Secure Server,
this signed by GlobalSign top root and finally signed by
Microsoft SGC). I modified the hosts file (\winnt\system32\drivers\etc)
to have a mapping for sgctest.globalsign.net. All root
certificates and the final server certificate have the required extension
extended key usage with the correct values (I think).
I've included the interesting parts of httpd.conf and ssl_engine.log
at the end...
Could anybody provide help here?
Thanks,
Christian.
httpd.conf (interesting parts)
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl_engine_log
SSLLogLevel info
<VirtualHost 192.168.255.1:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot c:\Apache\htdocs
ServerName sgctest.globalsign.net
ErrorLog c:\Apache\logs\error.log
CustomLog c:\Apache\logs\access.log combined
SSLEngine on
SSLCertificateFile c:\Apache\conf\ssl.crt\sgctestglobalsignnet.crt
SSLCertificateKeyFile c:\Apache\conf\ssl.key\sgctestglobalsignnet.key
SSLCertificateChainFile c:\Apache\conf\ssl.crt\sgcca.crt
SSLVerifyClient none
SSLOptions +ExportCertData +StdEnvVars +StrictRequire +OptRenegotiate
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLLog c:\Apache\logs\ssl_engine.log
SSLLogLevel debug
SSL logfile (interesting part)
[01/Jan/2000 15:28:56 00045] [info] Init: Loading certificate & private key
of SSL-aware server sgctest.globalsign.net:443
[01/Jan/2000 15:28:56 00045] [trace] Init: (sgctest.globalsign.net:443)
unencrypted RSA private key - pass phrase not required
[01/Jan/2000 15:29:03 00045] [info] Init: Configuring server
sgctest.globalsign.net:443 for SSL protocol
[01/Jan/2000 15:29:03 00045] [trace] Init: (sgctest.globalsign.net:443)
Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[01/Jan/2000 15:29:03 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server certificate
[01/Jan/2000 15:29:03 00045] [info] Init: (sgctest.globalsign.net:443) RSA
server certificate enables Server Gated Cryptography (SGC)
[01/Jan/2000 15:29:03 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server private key
[01/Jan/2000 15:29:03 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring server certificate chain (3 CA certificates)
[01/Jan/2000 15:29:04 00045] [info] Init: Configuring server
sgctest.globalsign.net:443 for SSL protocol
[01/Jan/2000 15:29:04 00045] [trace] Init: (sgctest.globalsign.net:443)
Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[01/Jan/2000 15:29:04 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server certificate
[01/Jan/2000 15:29:04 00045] [info] Init: (sgctest.globalsign.net:443) RSA
server certificate enables Server Gated Cryptography (SGC)
[01/Jan/2000 15:29:04 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server private key
[01/Jan/2000 15:29:04 00045] [trace] Init: (sgctest.globalsign.net:443)
Configuring server certificate chain (3 CA certificates)
[01/Jan/2000 15:29:04 00267] [info] Init: Loading certificate & private key
of SSL-aware server sgctest.globalsign.net:443
[01/Jan/2000 15:29:04 00267] [trace] Init: (sgctest.globalsign.net:443)
unencrypted RSA private key - pass phrase not required
[01/Jan/2000 15:29:17 00267] [info] Init: Configuring server
sgctest.globalsign.net:443 for SSL protocol
[01/Jan/2000 15:29:17 00267] [trace] Init: (sgctest.globalsign.net:443)
Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[01/Jan/2000 15:29:17 00267] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server certificate
[01/Jan/2000 15:29:17 00267] [info] Init: (sgctest.globalsign.net:443) RSA
server certificate enables Server Gated Cryptography (SGC)
[01/Jan/2000 15:29:17 00267] [trace] Init: (sgctest.globalsign.net:443)
Configuring RSA server private key
[01/Jan/2000 15:29:17 00267] [trace] Init: (sgctest.globalsign.net:443)
Configuring server certificate chain (3 CA certificates)
[01/Jan/2000 15:29:59 00267] [info] Connection to child 0 established
(server sgctest.globalsign.net:443, client 192.168.255.1)
[01/Jan/2000 15:29:59 00267] [trace] Seeding PRNG with 1032 bytes of entropy
[01/Jan/2000 15:29:59 00267] [trace] OpenSSL: Handshake: start
[01/Jan/2000 15:29:59 00267] [trace] OpenSSL: Loop: before/accept
initialization
[01/Jan/2000 15:29:59 00267] [debug] OpenSSL: read 7/7 bytes from
BIO#00546C50 [mem: 00A24218] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 80 2b 01 03 01 00 12 .+..... |
+-------------------------------------------------------------------------+
[01/Jan/2000 15:29:59 00267] [debug] OpenSSL: read 38/38 bytes from
BIO#00546C50 [mem: 00A2421F] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 00 00 00 10 00 00 64 00-00 62 00 00 03 00 00 06 ......d..b...... |
| 0010: 02 00 80 04 00 80 80 e2-c8 7b 7f 7f b5 7c e9 36 .........{...|.6 |
| 0020: 37 92 d8 bf 3c d3 7...<. |
+-------------------------------------------------------------------------+
[01/Jan/2000 15:29:59 00267] [trace] OpenSSL: Loop: SSLv3 read client hello
A
[01/Jan/2000 15:29:59 00267] [trace] OpenSSL: Loop: SSLv3 write server hello
A
[01/Jan/2000 15:29:59 00267] [debug] OpenSSL: write 1024/1024 bytes to
BIO#00546C50 [mem: 00A31248] (BIO dump follows)
[01/Jan/2000 15:30:00 00267] [debug] OpenSSL: write 2555/2555 bytes to
BIO#00546C50 [mem: 00A2CDE1] (BIO dump follows)
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Loop: SSLv3 write certificate
A
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Loop: SSLv3 write key exchange
A
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Loop: SSLv3 write server done
A
[01/Jan/2000 15:30:02 00267] [debug] OpenSSL: write 219/219 bytes to
BIO#00546C50 [mem: 00A31248] (BIO dump follows)
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Jan/2000 15:30:02 00267] [debug] OpenSSL: read 5/5 bytes from
BIO#00546C50 [mem: 00A24218] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 16 03 01 00 41 ....A |
+-------------------------------------------------------------------------+
[01/Jan/2000 15:30:02 00267] [debug] OpenSSL: read 65/65 bytes from
BIO#00546C50 [mem: 00A2421D] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 01 00 00 3d 03 01 05 a2-11 91 3d 24 ea b4 6f 96 ...=......=$..o. |
| 0010: 9e 7a df c5 c0 54 b3 3c-35 f4 b4 55 43 97 a9 75 .z...T.<5..UC..u |
| 0020: ef 5a 3f 32 d6 43 00 00-16 00 04 00 05 00 0a 00 .Z?2.C.......... |
| 0030: 80 00 81 00 80 00 09 00-64 00 62 00 03 00 06 01 ........d.b..... |
| 0041 - <SPACES/NULS>
+-------------------------------------------------------------------------+
[01/Jan/2000 15:30:02 00267] [debug] OpenSSL: write 7/7 bytes to
BIO#00546C50 [mem: 00A31248] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 15 03 01 00 02 02 0a ....... |
+-------------------------------------------------------------------------+
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Write: SSLv3 read client
certificate B
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Exit: error in SSLv3 read
client certificate B
[01/Jan/2000 15:30:02 00267] [trace] OpenSSL: Exit: error in SSLv3 read
client certificate B
[01/Jan/2000 15:30:02 00267] [error] SSL handshake failed (server
sgctest.globalsign.net:443, client 192.168.255.1) (OpenSSL library error
follows)
[01/Jan/2000 15:30:02 00267] [error] OpenSSL: error:14089106:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type
</VirtualHost>
----- Original Message -----
From: "Adrian Peck" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, December 21, 1999 6:23 PM
Subject: SGC support in OpenSSL
> Having found that the Microsoft SGC extensions to SSL were not implemented
> in openssl-0.9.4, I made some changes myself. However as you can see the
> changes are very hacky due to my wish to keep the changes as simple as
> possible.
>
> The basic problem is that IE4 or 5 will issue a client hello message
> immediately after receiving the server hello and server certificate if it
> finds that this certificate was a Server Gated Crypto ( SGC ) certificate.
> The 'point' of this is to change the cipher suites that are offered to the
> server without starting a new SSL session. My code peeks at the client
> message to check for a client hello and resets the SSL state to
> SSL_ST_ACCEPT if it spots one. The code is only visited if the SSL mode
> SSL_MODE_NCIPHER_SGC_HACK is set.
>
> I have supplied the 2 files which I have modified for your attention.
> In order to test any solution you will need to obtain an SGC certificate
> from Verisign with the CORRECT common name for the server it is running
> on.
> You will need an export version of IE version >= 4.
>
> I hope this is of interest
> Bertie
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
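
The three short BIO dumps in the log above can be decoded by hand. As an added example (not part of the original message, mod_ssl or OpenSSL; function names are illustrative), this parses the first SSLv2-format ClientHello, the second ClientHello that arrives after the server's flight, and the server's 7-byte reply, using byte strings copied from those dumps:

```python
import struct

# Bytes copied from the short BIO dumps in the log. The final 00 of the second
# hello is restored from the "<SPACES/NULS>" marker (65 bytes were read).
FIRST_HELLO = bytes.fromhex(
    "802b0103010012"
    "0000001000006400 0062000003000006"
    "02008004008080e2 c87b7f7fb57ce936"
    "3792d8bf3cd3")
SECOND_HELLO = bytes.fromhex(
    "1603010041"
    "0100003d030105a2 11913d24eab46f96"
    "9e7adfc5c054b33c 35f4b4554397a975"
    "ef5a3f32d6430000 1600040005000a00"
    "8000810080000900 6400620003000601"
    "00")
SERVER_REPLY = bytes.fromhex("1503010002020a")

# Only the codes needed to read this log; names follow the TLS/SSLv2 registries.
EXPORT = {
    0x0003: "RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0062: "RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
}
STRONG = {
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERTS = {10: "unexpected_message"}


def parse_v2_client_hello(data):
    """Return the 3-byte cipher specs of an SSLv2-format ClientHello as ints."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 1:
        raise ValueError("not an SSLv2-format ClientHello")
    if (((data[0] & 0x7F) << 8) | data[1]) + 2 != len(data):
        raise ValueError("record length mismatch")
    spec_len, _sid_len, _chal_len = struct.unpack(">HHH", data[5:11])
    specs = data[11:11 + spec_len]
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]


def parse_v3_client_hello(record):
    """Return the 2-byte cipher suites of an SSLv3/TLS ClientHello record."""
    ctype, _major, _minor, rlen = struct.unpack(">BBBH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or len(body) != rlen or body[0] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session id length + session id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    return [int.from_bytes(body[i:i + 2], "big")
            for i in range(pos, pos + cs_len, 2)]


def parse_alert(record):
    """Return (level, description) of a TLS alert record."""
    if record[0] != 21 or len(record) != 7:
        raise ValueError("not an alert record")
    return record[5], record[6]


def diagnose(first, second, reply):
    offered_1 = parse_v2_client_hello(first)
    offered_2 = parse_v3_client_hello(second)
    level, desc = parse_alert(reply)
    return {
        "first_hello_export_only": all(c in EXPORT for c in offered_1),
        "step_up_suites": [STRONG[c] for c in offered_2
                           if c in STRONG and c not in offered_1],
        "server_alert": ("fatal" if level == 2 else "warning",
                         ALERTS.get(desc, str(desc))),
    }


if __name__ == "__main__":
    print(diagnose(FIRST_HELLO, SECOND_HELLO, SERVER_REPLY))
```

The first hello lists only export-grade suites, the second adds the 128-bit RC4 and 3DES suites, and the server's reply is a fatal `unexpected_message` alert, which lines up with the `wrong message type` error logged for `SSL3_GET_CLIENT_CERTIFICATE`.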