I'm not really sure whether this qualifies as -dev or -users, since it's
code related, but... oh well, I flipped a coin and you guys won (lost?) the
toss.

Back story:
I have a 128bit (SGC enabled) key from verisign, running under Apache
using mod_ssl and the SSLCertificateChainFile command to get the
intermediate certificate in place. This works perfectly with no problems.
However I need to be able to use this key under stunnel or similar now,
and this is where problems arise. Initially stunnel had no equivalent to
the SSLCertificateChainFile command/switch. This was easily solved by
hunting through the mod_ssl code, checking what it did, checking back a
few other places and then patching the code into stunnel. This works fine,
with the intermediate cert being added in correctly. Netscape promptly has
no problems and accesses the connection without issue, stepping up to
128bit.

Problem:
However, as per usual, IE is not willing to play ball. Netscape, when
connecting (40bit or 128bit) produces the following log output:

LOG7[25000:5122]: Remote host connected
LOG7[25000:5122]: server connection
LOG7[25000:5122]: before/accept initialization
LOG7[25000:5122]: before/accept initialization
LOG7[25000:5122]: SSLv3 read client hello A
LOG7[25000:5122]: SSLv3 write server hello A
LOG7[25000:5122]: SSLv3 write certificate A
LOG7[25000:5122]: SSLv3 write server done A

It then proceeds with the rest of the connection. IE (version 4.72, 40bit)
generates the following:

LOG7[24957:2050]: Remote host connected
LOG7[24957:2050]: server connection
LOG7[24957:2050]: before/accept initialization
LOG7[24957:2050]: before/accept initialization
LOG7[24957:2050]: SSLv3 read client hello B
LOG7[24957:2050]: SSLv3 read client hello B
LOG7[24957:2050]: SSLv3 read client hello B
LOG3[24957:2050]: SSL_accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
LOG7[24957:2050]: 192.168.1.3.85 finished (0 left)

and fails to work :) (The key is RSA, changing the list of ciphers makes no difference)

I have several questions, while I am aware that it can't really be the
fault of openssl, since mod_ssl uses that and it manages to work, you guys
know this stuff way better than me and it has proved hard going to figure
out what has gone wrong. I attempted to investigate the difference in
negotiation within the openssl code, but could not for the life of me
figure out how the state could switch from begin/accept to hello B without
first passing through hello A, so I concluded that the code requires more
understanding of the process than I currently have.

My primary question is, is there anything I might be failing to initialise
that might be causing this? It can't be anything I actually _do_ since I
just call SSL_accept and it breaks in there, but there must be something
I've failed to set up correctly. I have looked through the mod_ssl code to
see how they did it, but after several hours of trying various things I
have not found the cause of the problem, despite both programs proving to
be fairly easy to follow (mod_ssl is pretty big though, so I could quite
easily have missed something).

My other question is, is there anything I could do to generate more
accurate logs to diagnose the problem. There doesn't seem to be within
stunnel, I could get a packet dump but then I'd have to figure out how to
read it, and the openssl s_client program connects perfectly, depriving me
of the logs I would need. I couldn't get s_server working with the
intermediate key in order to try and get a trace off that.

Richard.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
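The packet dump the poster mentions is readable with very little code. An SSL_accept failure of "no shared cipher" means that none of the cipher suites listed in the ClientHello is in the server's enabled list, so the useful thing to pull out of a capture is exactly that list. The following is an added example, written for this page and not code from the original post, stunnel, mod_ssl or OpenSSL. It parses a ClientHello in both wire formats a browser of that era could send: a native SSLv3 record, and the SSLv2-compatible ClientHello that pre-TLS clients used when talking to a version-flexible server (OpenSSL's SSLv23 accept path understands both). It then intersects the offered suites with a server list. The two hellos and the server cipher list are constructed for the example; the server list is an assumption, not stunnel's or mod_ssl's actual configuration, and the names in the tables follow OpenSSL's usual conventions for the suites they cover.

```python
"""Added example: read the cipher suites out of a captured ClientHello.

A "no shared cipher" failure means none of the suites the client offered
is in the server's enabled list. This parses both wire formats an old
browser might use: a native SSLv3/TLS record and the SSLv2-compatible
ClientHello that pre-TLS clients sent to version-flexible servers.
The sample hellos and the server list below are constructed, not captured.
"""
import struct

# SSLv3/TLS cipher-suite codes (2 bytes) for the suites that matter here,
# including the 40-bit export suites an export-grade browser would offer.
V3_SUITES = {
    0x0003: "EXP-RC4-MD5",
    0x0004: "RC4-MD5",
    0x0005: "RC4-SHA",
    0x0006: "EXP-RC2-CBC-MD5",
    0x0008: "EXP-DES-CBC-SHA",
    0x0009: "DES-CBC-SHA",
    0x000A: "DES-CBC3-SHA",
}
# SSLv2-only cipher specs (3 bytes, non-zero top byte). A v3 suite carried in
# a v2-format hello is encoded as 0x00 followed by its 2-byte code.
V2_SUITES = {
    0x010080: "SSL2-RC4-128-MD5",
    0x020080: "SSL2-EXP-RC4-40-MD5",
    0x030080: "SSL2-RC2-128-CBC-MD5",
    0x040080: "SSL2-EXP-RC2-40-CBC-MD5",
    0x060040: "SSL2-DES-64-CBC-MD5",
    0x0700C0: "SSL2-DES-192-EDE3-CBC-MD5",
}


def suite_name(code):
    table = V2_SUITES if code > 0xFFFF else V3_SUITES
    return table.get(code, "unknown-0x%06X" % code)


def parse_v3_client_hello(data):
    """Native SSLv3/TLS: 5-byte record header, then a Handshake(ClientHello)."""
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    client_version = struct.unpack(">H", hs[0:2])[0]
    off = 2 + 32                      # skip the 32-byte client random
    off += 1 + hs[off]                # skip session_id (length-prefixed)
    cs_len = struct.unpack(">H", hs[off:off + 2])[0]
    off += 2
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return {"format": "v3", "version": client_version, "suites": suites}


def parse_v2_client_hello(data):
    """SSLv2-format ClientHello: 2-byte header (high bit set), then the message."""
    if not data[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + length]
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    version = struct.unpack(">H", msg[1:3])[0]        # 0x0300 = SSLv3 offered in v2 framing
    cs_len, _sid_len, _chal_len = struct.unpack(">HHH", msg[3:9])
    specs = msg[9:9 + cs_len]
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {"format": "v2", "version": version, "suites": suites}


def parse_client_hello(data):
    """Dispatch on the first byte: 0x16 is a v3 record, a set high bit is v2 framing."""
    if data[0] == 0x16:
        return parse_v3_client_hello(data)
    if data[0] & 0x80:
        return parse_v2_client_hello(data)
    raise ValueError("unrecognised record header 0x%02X" % data[0])


def shared_ciphers(offered, server_enabled):
    """Suites the server can pick; an empty list is what 'no shared cipher' means."""
    return [c for c in offered if c in server_enabled]


# --- constructed samples (not captured traffic) -----------------------------
def build_v3_hello(suites):
    hs = struct.pack(">H", 0x0300) + b"\x11" * 32 + b"\x00"            # version, random, empty sid
    hs += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    hs += b"\x01\x00"                                                   # one compression method: null
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x00" + struct.pack(">H", len(body)) + body


def build_v2_hello(specs):
    spec_bytes = b"".join(s.to_bytes(3, "big") for s in specs)
    challenge = b"\x22" * 16
    msg = b"\x01" + struct.pack(">HHHH", 0x0300, len(spec_bytes), 0, len(challenge))
    msg += spec_bytes + challenge
    return bytes([0x80 | (len(msg) >> 8), len(msg) & 0xFF]) + msg


# A 128-bit Netscape-style hello in native v3 framing (constructed).
NETSCAPE_HELLO = build_v3_hello([0x0004, 0x0005, 0x000A, 0x0003])
# An export-grade IE-style hello in v2 framing offering 40-bit suites only (constructed).
IE_HELLO = build_v2_hello([0x000003, 0x000006, 0x000008, 0x020080, 0x040080])
# Assumed server cipher list with no export suites enabled (hypothetical, not stunnel's).
SERVER_ENABLED = {0x0004, 0x0005, 0x0009, 0x000A}

if __name__ == "__main__":
    for label, raw in (("netscape", NETSCAPE_HELLO), ("ie", IE_HELLO)):
        hello = parse_client_hello(raw)
        print(label, hello["format"], "version 0x%04X" % hello["version"])
        print("  offered:", [suite_name(c) for c in hello["suites"]])
        print("  shared :", [suite_name(c) for c in shared_ciphers(hello["suites"], SERVER_ENABLED)])
```

Run it and the constructed export-grade hello comes back with an empty shared list while the 128-bit hello does not, which is the comparison worth making against a real capture: feed the first record the client sends into parse_client_hello and compare the suites against whatever list the server was actually built or configured with.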