Hi,

Thanks for the info. Indeed the cert shows this:

 X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
 Signature Algorithm: md5WithRSAEncryption

Tried what you suggested with no better luck.  I'm also seeing this error
in the site's error log:

[error] mod_ssl: SSL handshake failed
[error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
[error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
[error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

Any further light you can shed is much appreciated.

--
Jeff

On Thu, 9 Mar 2000, Dr Stephen Henson wrote:

> Jeff Stewart wrote:
> > 
> > Hi,
> > 
> > I've seen this issue raised before but have been unable to find an
> > answer.  I have an SSL enabled Apache server running on Solaris.
> > 
> > Details:  Solaris 2.6, Apache 1.3.12 + openssl-0.9.5 + mod_ssl-2.6.2
> >           running on a Sun Netra T1.
> > 
> > We have a Verisign Global ID.  Any/all netscape clients have no
> > problem.  Mac IE4.01 has no problems.  Haven't been able to test the x86
> > version of IE4.x.
> > 
> 
> Have a look at the server certificate with:
> 
> openssl x509 -in cert.pem -text
> 
> There should be an extension called "extended key usage": check to see
> what it says. If it says Microsoft SGC and Netscape SGC then there
> shouldn't be a problem. If it just says Netscape SGC then you may hit an
> IE5 bug.
> 
> When IE5 uses Netscape SGC (more correctly called "step up") it doesn't
> always work unless it switches from 40 bit RC4 to 128 bit RC4. If it
> tries via the new 56 bit ciphers or using 3DES it may well fail.
> 
> The solution is to disable all but 40 and 128 bit RC4 in the server. You
> can do this by setting the cipher string to:
> 
> RC4:!EXP56:@STRENGTH
> 
> Steve.
> 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
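
The extended key usage check described in the quoted reply, as an added example that is not part of the original thread: a POSIX shell function that reads `openssl x509 -in cert.pem -text` output on stdin and reports which SGC usages the certificate carries. The function names, the result labels and the sample text are constructed for illustration; "Microsoft Server Gated Crypto" is the long name OpenSSL prints for the Microsoft SGC usage.

```shell
#!/bin/sh
# Usage: openssl x509 -in cert.pem -text | sgc_status
# Prints one of: no-eku, no-sgc, netscape-sgc-only, microsoft-sgc-only, both-sgc

sgc_status() {
    # The extension value is printed on the line after its header
    # (the header may carry a trailing "critical").
    eku=$(awk '
        /X509v3 Extended Key Usage:/ { grab = 1; next }
        grab { gsub(/^[ \t]+/, ""); print; exit }
    ')
    if [ -z "$eku" ]; then
        echo no-eku
        return 0
    fi
    ns=no
    ms=no
    case $eku in *"Netscape Server Gated Crypto"*) ns=yes ;; esac
    case $eku in *"Microsoft Server Gated Crypto"*) ms=yes ;; esac
    case $ns$ms in
        yesyes) echo both-sgc ;;            # reply: "there shouldn't be a problem"
        yesno)  echo netscape-sgc-only ;;   # reply: "you may hit an IE5 bug"
        noyes)  echo microsoft-sgc-only ;;
        *)      echo no-sgc ;;
    esac
}

# Constructed sample: the fragment Jeff quotes from his certificate.
sample_ns_only() {
    cat <<'EOF'
 X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
 Signature Algorithm: md5WithRSAEncryption
EOF
}

# Constructed sample: a certificate carrying both SGC usages.
sample_both() {
    cat <<'EOF'
 X509v3 Extended Key Usage: critical
                Microsoft Server Gated Crypto, Netscape Server Gated Crypto
 Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_ns_only | sgc_status
sample_both | sgc_status
```
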
