I am not sure if this is indeed the source of the problem, but to deal with export browsers with a 1024-bit certificate, one needs to generate a temporary key 512-bits long, since that's all those browsers can handle. In openssl, one does this using SSL_CTX_set_tmp_rsa_callback(...) Arun. "If you torture data long enough, it will admit anything you want.." **************************************************************** This message is for the named person(s) use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. SPEEDERA NETWORKS, INC. reserves the right to monitor all e-mail communications through its network. -----Original Message----- From: Levy itai <[EMAIL PROTECTED]> To: 'openssl' <[EMAIL PROTECTED]> Date: Thursday, August 24, 2000 6:15 AM Subject: RE: Netscape 4.5 Bug ? >Hi, > >I investigated this issue a little bit more. >With a certificate that was generated form a 512 bit RSA key everything is >working fine. >With 1024 bit certificates there is a bug. > >Does anyone has an idea why ? > >Itai Levy, >Software Developer R&D >Algorithmic Research Ltd. ( Data Security Across the Enterprise ) >10 Nevatim st., Kiryat Matalon >Petah Tikva 49561 >Israel > >Tel: +972-3-9279514 >e-mail:[EMAIL PROTECTED] >http://www.arx.com > > > >-----Original Message----- >From: Alex Gulyansky [mailto:[EMAIL PROTECTED]] >Sent: Wednesday, August 23, 2000 10:40 PM >To: [EMAIL PROTECTED] >Subject: Re: Netscape 4.5 Bug ? > > >Hi, > >I'm getting the same error with 4.5, 4.73, and 4.74 versions of the >Netscape browser. >MS IE seems to be working normally. > >This occurs with any newly generated certificate that is not included >with the OpenSSL distribution. If the server.pem certificate is used, >then both browsers work normally. > >If I find something, I'll let you know! >Thanks >Alex > > >--------------------------------------------------------------------------- - >---- > >Hi, >I need help very urgent !!! > >I have a problem connecting with a Netscape 4.5 browser to an Openssl >server >using ssl v.23. > >I get the following error on the browser: "Netscape has encountered bad >data >from the server". > >When I run the s_server from apps in the following way: openssl s_server > >-cert webcert.pem -debug -key webkey.pem -accept 443 -www >in order to debug the problem, I get the same symptoms and the same >error on >the browser. > >With other Netscape and IE browsers eberything is working fine. > >Is there a known bug using Netscape version 4.5 ? > >If I enable only SSL 2 on the browser then everything works fine. > >Following the output debug information I get: > >Using default temp DH parameters >ACCEPT >read from 00CFCA00 [010E9A58] (11 bytes => 11 (0xB)) >0000 - 80 25 01 03 00 00 0c 00-00 00 10 .%......... >read from 00CFCA00 [010E9A63] (28 bytes => 28 (0x1C)) >0000 - 02 00 80 04 00 80 00 00-03 00 00 06 7f a2 d0 52 >...............R >0010 - c9 2b 86 2c 5b a1 00 e9-93 cc 65 .+.,[.....e >001c - <SPACES/NULS> >before ssl3_get_client_hello() >after ssl3_get_client_hello() success >before ssl3_send_server_hello() >after ssl3_send_server_hello() success >write to 00CFCA00 [00CD61F0] (79 bytes => 79 (0x4F)) >0000 - 16 03 00 00 4a 02 00 00-46 03 00 39 97 d1 e4 cd >....J...F..9.... >0010 - f4 57 d3 60 25 50 1c 74-64 7b e4 fe 86 cd 22 34 >.W.`%P.td{...."4 >0020 - 4a 79 fd 1b 02 9b 07 40-da 76 84 20 c2 db 76 97 Jy.....@.v. >..v. >0030 - ba c3 07 05 88 cb 84 6d-8f 72 f0 4b dd b5 2f f2 >.......m.r.K../. >0040 - f1 f9 09 95 96 4c 84 e4-2a 42 9b f8 00 03 .....L..*B.... >004f - <SPACES/NULS> >before ssl3_send_server_certificate() >before ssl3_send_server_certificate() success >write to 00CFCA00 [00CD61F0] (769 bytes => 769 (0x301)) >0000 - 16 03 00 02 fc 0b 00 02-f8 00 02 f5 00 02 f2 30 >...............0 >0010 - 82 02 ee 30 82 02 57 a0-03 02 01 02 02 03 01 32 >...0..W........2 >0020 - 8a 30 0d 06 09 2a 86 48-86 f7 0d 01 01 04 05 00 >.0...*.H........ >0030 - 30 81 c4 31 0b 30 09 06-03 55 04 06 13 02 5a 41 >0..1.0...U....ZA >0040 - 31 15 30 13 06 03 55 04-08 13 0c 57 65 73 74 65 >1.0...U....Weste >0050 - 72 6e 20 43 61 70 65 31-12 30 10 06 03 55 04 07 rn >Cape1.0...U.. >0060 - 13 09 43 61 70 65 20 54-6f 77 6e 31 1d 30 1b 06 ..Cape >Town1.0.. >0070 - 03 55 04 0a 13 14 54 68-61 77 74 65 20 43 6f 6e .U....Thawte >Con >0080 - 73 75 6c 74 69 6e 67 20-63 63 31 28 30 26 06 03 sulting >cc1(0&.. >0090 - 55 04 0b 13 1f 43 65 72-74 69 66 69 63 61 74 69 >U....Certificati >00a0 - 6f 6e 20 53 65 72 76 69-63 65 73 20 44 69 76 69 on Services >Divi >00b0 - 73 69 6f 6e 31 19 30 17-06 03 55 04 03 13 10 54 >sion1.0...U....T >00c0 - 68 61 77 74 65 20 53 65-72 76 65 72 20 43 41 31 hawte Server >CA1 >00d0 - 26 30 24 06 09 2a 86 48-86 f7 0d 01 09 01 16 17 >&0$..*.H........ >00e0 - 73 65 72 76 65 72 2d 63-65 72 74 73 40 74 68 61 >server-certs@tha >00f0 - 77 74 65 2e 63 6f 6d 30-1e 17 0d 30 30 30 37 31 >wte.com0...00071 >0100 - 39 31 32 31 35 35 31 5a-17 0d 30 31 30 38 30 32 >9121551Z..010802 >0110 - 31 32 31 35 35 31 5a 30-81 80 31 0b 30 09 06 03 >121551Z0..1.0... >0120 - 55 04 06 13 02 49 4c 31-0f 30 0d 06 03 55 04 08 >U....IL1.0...U.. >0130 - 13 06 49 73 72 61 65 6c-31 14 30 12 06 03 55 04 >..Israel1.0...U. >0140 - 07 13 0b 50 65 74 61 68-20 54 69 6b 76 61 31 1e ...Petah >Tikva1. >0150 - 30 1c 06 03 55 04 0a 13-15 41 6c 67 6f 72 69 74 >0...U....Algorit >0160 - 68 6d 69 63 20 52 65 73-65 61 72 63 68 20 31 14 hmic Research >1. >0170 - 30 12 06 03 55 04 0b 13-0b 50 72 69 76 61 74 65 >0...U....Private >0180 - 57 69 72 65 31 14 30 12-06 03 55 04 03 13 0b 77 >Wire1.0...U....w >0190 - 65 62 2e 61 72 78 2e 63-6f 6d 30 81 9f 30 0d 06 >eb.arx.com0..0.. >01a0 - 09 2a 86 48 86 f7 0d 01-01 01 05 00 03 81 8d 00 >.*.H............ >01b0 - 30 81 89 02 81 81 00 e7-bb 50 55 cf d6 10 28 4a >0........PU...(J >01c0 - 90 ed 30 34 2d ce e9 bc-2f 5e be 43 73 6f 1b 1c >..04-.../^.Cso.. >01d0 - 91 98 dc 9c b2 fe 3f 63-1a 5a c7 da 19 92 bc 85 >......?c.Z...... >01e0 - ec c7 ee a2 d9 85 7d bd-ff d8 f1 7f f6 5a 70 7e >......}......Zp~ >01f0 - 95 73 b3 36 1d 64 ca 92-71 dd 83 eb 50 16 a2 8f >.s.6.d..q...P... >0200 - 7f 4d 13 3d fd b5 8f 14-1e d3 77 3c a7 f9 c7 94 >.M.=......w<.... >0210 - ac 08 b7 42 f3 58 34 e6-fa a6 4a 41 33 1f a2 8a >...B.X4...JA3... >0220 - d7 27 89 4b c0 59 d5 5c-ac 4a a8 ad fc 72 c0 23 >.'.K.Y.\.J...r.# >0230 - 79 2d 45 ec 00 53 e7 02-03 01 00 01 a3 30 30 2e >y-E..S.......00. >0240 - 30 1e 06 03 55 1d 25 04-17 30 15 06 08 2b 06 01 >0...U.%..0...+.. >0250 - 05 05 07 03 01 06 09 60-86 48 01 86 f8 42 04 01 >.......`.H...B.. >0260 - 30 0c 06 03 55 1d 13 01-01 ff 04 02 30 00 30 0d >0...U.......0.0. >0270 - 06 09 2a 86 48 86 f7 0d-01 01 04 05 00 03 81 81 >..*.H........... >0280 - 00 bc 4a 9d 31 26 fb 82-9d 13 26 b2 03 21 a8 f0 >..J.1&....&..!.. >0290 - 77 f1 bc 0a 73 41 f2 95-80 44 e5 14 36 47 ab 0b >w...sA...D..6G.. >02a0 - 32 57 b2 fb 36 e0 69 7a-72 01 c3 a2 e1 75 56 39 >2W..6.izr....uV9 >02b0 - 07 a3 36 ce 68 60 27 f7-1c dd d4 6f e5 c9 18 5b >..6.h`'....o...[ >02c0 - 23 7d 05 d1 cf 37 57 b0-27 6e 0a 4d 95 6d ea 46 >#}...7W.'n.M.m.F >02d0 - c7 19 a4 7a 42 a9 bb 8f-d2 28 9c 4a eb f3 23 c1 >...zB....(.J..#. >02e0 - 26 32 12 f7 ef f1 f9 28-58 c2 19 2a f2 d4 62 19 >&2.....(X..*..b. >02f0 - c9 74 14 17 be 8c df 8a-61 0f 60 15 34 d1 d5 67 >.t......a.`.4..g >0300 - e3 . >before ssl3_send_server_done() >after ssl3_send_server_done() success >write to 00CFCA00 [00CD61F0] (9 bytes => 9 (0x9)) >0000 - 16 03 00 00 04 0e ...... >0009 - <SPACES/NULS> >before ssl3_check_client_hello() >read from 00CFCA00 [010E9A58] (5 bytes => 5 (0x5)) >0000 - 15 03 00 00 02 ..... >read from 00CFCA00 [010E9A5D] (2 bytes => 2 (0x2)) >0000 - 01 . >0002 - <SPACES/NULS> > ERROR !!! >131:error:140780E5:SSL routines:SSL23_READ:ssl handshake >failure:.\ssl\s23_lib.c >:186: >ACCEPT > 0 items in the session cache > 0 client connects (SSL_connect()) > 0 client renegotiates (SSL_connect()) > 0 client connects that finished > 1 server accepts (SSL_accept()) > 0 server renegotiates (SSL_accept()) > 0 server accepts that finished > 0 session cache hits > 0 session cache misses > 0 session cache timeouts > 0 callback cache hits > 0 cache full overflows (128 allowed) > > >Please help !!! > >Itai Levy, >Software Developer R&D >Algorithmic Research Ltd. ( Data Security Across the Enterprise ) >10 Nevatim st., Kiryat Matalon >Petah Tikva 49561 >Israel > >Tel: +972-3-9279514 >e-mail:[EMAIL PROTECTED] >http://www.arx.com > > >______________________________________________________________________ >OpenSSL Project http://www.openssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
