Greetings!

We use openssl 0.9.8a, apache 1.3.34 with mod_ssl 2.8.25 (Debian etch). The URL we request requires a client certificate.

The command is:

    zsh% openssl s_client -cipher DHE-DSS-AES256-SHA -cert U_x_dsa_dsaparams.pem/cert.pem -key U_x_dsa_dsaparams.pem/seckey.pem -CAfile ca_dsa.pem -connect b-etch.vm.cryptocom.ru:444 -ign_eof

The result is:

    CONNECTED(00000003)
    depth=1 /C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
    verify return:1
    depth=0 /C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/[EMAIL PROTECTED]
    verify return:1
    ---
    Certificate chain
     0 s:/C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/[EMAIL PROTECTED]
       i:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
     1 s:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
       i:/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
    ---
    Server certificate
    subject=/C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/[EMAIL PROTECTED]
    issuer=/C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2126 bytes and written 247 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1
        Cipher : DHE-DSS-AES256-SHA
        Session-ID: E3EAF6401AF1F8157A2653118728FE9A15322C97FDCC8AFCB084326CE1C9C227
        Session-ID-ctx:
        Master-Key: DABB6DC00DA8A621316F9711263F13D9ED8DE59CC6A5F33800A4D7DCE0135132FF8D30148363A33CDF1C978CD4B974E2
        Key-Arg : None
        Start Time: 1133270656
        Timeout : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET /ssl_auth_test.html
    depth=1 /C=RU/L=Moscow/CN=DSA Test CA/O=Cryptocom/OU=OpenSSL CA/[EMAIL PROTECTED]
    verify return:1
    depth=0 /C=RU/O=Cryptocom/OU=OpenSSL team/CN=b-etch.vm.cryptocom.ru/[EMAIL PROTECTED]
    verify return:1
    4119:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:426:

The bug is reproduced about 4 times out of 5. When I add the -ssl3 key to the command line, I successfully get the page I request. openssl-0.9.7 s_client doesn't get an error anyway.

What's wrong?

Thank you!

--
SY, Dmitry Belyavsky (ICQ UIN 11116575)