HTTPS Unknown Error
Hi All,

I receive this error "HTTPS Unknown Error" with error code 500 from the Apache server when I try to make a PUT request through HTTPS. Are there any specific reasons for that? I have a test application which gets a 204 response from the same server but our live application gets a 500 response code. This seems confusing - anyone with help will be highly appreciated.

Regards,
NK

-Original Message-
From: Boyle Owen [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 7:43 AM
To: [EMAIL PROTECTED]
Subject: RE:

>-Original Message-
>From: Dave Paris [mailto:[EMAIL PROTECTED]
>
> snip... You claim to have spent two MONTHS trying to find what I found in under 10 SECONDS.

Er... the difference is that you recognised the problem immediately because you have seen it before. So you knew exactly what to type into Google.

If you put yourself in Ian's shoes, he was using the NBVH mechanism for ages and became very familiar with it. He then tried to extend it to SSL, which is a reasonable thing to do, and then was surprised that it didn't work. It is not blindingly obvious, a priori, what the problem is. In that case, it is not so obvious what to type into Google - you might not necessarily realise that the problem is to do with NBVH, especially if that is not the only thing you changed.

I am making this comment because I followed a very similar route to Ian in discovering this SSL limitation. In my case, I was tasked by my boss, who is a competent programmer, to "set up some NBVHs under SSL". It never occurred to me that my boss could have handed me an impossible task and I spent weeks trying to get it to work. In the end, it was this mailing list which enlightened me. Since then, I've tried to help out on the list, initially by explaining this issue whenever it came up but lately (since others also now do this quite ably), by chipping in whenever some bright spark reckons that he's found a workaround (it's a bit like debunking perpetual motion machine designs). Usually, he's forgotten about authentication and is using the same cert in all VHs...

Anyway, the point I'm making is that the original poster is obviously a seasoned hacker (he uses openssl from the command line!) and as such should be welcome on this list and congratulated for using mod_ssl... So could we be a bit friendlier please?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>That doesn't make me one bit of a better person than you... it just says that my mind works in a way that is different from yours. I'd wager there are certain tasks you accomplish quite easily that would take me some effort. It's the way us humans seem to be designed.
>
>Every once in awhile, it's a good thing to look at who we are and what we're good at and then review what we've chosen to do in life. Doing a job that meshes well with how you think can be all the difference between looking forward to a rewarding day at the office and a bruised forehead from repeatedly smashing your head against a wall in self-frustration. [ of course, I'm omitting the forehead bruising caused by external influences like PHBs ;-) ] As for the tone of your note .. life's tough, grab a helmet.
>
>Kind Regards,
>-dsp
>
>On Thursday, Aug 21, 2003, at 00:05 US/Eastern, Ian Newlands wrote:
>
>> If I hadn't already exhausted resources I would not have made this post in the first place. I have tried 3 different versions of apache, searched through previous postings, used search engines etc. bought 2 books on apache and have been attempting to get this going for almost 2 months now.
>>
>> I'm glad you're amused by my frustration here.
>>
>> If there is anyone out there that is willing to submit a serious response to this I would appreciate it greatly.
>>
>> Regards,
>>
>> Ian Newlands
>>
>>
>> - Original Message -
>> From: "Dave Paris" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Cc: "Ian Newlands" <[EMAIL PROTECTED]>
>> Sent: Thursday, August 21, 2003 11:58 AM
>> Subject: Re: virtual hosting
>>
>>
>>> geeze. is it that time of the month already for this question? seems like it was just yesterday when it was asked last .. maybe I'm just thinking of the other 100,000 times it was asked.
>>>
>>> in all seriousness, this dead horse has been beaten so many times on this list there isn't even a carcass left to hit at this point. please go dig through the mail list archives to see why name-based virtual hosts don't work with SSL.
>>>
>>> yes, that's a flippant answer. no, you're not likely to get a reply any more serious.
>>>
>>> -dsp
>>>
>>> On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:
>>>
>>> > I am currently running about 15 virtual hosts using name based on port 80, and 1 virtual host using SSL.
>>> >
>>> > My SSL host is currently working with the following:
File Acknowledgement
Hi All,

How can we know at server side in Apache that a GET or PUT request has been received and whether it failed or was successful? Can we somehow get the response code so that some script and/or tool at the server side can delete/archive the files which have been retrieved by the client in some specific folders? Is there any industry standard for such file acknowledgement?

Regards,
Nauman

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: SSL throws SSL23_GET_SERVER_HELLO error
Please see the following links:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg16205.html
http://forums.devshed.com/archive/15/2001/11/4/25897

Hope they help.

Regards,
Nauman
___
Citibank N.A., 111 Wall St., New York, NY
Ph: +1-212-657-1070 (w), +1-718-951-0508 (h)
Fax: +1-212-657-1645

-Original Message-
From: Arthur Chan [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 5:10 AM
To: [EMAIL PROTECTED]
Subject: SSL throws SSL23_GET_SERVER_HELLO error

Hi All.

When I run the following command line:

[ssl] # openssl s_client -connect localhost:443 -state -debug

I get this error message:

...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
...

Looking at line 460 of the source, it is exactly that error, no further clues available. Does anyone know more about it and want to help out?

Cheers.
Handshake Failed
Hi,

Please help on this issue with client authentication. I have made sure the client Issuer is in trusted CA list of server. All the certificates involved are correct, valid.

ssl log

[info] Connection to child 0 established (server cddfs1.nj.ssmb.com:443, client 199.67.140.20)
[info] Seeding PRNG with 1160 bytes of entropy
[error] Certificate Verification: Error (20): unable to get local issuer certificate
[error] SSL handshake failed (server cddfs1.nj.ssmb.com:443, client 199.67.140.20) (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

error log

Certificate Verification: Error (20): unable to get local issuer certificate
SSL handshake failed (server wert.npo.dfssmfrb.com:443, client abc.def.140.20) (OpenSSL library error follows)
OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Regards,
Nauman
___
Citibank N.A., 111 Wall St., New York, NY
Ph: +1-212-657-1070 (w), +1-718-951-0508 (h)
Fax: +1-212-657-1645
Handshake Issue ?
Hi all,

I am using Apache/1.3.27 Server with mod_ssl. I have the following questions and I will highly appreciate it if someone of you can spare some time for the answers.

1- I have specified a SSLCACertificateFile directive and have also required client authentication. When I try to access that directory through Internet Explorer, it does not ask me which client certificate to select but displays a message that I am accessing a private item, then asks for user name and password and then shows the Server Certificate Message - if I select YES then it displays the contents. As it is displaying the contents I am assuming that everything went fine. BUT why am I not getting a selection of client certificates - I have three different certs installed for the client.

2- How can I mention more than 1 CA as trusted CAs in the httpd.conf file?

The log shows the following:

[18/Jul/2003 15:43:16 22122] [info] Connection to child 0 established (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190)
[18/Jul/2003 15:43:16 22123] [info] Seeding PRNG with 1160 bytes of entropy
[18/Jul/2003 15:43:16 22122] [info] Seeding PRNG with 1160 bytes of entropy
[18/Jul/2003 15:43:16 22122] [info] Connection: Client IP: 168.109.64.190, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[18/Jul/2003 15:43:16 22122] [info] Initial (No.1) HTTPS request received for child 0 (server cddfs1.nj.ssmb.com:8443)
[18/Jul/2003 15:43:16 22122] [info] Connection to child 0 closed with unclean shutdown (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190)
[18/Jul/2003 15:43:16 22123] [info] Connection: Client IP: 168.109.64.190, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[18/Jul/2003 15:43:16 22123] [info] Initial (No.1) HTTPS request received for child 1 (server cddfs1.nj.ssmb.com:8443)
[18/Jul/2003 15:43:16 22123] [info] Connection to child 1 closed with unclean shutdown (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190)

I don't see any SSL handshake or verification for this transaction?

Any help will be highly appreciated.

Regards,
Nauman

-Original Message-
From: Shaun T. Erickson [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ANNOUNCE] mod_ssl 2.8.15 for Apache 1.3.28

Ihor Bilyy wrote:
> fix the link

Where are your manners? Say please next time.

-ste
RE: Erro Code: -8182
Ronald,

The problem looks like your server SSL certificate does not have your server name, say www.yoursite.com, as CN="www.yoursite.com" in the Subject Name. That is what both client and server sides are showing in messages and logs. Can you please confirm if this is correct?

Regards
Nauman

-Original Message-
From: Ronald Petty [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 4:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Erro Code: -8182

I get the following error in my browser

"Could not establish an encrypted connection because certificate presented by test.example.dom is invalid or corrupted. Error Code: -8182"

when I go to my server via https. I looked in the archive and found black magic like "restart your browser". I tried this spell, and alas, to no avail. This happened to me before and it worked by restarting the browser. Needless to say I don't like the idea of people having to do that. And better, when I click on the ok button (even though it is really not ok) I get this in my logs

[02/Jun/2003 15:25:47 01074] [info] Connection to child 5 established (server test.example.dom:443, client x.x.x.x)
[02/Jun/2003 15:25:47 01074] [info] Seeding PRNG with 1160 bytes of entropy
[02/Jun/2003 15:29:12 01074] [error] SSL handshake failed (server test.example.dom:443, client x.x.x.x) (OpenSSL library error follows)
[02/Jun/2003 15:29:12 01074] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

I have changed the client and the server name for my own security (don't know if it matters). I heard that "CN in certificate not server name or identical to CA!?" means DNS is messed up, however DNS is working fine for me (as far as I can tell). I can pop/ssh/http to the test.example.dom just fine. (No, it's not set in my /etc/host.)

Any idea at what I am doing wrong? I have never done this before so please forgive my newbie ways.

Thanks
Ron
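An added example, not part of any message above: the mod_ssl log lines quoted in these threads carry a packed OpenSSL error code, and decoding it shows whether the handshake was rejected by the peer (a TLS alert was received) or by the server's own checks. It assumes the pre-3.0 OpenSSL code layout (8-bit library, 12-bit function, 12-bit reason); the function names are hypothetical and the sample log is constructed in the format shown above.

```python
import re

# mod_ssl engine-log line: "[02/Jun/2003 15:29:12 01074] [error] message"
LINE = re.compile(r"\[(\S+ \S+) (\d+)\] \[(\w+)\] (.*)")
OSSL = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):[^:]*:([^:]+):(.*)")
PEER = re.compile(r"\(server (\S+), client (\S+)\)")
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def decode_code(hexcode):
    """Unpack a pre-3.0 OpenSSL error code: library(8) | function(12) | reason(12)."""
    code = int(hexcode, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # Library 20 is SSL; there a reason of 1000+N means the peer sent TLS alert N.
    alert = reason - 1000 if lib == 20 and reason >= 1000 else None
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}

def handshake_failures(log_text):
    """Pair each 'SSL handshake failed' line with the OpenSSL error the same PID logs next."""
    pending, found = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "error":
            continue
        pid, msg = m.group(2), m.group(4)
        err = OSSL.match(msg)
        if msg.startswith("SSL handshake failed"):
            peer = PEER.search(msg)
            server, client = peer.groups() if peer else (None, None)
            pending[pid] = {"pid": pid, "server": server, "client": client}
        elif err and pid in pending:
            rec = pending.pop(pid)
            rec.update(decode_code(err.group(1)), function=err.group(2),
                       text=err.group(3).split(" [Hint")[0])
            # A received alert means the other side rejected the handshake;
            # otherwise the failure came from this server's own checks.
            rec["raised_by"] = "peer" if rec["peer_alert"] is not None else "server"
            rec["alert_name"] = ALERTS.get(rec["peer_alert"])
            found.append(rec)
    return found

# Constructed sample: error strings as quoted above; second PID and client are made up.
SAMPLE = """\
[02/Jun/2003 15:25:47 01074] [info] Connection to child 5 established (server test.example.dom:443, client x.x.x.x)
[02/Jun/2003 15:29:12 01074] [error] SSL handshake failed (server test.example.dom:443, client x.x.x.x) (OpenSSL library error follows)
[02/Jun/2003 15:29:12 01080] [error] SSL handshake failed (server test.example.dom:443, client y.y.y.y) (OpenSSL library error follows)
[02/Jun/2003 15:29:12 01074] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]
[02/Jun/2003 15:29:12 01080] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

if __name__ == "__main__":
    for r in handshake_failures(SAMPLE):
        print(r["pid"], r["client"], r["raised_by"], r["alert_name"] or r["text"])
```

Records are matched by PID because several children write to the same log and their lines interleave.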