Re: SSL Session Caching... an ongoing story? - MSIE again.
I've sussed the problem, and thought I'd feed the result back, in case someone else is similarly stumped.

Issue 1: I removed gdbm from the apache build, and got 'mm' added. This resolved (by me simple guessing analysis) about 5-10 % of the cache misses. Possible gdbm on my box has issues? I didn't have mm as when I last did a build there was some compile issue I never followed up...?

Issue 2: This was the killer - MSIE clients were getting asked for their certs every couple of minutes, forcing them to switch security down low. Some research showed up document q265369 on support.microsoft.com. The gist of the article is that SSL negotiation has been screwed in IE5, 5.01, 5.01SP1, 5.5 on windows NT. Renegotiation timing is set to 2 minutes by default in these versions. Doing the registry change from the doco appears to have removed the issue from my test systems.

L8r,

## Previously sam_campbell wrote:

Hi,

(This time I might remember to set a subject field)

I am running Apache/1.3.12 mod_ssl/2.6.6 OpenSSL/0.9.5a) running on 64bit HPUX 11.00. I continue to have issues with session caching. I have logging below that shows the behaviour. Basically it shows a session (SET) and a MISS about a minute later. All I can see is the pid's of the threads are different, so it appears that one of the threads cannot get a session from the gdbm database (?). I am using gdbm 1.8 if this is relevant.

A grep on MISSED in the logs show that all httpd threads have MISSED the cache at some stage. I've noticed that the protocol used (sslv3/tls) doesn't appear to have a bearing on the gdbm misses.

Because we are using user certs, this is making the access to the website unpleasant (to say the least :) Any ideas??

Here are the logs, (note all are within 1 minute - I've removed the times to make it more legible.)

[ 04452] [trace] Certificate Verification: depth: 3, subject: /O=xxx
[ 04452] [trace] Certificate Verification: depth: 2, subject: /C=xxx
[ 04452] [trace] Certificate Verification: depth: 1, subject: /C=xxx
[ 04452] [trace] Certificate Verification: depth: 0, subject: /C=xxxTEST2/Email=xxx@workcover.
[ 04452] [trace] OpenSSL: Loop: SSLv3 read client certificate A
[ 04452] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[ 04452] [trace] OpenSSL: Loop: SSLv3 read certificate verify A
[ 04452] [trace] OpenSSL: Loop: SSLv3 read finished A
[ 04452] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[ 04452] [trace] OpenSSL: Loop: SSLv3 write finished A
[ 04452] [trace] OpenSSL: Loop: SSLv3 flush data
[ 04452] [trace] Inter-Process Session Cache: request=SET status=OK id=4259EB615AAD42EC44217EC51E5EB76EE703B9D7F0042BA6BE81311C453AF43E timeout=3582s (session caching)
[ 04452] [trace] OpenSSL: Handshake: done
[ 04452] [info] Connection: Client IP: 172.20.11.220, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[ 04452] [info] Initial (No.1) HTTPS request received for child 9 (server aaa.com:443)

...snip... logs not needed anymore ...snip...

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
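The SET-then-MISSED pattern described in the message above can be checked mechanically instead of by grep. The following is an added example, not code from the thread or from mod_ssl: it assumes log lines that still carry their timestamps (as in the ssl_engine_log excerpts elsewhere on this page), uses constructed sample lines with shortened session ids, and assumes `status=FOUND` marks a cache hit, which the page itself never shows.

```python
"""Classify mod_ssl session-cache misses (added example; sample log is constructed)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Line layout as in the ssl_engine_log excerpts on this page, e.g.
# [16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=GET status=MISSED id=... (session renewal)
CACHE_RE = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] \[trace\] "
    r"Inter-Process Session Cache: request=(?P<req>\w+) status=(?P<status>\w+) "
    r"id=(?P<sid>[0-9A-F]+)(?: timeout=(?P<timeout>\d+)s)?"
)


def parse(lines):
    """Yield (time, pid, request, status, session id, timeout) for cache lines only."""
    for line in lines:
        m = CACHE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            yield ts, int(m["pid"]), m["req"], m["status"], m["sid"], m["timeout"]


def analyse(lines):
    """Return (counts per request/status, list of classified misses)."""
    stored = {}          # session id -> (expiry time, pid that stored it)
    counts = Counter()
    findings = []
    for ts, pid, req, status, sid, timeout in parse(lines):
        counts[(req, status)] += 1
        if req == "SET" and status == "OK":
            stored[sid] = (ts + timedelta(seconds=int(timeout or 0)), pid)
        elif req == "GET" and status == "MISSED":
            if sid not in stored:
                kind = "unknown-id"            # never stored in this log window
            else:
                expiry, set_pid = stored[sid]
                if ts >= expiry:
                    kind = "expired"           # normal: the timeout has passed
                elif pid != set_pid:
                    kind = "lost-cross-process"  # the symptom reported above
                else:
                    kind = "lost-same-process"
            findings.append((sid, pid, kind))
    return counts, findings


def miss_rate(counts):
    """Fraction of GET lookups that missed."""
    gets = sum(n for (req, _), n in counts.items() if req == "GET")
    return counts[("GET", "MISSED")] / gets if gets else 0.0


# Constructed sample; ids are shortened placeholders, not values from the thread.
SAMPLE_LOG = [
    "[27/Jul/2000 10:00:01 4452] [trace] Inter-Process Session Cache: request=SET status=OK id=AA11 timeout=300s (session caching)",
    "[27/Jul/2000 10:00:40 4460] [trace] Inter-Process Session Cache: request=GET status=MISSED id=AA11 (session renewal)",
    "[27/Jul/2000 10:00:41 4460] [trace] Inter-Process Session Cache: request=SET status=OK id=BB22 timeout=300s (session caching)",
    "[27/Jul/2000 10:01:10 4460] [trace] Inter-Process Session Cache: request=GET status=FOUND id=BB22 (session reuse)",
    "[27/Jul/2000 10:07:00 4452] [trace] Inter-Process Session Cache: request=GET status=MISSED id=BB22 (session renewal)",
    "[27/Jul/2000 10:07:05 4452] [trace] Inter-Process Session Cache: request=GET status=MISSED id=CC33 (session renewal)",
]

if __name__ == "__main__":
    counts, findings = analyse(SAMPLE_LOG)
    print(f"miss rate: {miss_rate(counts):.0%}")
    for sid, pid, kind in findings:
        print(f"pid {pid} missed {sid}: {kind}")
```

Only the `lost-cross-process` class points at the shared cache backend; `expired` and `unknown-id` misses are expected in normal operation.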
RE: MSIE *Again*
William,

That *DID* work... do you happen to have any explanation as to why? It doesn't make sense that having to turn on revocation checking would allow it to work? Is this true for all Verisign certs? If so, why do I not get that error when going to other sites with a Verisign cert using IE?

- Bob

-Original Message-
From: Wallace, William [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 27, 2000 10:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: MSIE *Again*

Does changing the "Check for server certificate revocation (requires restart)" advanced security setting in IE change the behavior?
RE: MSIE *Again*
Sorry Robert, I don't have any explanation. I discovered the same problem mid-June and have only just got around to investigating it. I've done the same SSL log analysis as you and a packet trace as well. At the packet level what happens is as soon as the handshake completes IE closes the connections (it sends a FIN).

It seems to only happen with the X509 v3 certificates from Verisign so perhaps it's something to do with the x509 version or the fact that their v3 certificates have an additional certificate in the chain. I've seen similar certificates work though with IE (but a different web server).

On a somewhat weird note, we both have famous Scottish names!

-Original Message-
From: Burns, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 27, 2000 10:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: MSIE *Again*

William,

That *DID* work... do you happen to have any explanation as to why? It doesn't make sense that having to turn on revocation checking would allow it to work? Is this true for all Verisign certs? If so, why do I not get that error when going to other sites with a Verisign cert using IE?

- Bob

-Original Message-
From: Wallace, William [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 27, 2000 10:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: MSIE *Again*

Does changing the "Check for server certificate revocation (requires restart)" advanced security setting in IE change the behavior?
MSIE *Again*
Folks,

I believe I'm experiencing the same MSIE problems that have been discussed on this list over the past few weeks, but with a little more information. Perhaps it will help.

I'm running Apache 1.3.12 + modssl 2.6.4 + openssl 0.9.5a on an UltraSparc 10 + Solaris7.

First, I created a dummy certificate (i.e. signed by Snake-Oil CA) and everything works just fine. Both IE and Netscape connect without incident.

Next, I generated new keys and got a Verisign certificate. I installed this certificate (along with the intermediate certificate) and that's when things started breaking for IE only. Netscape will connect just fine, but IE gives that 'very informative' error screen.

Here is the tail end of the log with debug turned on:

[26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 67/67 bytes to BIO#0014D048 [mem: 001749F0] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 14 03 00 00 01 01 16 03-00 00 38 7c 9b f8 cc 94  ..8| |
| 0010: 73 0a b9 2b e8 ec 32 91-c2 88 86 52 2b d6 f3 12  s..+..2R+... |
| 0020: 8c 67 0d 7a f9 c2 0c 1e-4c c8 6d 7a 95 3e 21 d9  .g.zL.mz.!. |
| 0030: 02 16 c0 7d 94 4d 47 7d-70 49 9a 4c d6 db 82 c9  ...}.MG}pI.L |
| 0040: 72 09 17  r.. |
+-------------------------------------------------------------------------+
[26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Loop: SSLv3 flush data
[26/Jul/2000 09:55:20 27052] [trace] Inter-Process Session Cache: request=SET status=OK id=460730715DA5C519241676A466979A8EC3B3813DC8A8803C81BCA4658A094BD8 timeout=299s (session caching)
[26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Handshake: done
[26/Jul/2000 09:55:20 27052] [info] Connection: Client IP: 192.168.8.109, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[26/Jul/2000 09:55:20 27052] [debug] OpenSSL: read 0/18437 bytes from BIO#0014D048 [mem: 001675C8] (BIO dump follows)
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
[26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 23/23 bytes to BIO#0014D048 [mem: 0016FDD8] (BIO dump follows)
+-------------------------------------------------------------------------+
| 0000: 15 03 00 00 12 d4 c5 65-6a a4 01 3f bd 11 49 75  ...ej..?..Iu |
| 0010: 12 43 94 83 8f 2c a5  .C...,. |
+-------------------------------------------------------------------------+
[26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Write: SSL negotiation finished successfully
[26/Jul/2000 09:55:20 27052] [info] Connection to child 1 closed with standard shutdown (server 192.168.8.84:443, client 192.168.8.109)

It appears that in the line above (read 0/18437 bytes from...) that IE shutdown the TCP/IP connection, forcing the SSL connection to be closed by the server. The question is, why does IE shutdown the connection, but Netscape continued on without problem?

I'm going to try to sniff the TCP line to see what is actually happening, but until then, any additional insight would be helpful.

Thanks,
- Bob

--
Bob Burns
Zaxus
[EMAIL PROTECTED]
1-888-744-4976, X6510
(local) 1-954-846-6510
--
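The two BIO dumps in the message above can be read at the record layer even without the session keys. This added example (not part of the original post) splits the dumped bytes into SSL records and checks their sizes against the RC4-MD5 suite the log reports. The byte strings are transcribed from the dumps, and the size-based classification is an assumption-driven guess, since the fragments themselves are encrypted.

```python
"""Split mod_ssl BIO-dump bytes into SSL/TLS records (added example)."""
import struct
from typing import NamedTuple

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1"}

# RC4 is a stream cipher, so an encrypted fragment is plaintext + MAC, no padding.
MAC_LEN = {"RC4-MD5": 16, "EXP1024-RC4-SHA": 20}


class Record(NamedTuple):
    content_type: str
    version: str
    length: int
    fragment: bytes


def parse_records(buf: bytes):
    """Walk the 5-byte record headers: type, major, minor, 16-bit length."""
    records, off = [], 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", buf, off)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        fragment = buf[off + 5: off + 5 + length]
        if len(fragment) != length:
            raise ValueError(f"truncated fragment at offset {off}")
        records.append(Record(CONTENT_TYPES[ctype],
                              VERSIONS.get((major, minor), f"{major}.{minor}"),
                              length, fragment))
        off += 5 + length
    return records


def classify_encrypted(record: Record, cipher: str) -> str:
    """Guess the content of an encrypted record from its size alone."""
    plain = record.length - MAC_LEN[cipher]
    if record.content_type == "alert" and plain == 2:
        return "alert (level, description)"
    if record.content_type == "handshake":
        # Finished body: 36 bytes in SSLv3 (MD5 + SHA-1), 12 bytes in TLSv1,
        # plus the 4-byte handshake header.
        body = 36 if record.version == "SSLv3" else 12
        if plain == 4 + body:
            return "Finished"
    return "unknown"


# Bytes transcribed from the "write 67/67" dump in the post.
WRITE_67 = bytes.fromhex(
    "14 03 00 00 01 01 16 03 00 00 38 7c 9b f8 cc 94"
    "73 0a b9 2b e8 ec 32 91 c2 88 86 52 2b d6 f3 12"
    "8c 67 0d 7a f9 c2 0c 1e 4c c8 6d 7a 95 3e 21 d9"
    "02 16 c0 7d 94 4d 47 7d 70 49 9a 4c d6 db 82 c9"
    "72 09 17"
)
# Bytes transcribed from the "write 23/23" dump in the post.
WRITE_23 = bytes.fromhex(
    "15 03 00 00 12 d4 c5 65 6a a4 01 3f bd 11 49 75"
    "12 43 94 83 8f 2c a5"
)

if __name__ == "__main__":
    for name, buf in (("write 67/67", WRITE_67), ("write 23/23", WRITE_23)):
        for rec in parse_records(buf):
            guess = ("plaintext" if rec.content_type == "change_cipher_spec"
                     else classify_encrypted(rec, "RC4-MD5"))
            print(f"{name}: {rec.content_type} {rec.version} "
                  f"len={rec.length} -> {guess}")
```

The 67-byte write is the server's ChangeCipherSpec plus its encrypted Finished, and the 23-byte write has the size of a two-byte alert with a 16-byte MAC, which fits the "standard shutdown" the log reports after the client closed the connection.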
RE: MSIE *Again*
Does changing the "Check for server certificate revocation (requires restart)" advanced security setting in IE change the behavior?
Re: msie AGAIN
At 09:16 17/07/00 -0600, you wrote:

> I'm about to install a new apache server, does anyone have any good documentation on the best way to install apache, ssl, php, and frontpage

Start clean and simple. And check and check /etc/profile and your LD_LIBRARY_PATH and LD_RUN_PATH if you have 'em.

> Also, where do I go from here on my ie problem. I have pretty detailed information in my error_engine_ssl log. However, I am not sure what it means. Who knows who would understand this stuff?

Certainly not Microsoft - judging from current performance on SSL!! ;-)

Again, hijack an unused PC and start a clean install.

regards
-david

Technical Director (CTO) mailto:[EMAIL PROTECTED]
Carvel Solutions Ltd. http://www.carvel.co.uk
Software, Internet E-Commerce Solutions
Vindolanda, Abbeytown, Carlisle, Cumbria, CA5 4RG, UK.
Tel/Fax: +44 16973 61173 Mobile: +44 411 125307
"Never be afraid to try something new. Remember, amateurs built the Ark; professionals built the Titanic."
Re: msie AGAIN
Jeff,

I'm unlikely to be much help on the SSL side (I'm still a newbie to this). I can get through on https://www.colosoft.com and https://www.coloinfotech.com using MS IE 5.01/128.

How about revisiting the IE installations. Have any service packs undone anything - or do you need to reinstall service packs - I would always avoid reapplying SPs as it always breaks something to do with security. For example I have to reinstall Entrust Desktop and IE5/128 each time I reapply SP5 (no version control checks seemingly being done at installation).

At 12:34 16/07/00 -0600, you wrote:

hey all, if i tell ie to not use sslv3 or tlsv1 in the advanced options (theorizing that it would then use sslv2, which was enabled) I still do not connect, however I get very different errors in the ssl_engine_log than what I was getting when trying to connect via sslv3. I can post those errors if needed.

- Original Message -
From: "Jeff Gelina" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 16, 2000 12:28 PM
Subject: Re: msie AGAIN

Ok, when I put it in debug mode with the new configuration I found that one log file and only one file changes when i try to access the https site with IE. That file is ssl_engine_log and here is what changes minus the bio dumps which were just a bunch of hex.

[16/Jul/2000 11:18:25 15029] [info] Seeding PRNG with 1160 bytes of entropy
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: start
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: before/accept initialization
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 11/11 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=GET status=MISSED id=309590E9D2CA6A50F56AC3475AF55D91F0436BB996781DECB16C18A37AB60355 (session renewal)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write server hello A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write certificate A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write server done A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 876/876 bytes to BIO#080F4AA8 [mem: 08107688] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 flush data
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 134/134 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 1/1 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 36/36 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read finished A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write finished A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 47/47 bytes to BIO#080F4AA8 [mem: 08107688] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 flush data
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=SET status=OK id=95F69C732CD78360E18A4C3E7786223C9117E932FB7848875B0892B06210F8A8 timeout=300s (session caching)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: done
[16/Jul/2000 11:18:25 15029] [info] Connection: Client IP: 209.12.32.66, Protocol: TLSv1, Cipher: EXP1024-RC4-SHA (56/128 bits)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 0/18437 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 27/27 bytes to BIO#080F4AA8 [mem: 08102A00] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Write: SSL negotiation finished successfully
[16/Jul/2000 11:18:25 15029] [info] Connection to child 0 closed with standard shutdown (server minnesota.coinfotech.com:443, client 209.12.32.66)

Can you decipher this???

- Original Message -
From: "Martin Lichtin" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 15, 2000 7:18 PM
Subject: Re: msie AGAIN

Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

What messages do you see in the ssl.log when you incr
Re: msie AGAIN
SP would be a good idea except that this is Linux 6.2.

I'm about to install a new apache server, does anyone have any good documentation on the best way to install apache, ssl, php, and frontpage

Also, where do I go from here on my ie problem. I have pretty detailed information in my error_engine_ssl log. However, I am not sure what it means. Who knows who would understand this stuff?

Jeff Gelina
ISP "Little Blade of Grass"
Colorado Information Technologies

- Original Message -
From: "David Leeson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 17, 2000 3:24 AM
Subject: Re: msie AGAIN

Jeff,

I'm unlikely to be much help on the SSL side (I'm still a newbie to this). I can get through on https://www.colosoft.com and https://www.coloinfotech.com using MS IE 5.01/128.

How about revisiting the IE installations. Have any service packs undone anything - or do you need to reinstall service packs - I would always avoid reapplying SPs as it always breaks something to do with security. For example I have to reinstall Entrust Desktop and IE5/128 each time I reapply SP5 (no version control checks seemingly being done at installation).

At 12:34 16/07/00 -0600, you wrote:

hey all, if i tell ie to not use sslv3 or tlsv1 in the advanced options (theorizing that it would then use sslv2, which was enabled) I still do not connect, however I get very different errors in the ssl_engine_log than what I was getting when trying to connect via sslv3. I can post those errors if needed.
Re: msie AGAIN
On Mon, Jul 17, 2000 at 09:16:28AM -0600, Jeff Gelina wrote:

> SP would be a good idea except that this is Linux 6.2.
>
> I'm about to install a new apache server, does anyone have any good documentation on the best way to install apache, ssl, php, and frontpage

Since you're still in "DEBUG mode" - I'd suggest that you do a minimal install: http://www.modssl.org/example/ and see what that gives you. I am not quite convinced that this is because of trouble in mod_ssl - theoretically it could be something else in your server. It does throw quite a few more headers out than a standard install.

> Also, where do I go from here on my ie problem. I have pretty detailed information in my error_engine_ssl log. However, I am not sure what it means. Who knows who would understand this stuff?

You could try using openssl s_server with the same certificate/keys/ciphers and connect with the same clients to see if you get a difference. If you make a Logfile with full debug info available, I'll take a look at it and see if I can spot anything.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: msie AGAIN
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mads Toftum
Sent: Monday, July 17, 2000 9:11 AM

> On Mon, Jul 17, 2000 at 09:16:28AM -0600, Jeff Gelina wrote:
> > SP would be a good idea except that this is Linux 6.2.
> >
> > I'm about to install a new apache server, does anyone have any good documentation on the best way to install apache, ssl, php, and frontpage
>
> Since you're still in "DEBUG mode" - I'd suggest that you do a minimal install: http://www.modssl.org/example/ and see what that gives you. I am not quite convinced that this is because of trouble in mod_ssl - theoretically it could be something else in your server. It does throw quite a few more headers out than a standard install.

Mads is right, following this example should get you running. I was thinking about it a bit, and I think you may have some old openssl libraries around which could be causing your problems. (Remember when you printed that `find / openssl` a while back, there was some in /usr/local?) Building according to the example should get you Apache with openssl statically linked, and prevent any old shared libraries lying around from interfering.

> > Also, where do I go from here on my ie problem. I have pretty detailed information in my error_engine_ssl log. However, I am not sure what it means. Who knows who would understand this stuff?
>
> You could try using openssl s_server with the same certificate/keys/ciphers and connect with the same clients to see if you get a difference. If you make a Logfile with full debug info available, I'll take a look at it and see if I can spot anything.

Another good idea.

-Dave
RE: msie AGAIN
Mod_ssl includes very good documentation how to install apache and its modules.

Salvatore Ilardo
http://www.rokeby.com
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Gelina
Sent: Monday, July 17, 2000 4:16 PM
To: [EMAIL PROTECTED]
Subject: Re: msie AGAIN

SP would be a good idea except that this is Linux 6.2.

I'm about to install a new apache server, does anyone have any good documentation on the best way to install apache, ssl, php, and frontpage

Also, where do I go from here on my ie problem. I have pretty detailed information in my error_engine_ssl log. However, I am not sure what it means. Who knows who would understand this stuff?

Jeff Gelina
ISP "Little Blade of Grass"
Colorado Information Technologies

- Original Message -
From: "David Leeson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 17, 2000 3:24 AM
Subject: Re: msie AGAIN

Jeff,

I'm unlikely to be much help on the SSL side (I'm still a newbie to this). I can get through on https://www.colosoft.com and https://www.coloinfotech.com using MS IE 5.01/128.

How about revisiting the IE installations. Have any service packs undone anything - or do you need to reinstall service packs - I would always avoid reapplying SPs as it always breaks something to do with security. For example I have to reinstall Entrust Desktop and IE5/128 each time I reapply SP5 (no version control checks seemingly being done at installation).

At 12:34 16/07/00 -0600, you wrote:

hey all, if i tell ie to not use sslv3 or tlsv1 in the advanced options (theorizing that it would then use sslv2, which was enabled) I still do not connect, however I get very different errors in the ssl_engine_log than what I was getting when trying to connect via sslv3. I can post those errors if needed.
Re: msie AGAIN
thanks for the help, but that wasn't much help :)

- Original Message -
From: Salvo Ilardo
To: [EMAIL PROTECTED]
Sent: Monday, July 17, 2000 1:58 PM
Subject: RE: msie AGAIN

Mod_ssl includes very good documentation on how to install apache and its modules.

Salvatore Ilardo
http://www.rokeby.com
[EMAIL PROTECTED]
Re: msie AGAIN
David,

Here you go: http://www.coinfotech.com/httpdconf.htm

I appreciate the help you have given me so far, thanks

P.S. could you please send me a copy of your httpd.conf file (I am by no means an expert and would benefit greatly by being able to see an actual used httpd.conf file. If it is too much of a security risk then that's ok, but if not, I would greatly appreciate it. [EMAIL PROTECTED] is my email addy.

- Original Message -
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 15, 2000 7:31 PM
Subject: Re: msie AGAIN

On Sat, Jul 15, 2000 at 06:57:02PM -0600, Jeff Gelina wrote:

Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

Hmm, it doesn't work for IE, but does for Netscape. Can you put your httpd.conf on the website so I can look at it?

-Dave
Re: msie AGAIN
hey all, if i tell ie to not use sslv3 or tlsv1 in the advanced options (theorizing that it would then use sslv2, which was enabled) I still do not connect, however I get very different errors in the ssl_engine_log than what I was getting when trying to connect via sslv3. I can post those errors if needed.
Re: msie AGAIN
On Sun, Jul 16, 2000 at 12:02:32PM -0600, Jeff Gelina wrote:

David, Here you go: http://www.coinfotech.com/httpdconf.htm

Just one thought - could you try using:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Instead of:

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Oh yeah, one other point - I get through now on my msie 5, but the server name in the certificate doesn't match the server's name!

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: msie AGAIN
On Sun, Jul 16, 2000 at 09:13:47PM +0200, Mads Toftum wrote:

Oh yeah, one other point - I get through now on my msie 5, but the server name in the certificate doesn't match the server's name!

Ooops - I was a bit too fast on that - I was testing on https://www.coinfotech.com ;-)

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: msie AGAIN
On Sun, Jul 16, 2000 at 12:02:32PM -0600, Jeff Gelina wrote:

David, Here you go: http://www.coinfotech.com/httpdconf.htm

I appreciate the help you have given me so far, thanks

P.S. could you please send me a copy of your httpd.conf file (I am by no means an expert and would benefit greatly by being able to see an actual used httpd.conf file. If it is too much of a security risk then that's ok, but if not, I would greatly appreciate it. [EMAIL PROTECTED] is my email addy.

Everything there looks fine, and I still can't connect with MSIE. I'm out of ideas, does anyone else have any?

-Dave
Re: msie AGAIN
Ok, when I put it in debug mode with the new configuration I found that one log file and only one file changes when i try to access the https site with IE. That file is ssl_engine_log and here is what changes minus the bio dumps which were just a bunch of hex.

[16/Jul/2000 11:18:25 15029] [info] Seeding PRNG with 1160 bytes of entropy
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: start
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: before/accept initialization
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 11/11 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=GET status=MISSED id=309590E9D2CA6A50F56AC3475AF55D91F0436BB996781DECB16C18A37AB60355 (session renewal)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write server hello A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write certificate A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write server done A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 876/876 bytes to BIO#080F4AA8 [mem: 08107688] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 flush data
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 134/134 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 1/1 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 5/5 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 36/36 bytes from BIO#080F4AA8 [mem: 080FA1F5] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read finished A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write finished A
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 47/47 bytes to BIO#080F4AA8 [mem: 08107688] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 flush data
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=SET status=OK id=95F69C732CD78360E18A4C3E7786223C9117E932FB7848875B0892B06210F8A8 timeout=300s (session caching)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: done
[16/Jul/2000 11:18:25 15029] [info] Connection: Client IP: 209.12.32.66, Protocol: TLSv1, Cipher: EXP1024-RC4-SHA (56/128 bits)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 0/18437 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: write 27/27 bytes to BIO#080F4AA8 [mem: 08102A00] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Write: SSL negotiation finished successfully
[16/Jul/2000 11:18:25 15029] [info] Connection to child 0 closed with standard shutdown (server minnesota.coinfotech.com:443, client 209.12.32.66)

Can you decipher this???

- Original Message -
From: "Martin Lichtin" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 15, 2000 7:18 PM
Subject: Re: msie AGAIN

Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

What messages do you see in the ssl.log when you increase the debug level? Try

SSLLog ssl.log
SSLLogLevel debug
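Added example, not part of any post in this thread and not mod_ssl code: a small Python summariser for the ssl_engine_log trace format posted above, which groups entries by httpd child pid and reports what each handshake shows. The sample is constructed (pid 15029 follows the thread's log with wraps joined and session ids shortened, pid 15030 is an invented contrast case), and the record field names are this example's own.

```python
import re

# One ssl_engine_log entry: "[16/Jul/2000 11:18:25 15029] [trace] message"
LINE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$")
CACHE = re.compile(r"Session Cache: request=(\w+) status=(\w+)")
CONN = re.compile(r"Protocol: (\S+), Cipher: (\S+) \((\d+)/(\d+) bits\)")
CLOSED = re.compile(r"closed with (\w+) shutdown")

# Constructed sample. pid 15029 follows the log posted in this thread (wrapped
# lines joined, session ids shortened); pid 15030 is an invented contrast case.
SAMPLE = """\
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: start
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=GET status=MISSED id=AA01 (session renewal)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/Jul/2000 11:18:25 15030] [trace] OpenSSL: Handshake: start
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 write server hello A
[16/Jul/2000 11:18:25 15030] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Loop: SSLv3 read finished A
[16/Jul/2000 11:18:25 15029] [trace] Inter-Process Session Cache: request=SET status=OK id=AA02 timeout=300s (session caching)
[16/Jul/2000 11:18:25 15029] [trace] OpenSSL: Handshake: done
[16/Jul/2000 11:18:25 15029] [info] Connection: Client IP: 209.12.32.66, Protocol: TLSv1, Cipher: EXP1024-RC4-SHA (56/128 bits)
[16/Jul/2000 11:18:25 15030] [trace] Inter-Process Session Cache: request=SET status=OK id=BB01 timeout=300s (session caching)
[16/Jul/2000 11:18:25 15030] [trace] OpenSSL: Handshake: done
[16/Jul/2000 11:18:25 15030] [info] Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[16/Jul/2000 11:18:25 15029] [debug] OpenSSL: read 0/18437 bytes from BIO#080F4AA8 [mem: 080FA1F0] (BIO dump follows)
[16/Jul/2000 11:18:25 15029] [info] Connection to child 0 closed with standard shutdown (server minnesota.coinfotech.com:443, client 209.12.32.66)
[16/Jul/2000 11:18:26 15030] [info] Initial (No.1) HTTPS request received for child 1 (server example.test:443)
[16/Jul/2000 11:18:26 15030] [info] Connection to child 1 closed with standard shutdown (server example.test:443, client 192.0.2.10)
"""


def parse(text):
    """Return one record per handshake, in the order the handshakes started."""
    open_by_pid, records = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # BIO hex dumps and blank lines carry no entry header
        pid, msg = m["pid"], m["msg"]
        if msg == "OpenSSL: Handshake: start":
            rec = {"pid": pid, "states": [], "cache": [], "done": False,
                   "protocol": None, "cipher": None, "bits": None,
                   "requests": 0, "shutdown": None}
            open_by_pid[pid] = rec
            records.append(rec)
            continue
        rec = open_by_pid.get(pid)
        if rec is None:
            continue  # entry outside any handshake we saw start
        if msg.startswith("OpenSSL: Loop: "):
            rec["states"].append(msg[len("OpenSSL: Loop: "):])
        elif msg == "OpenSSL: Handshake: done":
            rec["done"] = True
        elif "HTTPS request received" in msg:
            rec["requests"] += 1
        elif CACHE.search(msg):
            rec["cache"].append(CACHE.search(msg).groups())
        elif CONN.search(msg):
            proto, cipher, secret, total = CONN.search(msg).groups()
            rec.update(protocol=proto, cipher=cipher, bits=(int(secret), int(total)))
        elif CLOSED.search(msg):
            rec["shutdown"] = CLOSED.search(msg).group(1)
            del open_by_pid[pid]  # the child is free for its next connection
    return records


def findings(rec):
    """Defender-facing observations for one handshake record."""
    out = []
    if ("GET", "MISSED") in rec["cache"]:
        out.append("offered session id not in cache, full handshake performed")
    if not rec["done"]:
        out.append("handshake never completed")
    elif rec["requests"] == 0:
        out.append("handshake completed but no HTTPS request was logged")
    if rec["cipher"] and (rec["cipher"].startswith("EXP") or rec["bits"][0] < rec["bits"][1]):
        out.append("export-grade cipher negotiated (%d secret bits)" % rec["bits"][0])
    return out


if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["pid"], rec["protocol"], rec["cipher"], rec["shutdown"])
        for note in findings(rec):
            print("   -", note)
```

For the pid 15029 record the summary shows a complete server-side negotiation followed by a close with no request logged, which is the point where the posted trace stops.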
Re: msie AGAIN
David,

I fixed the add module mod_auth_anon.c, it shouldn't have been pounded out. I unpounded it. Didn't help though.

Jeff

- Original Message -
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 15, 2000 7:31 PM
Subject: Re: msie AGAIN

On Sat, Jul 15, 2000 at 06:57:02PM -0600, Jeff Gelina wrote:

Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

Hmm, it doesn't work for IE, but does for Netscape. Can you put your httpd.conf on the website so I can look at it?

-Dave
Re: msie AGAIN
I tried that, you will see the pounded out line below those three lines. That was my attempt. I had the # behind the f in a lame attempt to make sure the whole line was pounded out cause it was taking two lines on my screen. I really didn't need it. Anyway, I'm still having the problems. Does anyone understand that gibberish that I get in the ssl_engine_log?? I think that that is the clue. Something about a sslv3 loop

- Original Message -
From: "Mads Toftum" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 16, 2000 1:13 PM
Subject: Re: msie AGAIN

On Sun, Jul 16, 2000 at 12:02:32PM -0600, Jeff Gelina wrote:

David, Here you go: http://www.coinfotech.com/httpdconf.htm

Just one thought - could you try using:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Instead of:

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Oh yeah, one other point - I get through now on my msie 5, but the server name in the certificate doesn't match the server's name!

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: msie AGAIN
man i am embarrassed one level down, I was thinking contribution was like developmental contribution to mod_ssl. I guess you could assume that means that .rpms were a contribution to the site by someone else. I was looking for some type of download area. Kept getting deeper and deeper in the site. Well here i go, hope this fixes it.

Well surprise surprise (I hate rpms! I never use them anymore and never will again!) Can you make sense of this??? As you can see it says i need 0.9.4 but i already have 0.9.5???

error: failed dependencies:
openssl = 0.9.4 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libcrypto.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libssl.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
[root@minnesota downloads]# find / -name libssl.so.0
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libssl*
/usr/lib/apache/libssl.so
/usr/local/ssl/lib/libssl.a
/usr/openssl-0.9.5a/libssl.a
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.module
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.version
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libcrypto*
/usr/local/ssl/lib/libcrypto.a
/usr/openssl-0.9.5a/libcrypto.a

- Original Message -
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 7:32 PM
Subject: Re: msie AGAIN

On Fri, Jul 14, 2000 at 07:28:12PM -0600, Jeff Gelina wrote:

Do you know where that rpm is, there is no rpm at www.rpm.org nor can i find anything at www.modssl.org. Is there even one?

You didn't look very hard, did you? :-) http://www.modssl.org/contrib/

-Dave
Re: msie AGAIN
In addition to the mod_ssl-2.6.5-1.i386.rpm, you also need the openssl-0.9.5a-1.i586.rpm. You probably also want to get the apache rpm from the same location.

-Dave

On Sat, Jul 15, 2000 at 12:06:15PM -0600, Jeff Gelina wrote:

man i am embarrassed one level down, I was thinking contribution was like developmental contribution to mod_ssl. I guess you could assume that means that .rpms were a contribution to the site by someone else. I was looking for some type of download area. Kept getting deeper and deeper in the site. Well here i go, hope this fixes it.

Well surprise surprise (I hate rpms! I never use them anymore and never will again!) Can you make sense of this??? As you can see it says i need 0.9.4 but i already have 0.9.5???

error: failed dependencies:
openssl = 0.9.4 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libcrypto.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libssl.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
[root@minnesota downloads]# find / -name libssl.so.0
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libssl*
/usr/lib/apache/libssl.so
/usr/local/ssl/lib/libssl.a
/usr/openssl-0.9.5a/libssl.a
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.module
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.version
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libcrypto*
/usr/local/ssl/lib/libcrypto.a
/usr/openssl-0.9.5a/libcrypto.a
Re: msie AGAIN
Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

Jeff Gelina

- Original Message -
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, July 15, 2000 12:16 PM
Subject: Re: msie AGAIN

In addition to the mod_ssl-2.6.5-1.i386.rpm, you also need the openssl-0.9.5a-1.i586.rpm. You probably also want to get the apache rpm from the same location.

-Dave

On Sat, Jul 15, 2000 at 12:06:15PM -0600, Jeff Gelina wrote:

man i am embarrassed one level down, I was thinking contribution was like developmental contribution to mod_ssl. I guess you could assume that means that .rpms were a contribution to the site by someone else. I was looking for some type of download area. Kept getting deeper and deeper in the site. Well here i go, hope this fixes it.

Well surprise surprise (I hate rpms! I never use them anymore and never will again!) Can you make sense of this??? As you can see it says i need 0.9.4 but i already have 0.9.5???

error: failed dependencies:
openssl = 0.9.4 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libcrypto.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
libssl.so.0 is needed by apache-mod_ssl-1.3.11.2.5.0-0.6.0
[root@minnesota downloads]# find / -name libssl.so.0
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libssl*
/usr/lib/apache/libssl.so
/usr/local/ssl/lib/libssl.a
/usr/openssl-0.9.5a/libssl.a
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.module
/usr/mod_ssl-2.6.5-1.3.12/pkg.sslmod/libssl.version
find: /proc/6/fd: Permission denied
[root@minnesota downloads]# find / -name libcrypto*
/usr/local/ssl/lib/libcrypto.a
/usr/openssl-0.9.5a/libcrypto.a
Re: msie AGAIN
On Sat, Jul 15, 2000 at 06:57:02PM -0600, Jeff Gelina wrote:

Ok, I have done as you have requested (it was a pain in the butt) you will see the new page at http://minnesota.coinfotech.com but you will not be able to access the https with any ie browser. Netscape will see it just fine. Hence, same problem.

Hmm, it doesn't work for IE, but does for Netscape. Can you put your httpd.conf on the website so I can look at it?

-Dave
Re: msie AGAIN
Is there a better place to be asking this question??? nobody is responding??? If anybody knows where I should be asking could you please tell me?

Jeff Gelina

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, July 13, 2000 1:38 AM
Subject: Re: msie AGAIN

I just checked my browser version from home, I'm using IE 5.5 128 bit... What is the problem here, can anyone help?

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 7:56 PM
Subject: msie AGAIN

ok, microsoft really Pis___ me off! Why can't they do anything right? Enough of that, I'm just venting a little.

Anyway, I've spent the last two days troubleshooting this msie5x problem with https. I've read and reread the manual and the FAQ. As well as searched for hours on the mailing lists. I have found many things to try, like CipherSuite entries and SSLProtocol. But I have still been unable to resolve the problem. As you can see from my configuration file I have tried many many things.

The server that is giving me problems was the first apache server I did (I used the rpms from RedHat 6.2 apachessl server and loaded all the add on rpms that came with it). Please don't tell me to reinstall not using the rpms it is not an option on this server and yes I have stopped using those freaking rpms.

Anyway, could anyone please tell me what I got to do in my httpd.conf file to get msie to view my https server pages. Oh, I have tried to view the https pages with ie5.0, 5.01, 5.5 both 40 and 128 bit encryption and none of them work. I can view the non-https pages just fine all versions of msie and Netscape will view everything including the https pages just fine (Ahh, long live Netscape.)

Thanks ahead of time for your thoughts on this problem of mine.

Jeff Gelina

P.S. Sorry for pasting the whole darn thing here, but wanted to make sure you had it all to look at.
Re: msie AGAIN
If anyone is out there, like the creator of modssl you may find this interesting.. I do not think that this is an ie problem I am running IE 5.5 (as well as many other versions of ie) and they all access my linux server running my ssl mail server just fine. I have read and reread and reread the faq and combed over the mailing list over and over and over. I have tried all the suggested articles related to SetEnvIf and the -sslv3. I don't think this is the problem. I think modssl has a problem. Once again my mail server running CommuniGate Pro on https (which is a Linux server) runs just fine with IE. In fact, if I turn SSLv3 off in the I.E. browser this site will not come up. Hence, IE 5.5 works just fine with SSLv3. This leads me to believe that modssl has a problem. Does anyone know how to get in contact with the creator of modssl? Or would it be easier to switch over to ApacheSSL?

Jeff Gelina
ISP Lead
Colorado Information Technologies

- Original Message -
From: "Jeff Gelina" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 4:54 PM
Subject: Fw: msie AGAIN

Thank you for responding Martin, This is what I have set in my httpsd.conf file, however it does not seem to help solve the situation. Any ideas? I really don't want to have to demote everything to SSL2 but I will if I have to?

VirtualHost _default_:443
DocumentRoot /home/httpd/html
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log-ssl
TransferLog /var/log/httpd/access_log-ssl
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Jeff Gelina

- Original Message -
From: "Martin Lichtin" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 12:25 PM
Subject: Re: msie AGAIN

Jeff, I don't really know what symptoms you see with IE... but anyway, this is my working SSL configuration

SSLProtocol SSLv2

and inside VirtualHost _default_:443

SetEnv nokeepalive 1
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
RE: msie AGAIN
What versions of IE (4.0, 5.0 5.01, 5.5?) and security levels (40-bit, 56-bit, 128bit?) are affected besides 5.5? All of them? What version of mod_ssl and openssl are you running?

Are you also running the line:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

in your virtual host in addition to your

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

line? Those two lines are now default in the latest release of mod_ssl.

If it's just MSIE 5.5, I can load up an NT machine here with 5.5 to test on my server to see if it works here. Does it work with Netscape? What versions?

What's your SSLLogLevel set to? Have you tried setting it higher and looking in the ssl_engine_log?

Sorry, a lot of questions, but there's a lot of variables here.

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Gelina
Sent: Friday, July 14, 2000 4:49 PM
To: [EMAIL PROTECTED]
Subject: Re: msie AGAIN

If anyone is out there, like the creator of modssl, you may find this interesting.

I do not think that this is an ie problem. I am running IE 5.5 (as well as many other versions of ie) and they all access my linux server running my ssl mail server just fine. I have read and reread and reread the faq and combed over the mailing list over and over and over. I have tried all the suggested articles related to SetEnvIf and the -sslv3. I don't think this is the problem. I think modssl has a problem.

Once again my mail server running CommuniGate Pro on https (which is a Linux server) runs just fine with IE. In fact, if I turn SSLv3 off in the I.E. browser this site will not come up. Hence, IE 5.5 works just fine with SSLv3. This leads me to believe that modssl has a problem.

Does anyone know how to get in contact with the creator of modssl? Or would it be easier to switch over to ApacheSSL?

Jeff Gelina
ISP Lead
Colorado Information Technologies
Re: msie AGAIN
Thank you so much for your response, see below for answers to your questions:

----- Original Message -----
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 5:53 PM
Subject: RE: msie AGAIN

> What versions of IE (4.0, 5.0 5.01, 5.5?) and security levels (40-bit, 56-bit, 128bit?) are affected besides 5.5? All of them? What version of mod_ssl and openssl are you running?

ie 5.0, 5.01, 5.5 both 56-bit and 128-bit have been tested
openssl version 0.9.5a
modssl 2.6.6-1.3.12

> Are you also running the line:
>
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Yes

> in your virtual host in addition to your
>
>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> line? Those two lines are now default in the latest release of mod_ssl.
>
> If it's just MSIE 5.5, I can load up an NT machine here with 5.5 to test on my server to see if it works here. Does it work with Netscape? What versions?

The ApacheSSL server works fine with Netscape Navigator version 4.08

> What's your SSLLogLevel set to? Have you tried setting it higher and looking in the ssl_engine_log?

Have not tried to set this higher, it is currently set to warn, i will set to debug as soon as i send this.

> Sorry, a lot of questions, but there's a lot of variables here.

You can ask as many questions as you want, the more the better! I just want to get it working, don't care what it takes.

> -Dave
RE: msie AGAIN
>> What versions of IE (4.0, 5.0 5.01, 5.5?) and security levels (40-bit, 56-bit, 128bit?) are affected besides 5.5? All of them? What version of mod_ssl and openssl are you running?
>
> ie 5.0, 5.01, 5.5 both 56-bit and 128-bit have been tested
> openssl version 0.9.5a
> modssl 2.6.6-1.3.12

There is no version 2.6.6 of mod_ssl (yet), perhaps you mean 2.6.5? No IE browsers work at all? Did you build from source, or are you using RPMs? If using RPMs, have you tried building from source? Any additional modules built into the server? What platform are you running on?

> The ApacheSSL server works fine with Netscape Navigator version 4.08

You mean mod_ssl server? (ApacheSSL is a different project)

>> What's your SSLLogLevel set to? Have you tried setting it higher and looking in the ssl_engine_log?
>
> Have not tried to set this higher, it is currently set to warn, i will set to debug as soon as i send this.

I think we're going to need some of this debugging info, you may want to try info or trace before debug, we don't want to get _too_ much information if we don't need it.

-Dave
Re: msie AGAIN
Hey David, comments below:

----- Original Message -----
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 6:11 PM
Subject: RE: msie AGAIN

>>> What versions of IE (4.0, 5.0 5.01, 5.5?) and security levels (40-bit, 56-bit, 128bit?) are affected besides 5.5? All of them? What version of mod_ssl and openssl are you running?
>>
>> ie 5.0, 5.01, 5.5 both 56-bit and 128-bit have been tested
>> openssl version 0.9.5a
>> modssl 2.6.6-1.3.12
>
> There is no version 2.6.6 of mod_ssl (yet), perhaps you mean 2.6.5? No IE browsers work at all? Did you build from source, or are you using RPMs? If using RPMs, have you tried building from source? Any additional modules built into the server? What platform are you running on?

- sorry, it is mod_ssl 2.6.5
- that's correct, no ie browsers work at all, check for yourself: minnesota.coinfotech.com
- This server was done from the rpms. I am scared to try and redo it from source because it's a pretty important server. Was hoping to find the problem and fix it.
- on this server I installed the asp modules the jserv modules the php modules and probably missing something.
- Running RH6.2

>> The ApacheSSL server works fine with Netscape Navigator version 4.08
>
> You mean mod_ssl server? (ApacheSSL is a different project)

Yes, that is what i mean, mod_ssl, sorry once again.

>>> What's your SSLLogLevel set to? Have you tried setting it higher and looking in the ssl_engine_log?
>>
>> Have not tried to set this higher, it is currently set to warn, i will set to debug as soon as i send this.
>
> I think we're going to need some of this debugging info, you may want to try info or trace before debug, we don't want to get _too_ much information if we don't need it.

well, i tried to access it a couple of times with it set to debug mode, and found nothing in the error_log-ssl file or for any other log for that matter except for some talking about when i accessed it via the http site which is normal. Any ideas?

> -Dave
Re: msie AGAIN
David,

I stand corrected, I have downloaded the source for 2.6.5 but have not installed it yet. I currently have the rpm of 2.6.2 for mod_ssl

----- Original Message -----
From: "Jeff Gelina" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 6:27 PM
Subject: Re: msie AGAIN

Hey David, comments below:

----- Original Message -----
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 6:11 PM
Subject: RE: msie AGAIN

>>> What versions of IE (4.0, 5.0 5.01, 5.5?) and security levels (40-bit, 56-bit, 128bit?) are affected besides 5.5? All of them? What version of mod_ssl and openssl are you running?
>>
>> ie 5.0, 5.01, 5.5 both 56-bit and 128-bit have been tested
>> openssl version 0.9.5a
>> modssl 2.6.6-1.3.12
>
> There is no version 2.6.6 of mod_ssl (yet), perhaps you mean 2.6.5? No IE browsers work at all? Did you build from source, or are you using RPMs? If using RPMs, have you tried building from source? Any additional modules built into the server? What platform are you running on?

- sorry, it is mod_ssl 2.6.5
- that's correct, no ie browsers work at all, check for yourself: minnesota.coinfotech.com
- This server was done from the rpms. I am scared to try and redo it from source because it's a pretty important server. Was hoping to find the problem and fix it.
- on this server I installed the asp modules the jserv modules the php modules and probably missing something.
- Running RH6.2

>> The ApacheSSL server works fine with Netscape Navigator version 4.08
>
> You mean mod_ssl server? (ApacheSSL is a different project)

Yes, that is what i mean, mod_ssl, sorry once again.

>>> What's your SSLLogLevel set to? Have you tried setting it higher and looking in the ssl_engine_log?
>>
>> Have not tried to set this higher, it is currently set to warn, i will set to debug as soon as i send this.
>
> I think we're going to need some of this debugging info, you may want to try info or trace before debug, we don't want to get _too_ much information if we don't need it.

well, i tried to access it a couple of times with it set to debug mode, and found nothing in the error_log-ssl file or for any other log for that matter except for some talking about when i accessed it via the http site which is normal. Any ideas?

> -Dave
RE: msie AGAIN
> I stand corrected, I have downloaded the source for 2.6.5 but have not installed it yet. I currently have the rpm of 2.6.2 for mod_ssl

OK, If you want to avoid compiling yourself, get the rpm for mod_ssl 2.6.5 and install that, first. Then we'll start the trouble shooting process again.

-Dave
Re: msie AGAIN
David,

Do you know where that rpm is, there is no rpm at www.rpm.org nor can i find anything at www.modssl.org. Is there even one?

Jeff Gelina

----- Original Message -----
From: "David Rees" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 14, 2000 6:49 PM
Subject: RE: msie AGAIN

> I stand corrected, I have downloaded the source for 2.6.5 but have not installed it yet. I currently have the rpm of 2.6.2 for mod_ssl

OK, If you want to avoid compiling yourself, get the rpm for mod_ssl 2.6.5 and install that, first. Then we'll start the trouble shooting process again.

-Dave
Re: msie AGAIN
On Fri, Jul 14, 2000 at 07:28:12PM -0600, Jeff Gelina wrote:
> Do you know where that rpm is, there is no rpm at www.rpm.org nor can i find anything at www.modssl.org. Is there even one?

You didn't look very hard, did you? :-)

http://www.modssl.org/contrib/

-Dave
RE: msie AGAIN
I installed Netscape 4.72 on Redhat and it gave me 128bit encryption immediately. I've also read a statement from Netscape regarding version 4.72 support for 128bit encryption, although I cannot remember where at the moment.

I'll try to find it and get back to you, because if I'm right then Netscape is messing everyone about. This stuff is hard enough as it is!

John

-----Original Message-----
From: James H. Cloos Jr. [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 18:58
To: [EMAIL PROTECTED]
Subject: Re: msie AGAIN

"John" == Airey, John [EMAIL PROTECTED] writes:

John> You will find that all versions of Netscape since 4.72 support
John> 128bit encryption out of the box.

No. They still make you go through loops to get the 128bit version, while the export version (56 now?) is readily available.

Seven (nine now?) countries and all.

(Or at least they did as of when 4.73 was first released)

-JimC
--
James H. Cloos, Jr. http://jhcloos.com/public_key 1024D/ED7DAEA6
[EMAIL PROTECTED] E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Is this post worth two cents? Then goto http://2cw.org/23!
msie AGAIN
ok, microsoft really Pis___ me off! Why can't they do anything right? Enough of that, I'm just venting a little.

Anyway, I've spent the last two days trouble shooting this msie5x problem with https. I've read and reread the manual and the FAQ. As well as searched for hours on the mailing lists. I have found many things to try, like CipherSuite entries and SSLProtocol. But I have still been unable to resolve the problem. As you can see from my configuration file I have tried many many things.

The server that is giving me problems was the first apache server I did (I used the rpms from RedHat 6.2 apachessl server and loaded all the add on rpms that came with it). Please don't tell me to reinstall not using the rpms, it is not an option on this server, and yes I have stopped using those freaking rpms.

Anyway, could anyone please tell me what I got to do in my httpd.conf file to get msie to view my https server pages. Oh, I have tried to view the https pages with ie5.0, 5.01, 5.5 both 40 and 128 bit encryption and none of them work. I can view the non-https pages just fine all versions of msie, and Netscape will view everything including the https pages just fine (Ahh, long live Netscape.)

Thanks ahead of time for your thoughts on this problem of mine.

Jeff Gelina

P.S. Sorry for pasting the whole darn thing here, but wanted to make sure you had it all to look at.

    #
    # Based upon the NCSA server configuration files originally by Rob McCool.
    #
    # This is the main Apache server configuration file. It contains the
    # configuration directives that give the server its instructions.
    # See <URL:http://www.apache.org/docs/> for detailed information about
    # the directives.
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned.
    #
    # After this file is processed, the server will look for and process
    # /etc/httpd/conf/srm.conf and then /etc/httpd/conf/access.conf
    # unless you have overridden these with ResourceConfig and/or
    # AccessConfig directives here.
    #
    # The configuration directives are grouped into three basic sections:
    # 1. Directives that control the operation of the Apache server process as a
    # whole (the 'global environment').
    # 2. Directives that define the parameters of the 'main' or 'default' server,
    # which responds to requests that aren't handled by a virtual host.
    # These directives also provide default values for the settings
    # of all virtual hosts.
    # 3. Settings for virtual hosts, which allow Web requests to be sent to
    # different IP addresses or hostnames and have them handled by the
    # same Apache server process.
    #
    # Configuration and logfile names: If the filenames you specify for many
    # of the server's control files begin with "/" (or "drive:/" for Win32), the
    # server will use that explicit path. If the filenames do *not* begin
    # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
    # with ServerRoot set to "/usr/local/apache" will be interpreted by the
    # server as "/usr/local/apache/logs/foo.log".
    #

    ### Section 1: Global Environment
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests it can handle or where it
    # can find its configuration files.
    #

    #
    # ServerType is either inetd, or standalone. Inetd mode is only supported on
    # Unix platforms.
    #
    ServerType standalone

    #
    # ServerRoot: The top of the directory tree under which the server's
    # configuration, error, and log files are kept.
    #
    # NOTE! If you intend to place this on an NFS (or otherwise network)
    # mounted filesystem then please read the LockFile documentation
    # (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
    # you will save yourself a lot of trouble.
    #
    # Do NOT add a slash at the end of the directory path.
    #
    ServerRoot /etc/httpd

    #
    # The LockFile directive sets the path to the lockfile used when Apache
    # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
    # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
    # its default value. The main reason for changing it is if the logs
    # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
    # DISK. The PID of the main server process is automatically appended to
    # the filename.
    #
    #LockFile /var/lock/httpsd.lock

    #
    # PidFile: The file in which the server should record its process
    # identification number when it starts.
    #
    PidFile /var/run/httpsd.pid

    #
    # ScoreBoardFile: File used to store internal server process information.
    # Not all architectures require this. But if yours does (you'll know because
    # this file will be created when you run Apache) then you *must* ensure that
    # no two invocations of Apache share the same scoreboard file.
    #
    ScoreBoardFile /var/run/httpsd.scoreboard

    #
    # In the standard configuration, the server will process this file,
    # srm.conf, and access.conf in that order. The latter two files are
    # now distributed empty,
RE: msie AGAIN
You will find that all versions of Netscape since 4.72 support 128bit encryption out of the box.

- John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

-----Original Message-----
From: Filip Van Laenen [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 08:51
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN

Hi,

While on the subject, is there an export version of Netscape with 128 bit encryption?

I had a problem similar to yours, but later found out that it was because MSIE doesn't support IDEA, while I was telling the server that it should only accept that algorithm. The thing that made me angry is that the browser just hangs or gives you a stupid message telling it cannot connect, instead of just telling the truth, namely that it couldn't produce the correct cipher for the server. They must be explicitly hiding that message in MSIE...

Best regards,

Filip
--
Filip van Laenen [EMAIL PROTECTED] ([EMAIL PROTECTED])
Senior Knowledge Engineer, Computas, http://www.computas.com
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 4:57 AM
To: [EMAIL PROTECTED]
Subject: msie AGAIN

ok, microsoft really Pis___ me off! Why can't they do anything right? Enough of that, I'm just venting a little.

Anyway, I've spent the last two days trouble shooting this msie5x problem with https. I've read and reread the manual and the FAQ. As well as searched for hours on the mailing lists. I have found many things to try, like CipherSuite entries and SSLProtocol. But I have still been unable to resolve the problem. As you can see from my configuration file I have tried many many things.

The server that is giving me problems was the first apache server I did (I used the rpms from RedHat 6.2 apachessl server and loaded all the add on rpms that came with it). Please don't tell me to reinstall not using the rpms, it is not an option on this server, and yes I have stopped using those freaking rpms.

Anyway, could anyone please tell me what I got to do in my httpd.conf file to get msie to view my https server pages. Oh, I have tried to view the https pages with ie5.0, 5.01, 5.5 both 40 and 128 bit encryption and none of them work. I can view the non-https pages just fine all versions of msie, and Netscape will view everything including the https pages just fine (Ahh, long live Netscape.)

Thanks ahead of time for your thoughts on this problem of mine.

Jeff Gelina

P.S. Sorry for pasting the whole darn thing here, but wanted to make sure you had it all to look at.

Royal National Institute for the Blind
Registered charity number 226227.
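Filip's report quoted above (a server told to accept only IDEA, a browser that does not offer it, and no useful error) comes down to an empty intersection between the cipher-suite list in the ClientHello and the list the server allows. The following is an added example, not code from the thread or from mod_ssl: it parses a constructed ClientHello and returns either the chosen suite or the handshake_failure alert together with the reason the browser never displayed. The function names and the sample client list are assumptions for illustration.

```python
import struct

# Cipher-suite code points from the SSLv3 / TLS 1.0 (RFC 2246) registry,
# keyed by their OpenSSL names.
SUITE_IDS = {
    "EXP-RC4-MD5": 0x0003,
    "RC4-MD5": 0x0004,
    "RC4-SHA": 0x0005,
    "EXP-RC2-CBC-MD5": 0x0006,
    "IDEA-CBC-SHA": 0x0007,
    "DES-CBC-SHA": 0x0009,
    "DES-CBC3-SHA": 0x000A,
}
SUITE_NAMES = {code: name for name, code in SUITE_IDS.items()}
HANDSHAKE_FAILURE = 40  # alert description sent when no suite is acceptable


def build_client_hello(version, suite_names):
    """Build a minimal, unfragmented ClientHello record (constructed input)."""
    suites = b"".join(struct.pack("!H", SUITE_IDS[n]) for n in suite_names)
    body = (bytes(version) + bytes(32) + b"\x00"   # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, [cipher suite ids]) from one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if rec_len != body_len + 4 or len(body) != body_len or body_len < 35:
        raise ValueError("truncated or inconsistent ClientHello")
    version = (body[0], body[1])
    pos = 34                                  # skip client_version + random
    pos += 1 + body[pos]                      # skip session_id
    if pos + 2 > body_len:
        raise ValueError("missing cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > body_len:
        raise ValueError("bad cipher_suites length")
    ids = [struct.unpack("!H", body[i:i + 2])[0]
           for i in range(pos, pos + cs_len, 2)]
    return version, ids


def negotiate(record, server_suites):
    """Server side of suite selection for one ClientHello.

    Simplification: walks the client's list in the order offered (a server
    may apply its own order instead; the failure case is the same).
    Returns ("server_hello", name), or ("alert", HANDSHAKE_FAILURE, reason)
    when the two lists are disjoint.
    """
    _, offered = parse_client_hello(record)
    allowed = {SUITE_IDS[name] for name in server_suites}
    for code in offered:
        if code in allowed:
            return ("server_hello", SUITE_NAMES[code])
    offered_names = [SUITE_NAMES.get(c, "0x%04X" % c) for c in offered]
    reason = "no shared cipher: client offered %s; server allows %s" % (
        ", ".join(offered_names), ", ".join(server_suites))
    return ("alert", HANDSHAKE_FAILURE, reason)


# Constructed sample: a client that offers no IDEA suite, standing in for the
# MSIE behaviour described in the thread (not a captured browser hello).
CLIENT_WITHOUT_IDEA = build_client_hello(
    (3, 0), ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "DES-CBC-SHA",
             "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"])

if __name__ == "__main__":
    for server in (["IDEA-CBC-SHA"],
                   ["IDEA-CBC-SHA", "DES-CBC3-SHA", "RC4-SHA"]):
        print(server, "->", negotiate(CLIENT_WITHOUT_IDEA, server))
```

On the server side the same mismatch is what a raised SSLLogLevel would be expected to surface in the ssl_engine_log, which is why the log is the place to look when the browser only reports that it cannot connect.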
RE: msie AGAIN
I have version 4.73 installed, and it says this in the 'About':

--
This version supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC.
--

I find that sentence a bit cryptic (sorry, but I'm not a native speaker): does it mean that it supports those ciphers only in the US? I'm sitting in Norway, and the version I'm running here cannot connect to an SSL-webserver if I don't open the server for ciphers with 40 bit key lengths (or less).

Filip
--
Filip van Laenen [EMAIL PROTECTED] ([EMAIL PROTECTED])
Senior Knowledge Engineer, Computas, http://www.computas.com
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01

-----Original Message-----
From: Airey, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 11:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN

You will find that all versions of Netscape since 4.72 support 128bit encryption out of the box.

- John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
RE: msie AGAIN
Try visiting http://www.fortify.net/sslcheck.html and see what it says. This page will negotiate the highest security and state it. For example, using IE5.01 SP1 I get RC4 128bit.

At first glance it appears you are not afflicted with export restricted ciphers, so it should be OK.

- John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

-----Original Message-----
From: Filip Van Laenen [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 11:21
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN

I have version 4.73 installed, and it says this in the 'About':

--
This version supports U.S. security with RSA Public Key Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC.
--

I find that sentence a bit cryptic (sorry, but I'm not a native speaker): does it mean that it supports those ciphers only in the US? I'm sitting in Norway, and the version I'm running here cannot connect to an SSL-webserver if I don't open the server for ciphers with 40 bit key lengths (or less).

Filip
--
Filip van Laenen [EMAIL PROTECTED] ([EMAIL PROTECTED])
Senior Knowledge Engineer, Computas, http://www.computas.com
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01
Re: msie AGAIN
"John" == Airey, John [EMAIL PROTECTED] writes:

John> You will find that all versions of Netscape since 4.72 support
John> 128bit encryption out of the box.

No. They still make you go through loops to get the 128bit version, while the export version (56 now?) is readily available.

Seven (nine now?) countries and all.

(Or at least they did as of when 4.73 was first released)

-JimC
--
James H. Cloos, Jr. http://jhcloos.com/public_key 1024D/ED7DAEA6
[EMAIL PROTECTED] E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Is this post worth two cents? Then goto http://2cw.org/23!