Hi all,
I'm having issues with mod_ssl and MSIE 5 on the
Macintosh. I've read through the FAQs and various
other sources of information and I cannot find a
good solution, so I was hoping someone on this list
might be able to help me.
The problem
-----------
The situation I'm encountering is that MSIE
on the Mac reports a "Security failure: Data decryption
error" when accessing my secure server. This server is
made up of:
apache-1.3.12, openssl-0.9.5a, mod_ssl-2.6.6-1.3.12
The OS is Linux 2.2.14-5.0 with a Red Hat 6.2 distribution.
The server reports:
[20/Sep/2000 22:15:38 04148] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Sep/2000 22:15:38 04148] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#08366A78 [mem: 0836C1C0]
[20/Sep/2000 22:15:38 04148] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[20/Sep/2000 22:15:38 04148] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[20/Sep/2000 22:15:38 04148] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[20/Sep/2000 22:15:38 04148] [error] System: Connection reset by peer (errno: 104)
Earlier on in the log for that request, the server reports:
[20/Sep/2000 22:15:35 04144] [info] Connection: Client IP: 192.168.1.120, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
What I have tried
-----------------
I have tried a variety of things to fix this, and the
only thing that works is adding:
SSLProtocol all -SSLv3
to the conf file. None of the CipherSuite commands
I have tried work. This includes the one from the
faq and the default conf:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
or
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
I have also tried disabling the RC4 ciphers, but the problem just occurs
with the next SSLv3 cipher that it used (I don't recall what
that one was).
I have also tried downgrading openssl to 0.9.4. This does
not fix the problem either.
I have also tried upgrading openssl to 0.9.6-beta2. This
does not fix the problem either.
I have also tried:
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
in the ssl/tls1.h file and recompiling. This does not
fix the problem either.
I also have:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
in the conf file, but this also does not help.
My questions
------------
Does anybody know how I can fix this problem?
What are the ramifications of disabling the SSLv3
protocol?
....
thanks in advance,
-rich
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
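
A triage helper for the mod_ssl log lines quoted in the message above, added here as an example (it is not part of the original post and not mod_ssl code). It rejoins entries wrapped by the mail client and reports, per server child PID, the negotiated protocol and cipher and the handshake state and errno at failure. The function names and regular expressions are this example's own; the log lines are taken from the post.

```python
import re
# Log lines taken from the post above, with the mail wrapping left in.
SAMPLE_LOG = """\
[20/Sep/2000 22:15:35 04144] [info] Connection: Client IP:
192.168.1.120, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[20/Sep/2000 22:15:38 04148] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Sep/2000 22:15:38 04148] [debug] OpenSSL: I/O error, 5 bytes
expected to read on BIO#08366A78 [mem: 0836C1C0]
[20/Sep/2000 22:15:38 04148] [trace] OpenSSL: Exit: error in SSLv3 read
client certificate A
[20/Sep/2000 22:15:38 04148] [error] SSL handshake interrupted by system
[Hint: Stop button pressed in browser?!] (System error follows)
[20/Sep/2000 22:15:38 04148] [error] System: Connection reset by peer
(errno: 104)
"""

ENTRY = re.compile(r"\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] (.*)")
CONN = re.compile(r"Client IP: (\S+), Protocol: (\S+), Cipher: (\S+) \((\d+)/(\d+) bits\)")
STATE = re.compile(r"OpenSSL: Exit: error in (.+)")
ERRNO = re.compile(r"\(errno: (\d+)\)")

def unwrap(text):
    """Rejoin wrapped lines: a line that does not open a '[date pid]' entry continues the previous one."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def triage(text):
    """Return (connections, failed handshakes), each keyed by server child PID."""
    conns, fails = {}, {}
    for entry in unwrap(text):
        m = ENTRY.fullmatch(entry)
        if not m:
            continue  # not a mod_ssl log entry
        _ts, pid, level, msg = m.groups()
        if (c := CONN.search(msg)):
            conns[pid] = {"ip": c[1], "protocol": c[2], "cipher": c[3], "bits": int(c[4])}
        elif (s := STATE.match(msg)):
            fails.setdefault(pid, {"state": None, "errno": None})["state"] = s[1]
        elif level == "error" and (e := ERRNO.search(msg)):
            fails.setdefault(pid, {"state": None, "errno": None})["errno"] = int(e[1])
    return conns, fails

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```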