Software: Netscape 3.0x browsers [English language], Apache 1.36 + openssl
0.92b + mod_ssl 2.2.7 and 2.2.8. Server running HP/UX 10.20.

On one of my servers, I can consistently get the following client browsers
to fail in establishing SSL connections. The message "The security library
has encountered a database error. You will probably be unable to connect
to this site securely" pops up in the browser:

Mac 3.01
Mac 3.04
NT 3.01
NT 3.04

The errors that occur on the server end are as follows:
>[10/May/1999 14:22:04] [error] SSL handshake failed (client 129.105.110.169, server www-gate.it-services.nwu.edu:443) (OpenSSL library error follows)
>[10/May/1999 14:22:04] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name!?]

The server cert name definitely matches, that's not the problem. And I
have no problems at all with Netscape 4.x browsers.

Another server, with identical software, works just fine with all browsers.
Both servers have certificates signed by Verisign. I've tried mod_ssl
versions 2.2.7 and 2.2.8, with identical results. Is there anything really
stupid I might have done in my configuration file?

Here's the certificate from the server that works:
># x509 -in ./server.crt -noout -text
>Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number:
> 3d:cc:e4:4f:7f:9c:82:0d:2c:22:75:c0:50:4c:7d:8d
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
> Validity
> Not Before: Feb 16 00:00:00 1999 GMT
> Not After : Feb 16 23:59:59 2000 GMT
> Subject: C=US, ST=Illinois, L=Evanston, O=Northwestern University, OU=Information Technology, CN=www-snap.it-services.nwu.edu
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:c2:11:40:19:11:13:fe:03:7a:95:d3:a1:a9:85:
> 30:c9:a3:1e:d0:54:4b:0e:8f:03:26:88:f9:dc:25:
> 1e:b2:8f:4a:39:31:d1:c7:92:5a:6a:68:3a:1c:de:
> 0a:34:17:89:b2:34:3c:f3:e2:34:de:21:01:c6:df:
> 16:66:be:74:8f:5f:56:c4:6b:0f:ed:7c:cc:7d:d3:
> 6f:14:74:7b:53:60:15:e4:82:0e:d2:44:46:0a:f4:
> e3:49:b5:89:5f:c2:fe:33:e6:d2:ab:bb:dd:e2:87:
> 71:87:77:bf:ba:95:0c:b7:bf:18:76:16:bc:6b:e8:
> 06:fd:a8:f6:93:e4:28:5e:9b
> Exponent: 65537 (0x10001)
> Signature Algorithm: md5WithRSAEncryption
> 82:9d:ca:bf:eb:bc:f2:b4:14:bf:cc:6c:46:94:e2:37:b3:91:
> 6b:5c:6d:48:a4:2a:51:59:af:0d:68:12:a6:99:10:6e:ee:e2:
> 4c:35:e7:a9:c7:e2:44:d4:b1:34:90:fa:a6:a9:69:8a:4c:ad:
> 50:6a:57:b5:d6:5a:cf:03:92:9e:ad:82:a5:8a:19:a6:82:12:
> 29:1b:e7:1d:cb:5d:b2:44:27:cd:17:5f:e4:49:6d:79:38:57:
> a2:37:e7:10:10:de:75:14:22:73:06:d1:a1:e4:34:e9:fe:dc:
> f0:6f:61:f1:de:84:68:84:d2:d3:9e:5b:9f:f4:3e:a8:1b
Here's the certificate from the server that doesn't seem to work:
># x509 -in ./server.crt -noout -text
>Certificate:
> Data:
> Version: 1 (0x0)
> Serial Number:
> 12:43:66:11:7d:d3:28:c6:9e:c0:cc:c3:5a:e1:f2:17
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
> Validity
> Not Before: Feb 12 00:00:00 1999 GMT
> Not After : Feb 12 23:59:59 2000 GMT
> Subject: C=US, ST=Illinois, L=Evanston, O=Northwestern University, OU=Information Technology, CN=www-gate.it-services.nwu.edu
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> 00:b7:ce:47:ca:bd:86:06:4f:22:81:2d:48:d9:0b:
> 1b:ba:ce:96:96:8c:4c:20:74:97:61:30:2a:f5:42:
> e9:33:61:9a:89:29:a4:62:60:9d:dc:0b:02:ed:b1:
> 7a:81:b1:18:83:18:97:7e:b5:96:ff:6b:2f:a0:06:
> 17:73:78:2a:a3:0b:59:2e:e0:63:76:11:a6:37:a1:
> 67:51:05:7a:21:03:bf:cb:e0:a1:fa:4e:6a:17:48:
> c8:4e:01:03:07:bb:24:fd:bb:a7:82:9a:a7:04:18:
> 77:d3:21:1d:e7:7c:3b:00:a3:3f:39:4e:96:a5:84:
> 3d:5c:b6:c8:66:5f:ad:cd:c3
> Exponent: 65537 (0x10001)
> Signature Algorithm: md5WithRSAEncryption
> 88:94:1c:96:ee:28:c5:79:ac:a4:9c:e5:47:fc:61:c0:c0:dd:
> 68:6d:4b:55:0f:d7:7e:a6:ff:81:f5:7a:6c:7f:eb:22:02:7c:
> 8a:f7:41:ad:cc:4b:df:6c:db:8b:46:11:14:04:c0:39:c9:28:
> 8a:84:cc:a6:1c:34:84:52:df:b4:7c:01:39:7e:cd:90:3f:d4:
> 31:60:67:5d:ec:12:02:50:8d:b0:d2:dd:1b:c1:b8:a0:94:a7:
> 8a:04:b7:d2:7c:a5:f1:0b:f9:e9:6d:1b:b5:c9:b7:57:90:11:
> ab:ee:a8:54:9b:cd:13:64:d0:94:77:94:9b:f5:39:c8:86
Any help is certainly appreciated!
--
Phil Tracy
Northwestern University, Evanston, IL USA
mailto:[EMAIL PROTECTED] http://dopey.at.nwu.edu/tracy/
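
An added example, not part of the original post: decoding the packed error code 14094412 from the log above shows that reason 1042 is alert 42 (bad_certificate) received from the peer, i.e. the browser sent the alert after rejecting something about the certificate. The bit layout and constants are those of OpenSSL releases before 3.0; the function names and the SAMPLE text (copied from the post's log lines) are this example's own.

```python
import re

# Layout of a packed error code in OpenSSL releases before 3.0:
# 8 bits library, 12 bits function, 12 bits reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 encode an alert received from the peer

# Handshake- and certificate-related alert descriptions from the SSLv3/TLS specs.
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split a packed OpenSSL (< 3.0) error code into its fields."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "peer_alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = alert
        info["alert_name"] = ALERTS.get(alert, "unknown")
    return info

def scan(log_text):
    """Return decoded fields for every OpenSSL error code found in the log."""
    text = " ".join(log_text.split())  # undo mail line wrapping
    return [decode(m.group(1)) for m in ERR_RE.finditer(text)]

# The two log lines from the post, with the mail wrapping left in place.
SAMPLE = """[10/May/1999 14:22:04] [error] SSL handshake failed (client
129.105.110.169, server www-gate.it-services.nwu.edu:443) (OpenSSL
library error follows)
[10/May/1999 14:22:04] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate"""

if __name__ == "__main__":
    for entry in scan(SAMPLE):
        print(entry)
```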