On Wed, Aug 25, 1999, Graham Leggett wrote:

> I searched the mailing list archive and uncovered some problems in the
> past with this, but there doesn't seem to be any evidence of a solution.
> 
> I installed modssl into Apache by following the instructions inside
> INSTALL. The Apache server starts up without a problem. I point Netscape
> at my newly configured test SSL enabled virtual host using the default
> www.snakeoil.dom certificate. I expect to see a message from Netscape
> complaining that the cert isn't recognised as signed by a valid CA and
> that it doesn't match the servername, but instead I get an error message
> that Netscape cannot negotiate a common encryption algorithm.
> 
> [...]
>   SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> [...]
> An attempt to connect to the secure server using s_client looks like
> this:
> [...]
> New, TLSv1/SSLv3, Cipher is EDH-DSS-DES-CBC3-SHA
> [...]
> Does anyone have any idea what's wrong?

This cipher works only with a DSA server cert, and that's
what you're using:

| Certificate:
|     Data:
|         Version: 3 (0x2)
|         Serial Number: 21 (0x15)
|         Signature Algorithm: dsaWithSHA1
|         Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil [EMAIL PROTECTED]
|         Validity
|             Not Before: Feb 25 13:28:32 1999 GMT
|             Not After : Feb 25 13:28:32 2000 GMT
|         Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Webserver Team, [EMAIL PROTECTED]
|         Subject Public Key Info:
|             Public Key Algorithm: dsaEncryption
|             DSA Public Key:
|         X509v3 extensions:
|             Netscape Cert Type: 
|                 SSL Server
|     Signature Algorithm: dsaWithSHA1

So it's clear that you cannot connect with Netscape.  But... errrr.... why the
hell are people using the DSA certs?  You _HAVE_ to have pressed "D" or used
ALGO=DSA in the "make certificate" procedure, because otherwise the RSA snakeoil
cert is used, of course.

Can someone explain to me why people with the "no shared cipher" problem are
using DSA certs? Is there an error in one of our scripts, or why do they all
select the DSA certs?
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
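
Added example (not part of the original message, and not mod_ssl or OpenSSL code): a small Python model of why a DSA server certificate gives "no shared cipher" for a client that offers only RSA-authenticated suites, while s_client still negotiates EDH-DSS-DES-CBC3-SHA. The suite table and both client offer lists are constructed, and the RSA-only browser offer is an assumption based on the reply above.

```python
# Models only the authentication column ("Au=") that `openssl ciphers -v`
# prints for each suite. Constructed subset of SSLv3 suites, OpenSSL names.
SUITE_AUTH = {
    "EDH-RSA-DES-CBC3-SHA": "RSA",
    "EDH-DSS-DES-CBC3-SHA": "DSS",
    "DES-CBC3-SHA": "RSA",
    "RC4-SHA": "RSA",
    "RC4-MD5": "RSA",
    "EDH-DSS-DES-CBC-SHA": "DSS",
    "EXP-RC4-MD5": "RSA",
}
SERVER_SUITES = list(SUITE_AUTH)  # what the SSLCipherSuite line leaves enabled

# "Public Key Algorithm" of the server cert -> suite authentication type.
CERT_KEY_TO_AUTH = {"dsaEncryption": "DSS", "rsaEncryption": "RSA"}

# Constructed client offers (assumptions, in client preference order).
RSA_ONLY_BROWSER = ["RC4-MD5", "DES-CBC3-SHA", "EXP-RC4-MD5"]
OPENSSL_CLIENT = ["EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA",
                  "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]


def usable_by_server(server_suites, cert_key_algorithm):
    """Suites the server can actually complete with its certificate's key."""
    auth = CERT_KEY_TO_AUTH[cert_key_algorithm]
    return [s for s in server_suites if SUITE_AUTH[s] == auth]


def negotiate(server_suites, cert_key_algorithm, client_offer):
    """Return the chosen suite, or None for the 'no shared cipher' case.

    Uses client preference order: the first suite in the client's offer
    that the server has enabled and can authenticate with its key wins.
    """
    usable = set(usable_by_server(server_suites, cert_key_algorithm))
    for suite in client_offer:
        if suite in usable:
            return suite
    return None


if __name__ == "__main__":
    for key in ("dsaEncryption", "rsaEncryption"):
        for name, offer in (("browser", RSA_ONLY_BROWSER),
                            ("s_client", OPENSSL_CLIENT)):
            chosen = negotiate(SERVER_SUITES, key, offer)
            print(f"{key:14} {name:9} -> {chosen or 'no shared cipher'}")
```

The practical check on a real server is the "Public Key Algorithm" line of the installed certificate: if it reads dsaEncryption, every RSA-authenticated suite in SSLCipherSuite is unusable regardless of how the list is ordered.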
