Folks,

Some more info about the problem:

1) William's suggestion (see below) worked -- not sure why, but it did.
But, as you could imagine, it's not feasible to tell all your customers to
perform this step prior to accessing your site -- especially when other
websites work just fine! ;->.

2) The cert is a Verisign Global ID (i.e. SGC).  Found some info on
Verisign's pages with respect to there being a problem when the CN in the
cert doesn't match the machine name when using an SGC cert (which it didn't).

So, I tried the following:

A) Create two new SGC certs using the gid-cert.sh from modssl -- one that
matched the server name, and one which didn't.  After installing each of
those, I found that IE worked fine with both self generated certs, and the
Verisign cert still failed.

B) Dumped all certificates involved (i.e. Verisign, My SGC w/name correct,
and My SGC w/name incorrect).  I found that the Verisign cert was quite
different from the ones I created using gid-cert.sh.  Here is the dump of
the Verisign cert:

[SNIP]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            2.5.29.3:
                0...0...0..
..`.H...E....0.......This certificate incorporates by reference, and its use
is strictly subject to, the VeriSign Certification Practice Statement (CPS),
available at: https://www.verisign.com/CPS; by E-mail at
[EMAIL PROTECTED]; or by mail at VeriSign, Inc., 2593 Coast Ave.,
Mountain View, CA 94043 USA Tel. +1 (415) 961-8830 Copyright (c) 1996
VeriSign, Inc.  All Rights Reserved. CERTAIN WARRANTIES DISCLAIMED and
LIABILITY
LIMITED.....`.H...E.........`.H...E.....0,0*.(https://www.verisign.com/repos
itory/CPS
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
            2.16.840.1.113733.1.6.7:
                . 747682e5ac6afd90000dce1635ddc3b3
    Signature Algorithm: md5WithRSAEncryption
[SNIP]

Here is the dump of my SGC cert:

[SNIP]
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:root@foobar
            X509v3 Basic Constraints:
                CA:FALSE, pathlen:0
            Netscape Comment:
                mod_ssl generated custom server certificate
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                Microsoft Server Gated Crypto, Netscape Server Gated Crypto
    Signature Algorithm: md5WithRSAEncryption
[SNIP]

The major differences are that the Verisign cert does NOT have the Microsoft
SGC extension, it does NOT have the pathlen as part of the X509v3 Basic
Constraints, it does have an additional extension (oid:2.5.29.3) which seems
to be a disclaimer, and it does have an additional extension
(oid:2.16.840.1.113733.1.6.7) which seems to be the MD5 hash of 'something'.

Does anyone know what these oids are?  And, how to add them to the test
certs (i.e. by modifying the gid-cert.sh script)?

One additional test I ran was to create an SGC cert without the Microsoft SGC
flag (i.e. only the Netscape SGC), but it made no difference whatsoever.

So, I'm still back where I started, which is trying to figure out why IE
can't connect.  (And now I also want to know why trying William's workaround
below fixes the problem!!!!!!!!)

- Bob
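As an added example (not code from the thread or from mod_ssl), a pure-Python DER walker that lists the extension OIDs of the kind shown in the dumps above and expands extKeyUsage so the Netscape and Microsoft SGC purposes can be compared; the OID names in the table are the standard assignments (2.5.29.3 is the obsolete 1993 certificatePolicies OID, which is why OpenSSL prints it raw), and the sample blob is constructed rather than taken from either certificate.

```python
# Added example (not from the thread or mod_ssl): name the OIDs in a DER Extensions blob.
KNOWN_OIDS = {
    "2.5.29.3": "certificatePolicies (obsolete 1993 OID; OpenSSL prints it raw)",
    "2.5.29.19": "basicConstraints",
    "2.5.29.37": "extKeyUsage",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
}

def iter_tlv(buf):                               # yield (tag, value) per DER element
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: low 7 bits = byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    arcs[:1] = [2, arcs[0] - 80] if arcs[0] >= 80 else divmod(arcs[0], 40)  # arcs 1+2
    return ".".join(map(str, arcs))

def list_extensions(der):
    """Return {oid: (name, critical, detail)}; detail is the purpose list for EKU."""
    out = {}
    _, seq = next(iter_tlv(der))                 # outer SEQUENCE OF Extension
    for _, ext in iter_tlv(seq):
        fields = list(iter_tlv(ext))             # extnID [critical] extnValue
        oid = decode_oid(fields[0][1])
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        detail = fields[-1][1]                   # raw extnValue for most extensions
        if oid == "2.5.29.37":                   # extnValue is SEQUENCE OF KeyPurposeId
            _, kp = next(iter_tlv(detail))
            detail = [KNOWN_OIDS.get(decode_oid(v), decode_oid(v))
                      for _, v in iter_tlv(kp)]
        out[oid] = (KNOWN_OIDS.get(oid, "unknown OID"), critical, detail)
    return out

# Constructed sample (not either dumped cert): critical basicConstraints, then EKU with both SGC OIDs.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3030 300c 0603551d13 0101ff 04023000"      # outer SEQ; 2.5.29.19, TRUE, SEQ {}
    "3020 0603551d25 0419 3017"                  # 2.5.29.37, OCTET STRING, SEQ
    "0609 6086480186f8420401 060a 2b060104018237 0a0303"   # Netscape SGC, Microsoft SGC
)
```

Feed it the DER of a real certificate's extensions (e.g. extracted with an ASN.1 dumper) and any OID not in the table comes back as "unknown OID" with its raw value, which is exactly the case of the two VeriSign-specific extensions in the dump.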

> -----Original Message-----
> From: Wallace, William [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 27, 2000 10:17 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: MSIE *Again*
> 
> 
> Does changing the "Check for server certificate revocation (requires
> restart)" advanced security setting in IE change the behavior?
> 
> > -----Original Message-----
> > From: Burns, Robert [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 26, 2000 10:38 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: MSIE *Again*
> > 
> > 
> > Folks,
> > 
> > I believe I'm experiencing the same MSIE problems that
> > have been discussed on this list over the past few weeks,
> > but with a little more information.  Perhaps it will help.
> > 
> > I'm running Apache 1.3.12 + modssl 2.6.4 + openssl 0.9.5a on 
> > an UltraSparc 10 + Solaris7.
> > 
> > First, I created a dummy certificate (i.e. signed by Snake-Oil CA)
> > and everything works just fine.  Both IE and Netscape connect
> > without incident.
> > 
> > Next, I generated new keys and got a Verisign certificate.
> > I installed this certificate (along with the intermediate certificate)
> > and that's when things started breaking for IE only.  Netscape will
> > connect just fine, but IE gives that 'very informative' error screen.
> > 
> > Here is the tail end of the log with debug turned on:
> > 
> > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 67/67 bytes to BIO#0014D048 [mem: 001749F0] (BIO dump follows)
> > +-------------------------------------------------------------------------+
> > | 0000: 14 03 00 00 01 01 16 03-00 00 38 7c 9b f8 cc 94  ..........8|.... |
> > | 0010: 73 0a b9 2b e8 ec 32 91-c2 88 86 52 2b d6 f3 12  s..+..2....R+... |
> > | 0020: 8c 67 0d 7a f9 c2 0c 1e-4c c8 6d 7a 95 3e 21 d9  .g.z....L.mz.>!. |
> > | 0030: 02 16 c0 7d 94 4d 47 7d-70 49 9a 4c d6 db 82 c9  ...}.MG}pI.L.... |
> > | 0040: 72 09 17                                         r..              |
> > +-------------------------------------------------------------------------+
> > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Loop: SSLv3 flush data
> > [26/Jul/2000 09:55:20 27052] [trace] Inter-Process Session Cache: request=SET status=OK id=460730715DA5C519241676A466979A8EC3B3813DC8A8803C81BCA4658A094BD8 timeout=299s (session caching)
> > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Handshake: done
> > [26/Jul/2000 09:55:20 27052] [info]  Connection: Client IP: 192.168.8.109, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: read 0/18437 bytes from BIO#0014D048 [mem: 001675C8] (BIO dump follows)
> > +-------------------------------------------------------------------------+
> > +-------------------------------------------------------------------------+
> > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 23/23 bytes to BIO#0014D048 [mem: 0016FDD8] (BIO dump follows)
> > +-------------------------------------------------------------------------+
> > | 0000: 15 03 00 00 12 d4 c5 65-6a a4 01 3f bd 11 49 75  .......ej..?..Iu |
> > | 0010: 12 43 94 83 8f 2c a5                             .C...,.          |
> > +-------------------------------------------------------------------------+
> > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Write: SSL negotiation finished successfully
> > [26/Jul/2000 09:55:20 27052] [info]  Connection to child 1 closed with standard shutdown (server 192.168.8.84:443, client 192.168.8.109)
> > 
> > It appears from the line above (read 0/18437 bytes from...) that IE
> > shut down the TCP/IP connection, forcing the SSL connection to be closed by
> > the server.  The question is, why does IE shut down the connection, but
> > Netscape continues on without problem?
> > 
> > I'm going to try to sniff the TCP line to see what is actually happening,
> > but until then, any additional insight would be helpful.
> > 
> > Thanks,
> > 
> > - Bob
> > 
> > ------------------------------------------------------
> > Bob Burns                                        Zaxus
> > [EMAIL PROTECTED]           1-888-744-4976, X6510
> >                                 (local) 1-954-846-6510
> > ------------------------------------------------------ 
> > 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]