Sorry Robert,

I don't have any explanation. I discovered the same problem mid-June and
have only just got around to investigating it.

I've done the same SSL log analysis as you and a packet trace as well. At
the packet level what happens is as soon as the handshake completes IE
closes the connections (it sends a FIN).

It seems to only happen with the X509 v3 certificates from Verisign so
perhaps it's something to do with the x509 version or the fact that their v3
certificates have an additional certificate in the chain. I've seen similar
certificates work though with IE (but a different web server).


On a somewhat weird note, we both have famous Scottish names!


> -----Original Message-----
> From: Burns, Robert [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 27, 2000 10:33 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: MSIE *Again*
> 
> 
> William,
> 
> That *DID* work....do you happen to have any explanation as to why?
> 
> It doesn't make sense that having to turn on revocation checking would
> allow it to work?
> 
> Is this true for all Verisign certs?  If so, why do I not get that error
> when going to other sites with a Verisign cert using IE?
> 
> - Bob
> 
> > -----Original Message-----
> > From: Wallace, William [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 27, 2000 10:17 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: MSIE *Again*
> > 
> > 
> > Does changing the "Check for server certificate revocation (requires
> > restart)" advanced security setting in IE change the behavior?
> > 
> > > -----Original Message-----
> > > From: Burns, Robert [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, July 26, 2000 10:38 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: MSIE *Again*
> > > 
> > > 
> > > Folks,
> > > 
> > > I believe I'm experiencing the same MSIE problems that
> > > have been discussed on this list over the past few weeks,
> > > but with a little more information.  Perhaps it will help.
> > > 
> > > I'm running Apache 1.3.12 + modssl 2.6.4 + openssl 0.9.5a on 
> > > an UltraSparc 10 + Solaris7.
> > > 
> > > First, I created a dummy certificate (i.e. signed by Snake-Oil CA)
> > > and everything works just fine.  Both IE and Netscape connect
> > > without incident.
> > > 
> > > Next, I generated new keys and got a Verisign certificate.
> > > I installed this certificate (along with the intermediate certificate)
> > > and that's when things started breaking for IE only.  Netscape will
> > > connect just fine, but IE gives that 'very informative' error screen.
> > > 
> > > Here is the tail end of the log with debug turned on:
> > > 
> > > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 67/67 bytes to BIO#0014D048 [mem: 001749F0] (BIO dump follows)
> > > +-------------------------------------------------------------------------+
> > > | 0000: 14 03 00 00 01 01 16 03-00 00 38 7c 9b f8 cc 94  ..........8|.... |
> > > | 0010: 73 0a b9 2b e8 ec 32 91-c2 88 86 52 2b d6 f3 12  s..+..2....R+... |
> > > | 0020: 8c 67 0d 7a f9 c2 0c 1e-4c c8 6d 7a 95 3e 21 d9  .g.z....L.mz.>!. |
> > > | 0030: 02 16 c0 7d 94 4d 47 7d-70 49 9a 4c d6 db 82 c9  ...}.MG}pI.L.... |
> > > | 0040: 72 09 17                                         r..              |
> > > +-------------------------------------------------------------------------+
> > > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Loop: SSLv3 flush data
> > > [26/Jul/2000 09:55:20 27052] [trace] Inter-Process Session Cache: request=SET status=OK id=460730715DA5C519241676A466979A8EC3B3813DC8A8803C81BCA4658A094BD8 timeout=299s (session caching)
> > > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Handshake: done
> > > [26/Jul/2000 09:55:20 27052] [info]  Connection: Client IP: 192.168.8.109, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> > > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: read 0/18437 bytes from BIO#0014D048 [mem: 001675C8] (BIO dump follows)
> > > +-------------------------------------------------------------------------+
> > > +-------------------------------------------------------------------------+
> > > [26/Jul/2000 09:55:20 27052] [debug] OpenSSL: write 23/23 bytes to BIO#0014D048 [mem: 0016FDD8] (BIO dump follows)
> > > +-------------------------------------------------------------------------+
> > > | 0000: 15 03 00 00 12 d4 c5 65-6a a4 01 3f bd 11 49 75  .......ej..?..Iu |
> > > | 0010: 12 43 94 83 8f 2c a5                             .C...,.          |
> > > +-------------------------------------------------------------------------+
> > > [26/Jul/2000 09:55:20 27052] [trace] OpenSSL: Write: SSL negotiation finished successfully
> > > [26/Jul/2000 09:55:20 27052] [info]  Connection to child 1 closed with standard shutdown (server 192.168.8.84:443, client 192.168.8.109)
> > > 
> > > It appears that in the line above (read 0/18437 bytes from...) that IE
> > > shut down the TCP/IP connection, forcing the SSL connection to be
> > > closed by the server.  The question is, why does IE shut down the
> > > connection, but Netscape continued on without problem?
> > > 
> > > I'm going to try to sniff the TCP line to see what is actually
> > > happening, but until then, any additional insight would be helpful.
> > > 
> > > Thanks,
> > > 
> > > - Bob
> > > 
> > > ------------------------------------------------------
> > > Bob Burns                                        Zaxus
> > > [EMAIL PROTECTED]           1-888-744-4976, X6510
> > >                                 (local) 1-954-846-6510
> > > ------------------------------------------------------ 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
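
Added example, not part of the original thread: a small Python decoder for the mod_ssl BIO dumps quoted above, showing which SSL records the server wrote before and after IE closed the connection. Only the cleartext 5-byte record headers are decoded, since the record bodies are encrypted once ChangeCipherSpec has been sent; the function and variable names are this example's own.

```python
import re

# Constructed input: the two BIO dumps quoted in the log above, with the
# mail wrapping undone (the server's 67-byte and 23-byte writes).
FINISHED_WRITE = """\
| 0000: 14 03 00 00 01 01 16 03-00 00 38 7c 9b f8 cc 94  ..........8|.... |
| 0010: 73 0a b9 2b e8 ec 32 91-c2 88 86 52 2b d6 f3 12  s..+..2....R+... |
| 0020: 8c 67 0d 7a f9 c2 0c 1e-4c c8 6d 7a 95 3e 21 d9  .g.z....L.mz.>!. |
| 0030: 02 16 c0 7d 94 4d 47 7d-70 49 9a 4c d6 db 82 c9  ...}.MG}pI.L.... |
| 0040: 72 09 17                                         r..              |
"""
FINAL_WRITE = """\
| 0000: 15 03 00 00 12 d4 c5 65-6a a4 01 3f bd 11 49 75  .......ej..?..Iu |
| 0010: 12 43 94 83 8f 2c a5                             .C...,.          |
"""

# SSL/TLS record content types (first byte of every record header).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def dump_to_bytes(text):
    """Recover raw bytes from dump rows; tolerates '> ' quote prefixes."""
    out = bytearray()
    for line in text.splitlines():
        m = re.search(r"\| [0-9a-f]{4}: ", line)
        if not m:
            continue  # border lines, log lines, blanks
        # The hex column is fixed at 47 chars; slicing it off keeps the
        # ASCII column from being mistaken for hex digits.
        field = line[m.end():m.end() + 47]
        out += bytes.fromhex("".join(re.findall(r"[0-9a-f]{2}", field)))
    return bytes(out)

def record_headers(buf):
    """Walk a buffer of back-to-back records: (type, version, body length)."""
    recs, pos = [], 0
    while pos < len(buf):
        if pos + 5 > len(buf):
            raise ValueError("truncated record header at offset %d" % pos)
        length = int.from_bytes(buf[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(buf):
            raise ValueError("record body runs past end of dump")
        name = CONTENT_TYPES.get(buf[pos], "unknown(%d)" % buf[pos])
        recs.append((name, (buf[pos + 1], buf[pos + 2]), length))
        pos += 5 + length
    return recs

if __name__ == "__main__":
    for label, dump in (("67-byte write", FINISHED_WRITE),
                        ("23-byte write", FINAL_WRITE)):
        print(label, record_headers(dump_to_bytes(dump)))
```

The 67-byte write is a ChangeCipherSpec record followed by one encrypted handshake record (the server's Finished), and the 23-byte write that follows the zero-byte read is a single alert record, all at version 3.0 (SSLv3), which matches the "standard shutdown" line in the log.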
