Hi folks

The WIN32 mod_ssl has a serious problem with SGC certificates, in that
browsers which try to "Step Up" can't successfully handshake.

For example, Netscape 4.7 bails out with "A network error occurred while Netscape
was receiving data.". IE 4.0 has a similar problem and can't connect.

I built that version myself according to the instructions with the newest
packages (Apache 1.3.12 modssl/2.6.6 OpenSSL/0.9.5a). Up to now that version
worked OK, but before I only used test certificates without SGC.

The same problem happened with an older version which I built some months ago
(Apache 1.3.9 mod_ssl/2.4.3 OpenSSL/0.9.4).

A glimpse at mod_ssl's log file shows:

[23/Aug/2000 09:05:13 00306] [info]  Connection: Client IP: 192.168.12.133, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Handshake: start
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: before accept initialization
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 read client hello A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write server hello A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write certificate A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write server done A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 flush data
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[23/Aug/2000 09:05:14 00306] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[23/Aug/2000 09:05:14 00306] [trace] OpenSSL: Exit: error in SSLv3 read certificate verify A
[23/Aug/2000 09:05:14 00306] [info]  Connection to child 0 closed with standard shutdown

This error is not related to the 56 bit problem that MSIE has. The same also
happens with older Netscape browsers that connect with 40 bit.

When debug is turned on as well, it shows that there are some I/O errors. Most of
them seem not to be critical, but the last one seems to force the error.

[...]
[23/Aug/2000 09:03:17 00294] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[23/Aug/2000 09:03:17 00294] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#007C0F90 [mem: 00CA21E8]
[23/Aug/2000 09:03:17 00294] [trace] OpenSSL: Exit: error in SSLv3 read certificate verify A
[23/Aug/2000 09:03:17 00294] [info]  Connection to child 0 closed with standard shutdown (server asp.subito.de:443, client 192.168.12.133)

This only happens with the Step Up handshake. When I use a test certificate
without the SGC bit everything works well. Also, newer browsers that don't need
to Step Up don't have a problem with the certificate with SGC.

I compared this to an Apache+mod_ssl running under Solaris, and there everything
works well. Also, the debug log shows no I/O errors.

Any hints?

Greetings, Richard
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
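As an added example (not part of Richard's post, and not mod_ssl code), here is a small Python script that parses mod_ssl trace lines of the kind quoted above, groups them per connection id (the 00306 / 00294 field), and reports handshakes that were closed without reaching a "Handshake: done" line, together with the last handshake state reached, the "Exit: error in ..." entries and any "I/O error, N bytes expected" short reads. Having this summary per connection makes it easy to see, across a whole log, whether every failure stalls at the same state and cipher (as the step-up connections in the post do) or whether the failures are scattered. The sample log is constructed from the lines in the post plus an invented successful connection (00310) for contrast; the exact wording of the "Handshake: done" message and the "closed without done means failed" heuristic are assumptions.

```python
import re

# Constructed sample: connection 00306 is modelled on the trace in the post;
# connection 00310 is invented to show what a completed handshake looks like.
SAMPLE_LOG = """\
[23/Aug/2000 09:05:13 00306] [info]  Connection: Client IP: 192.168.12.133, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Handshake: start
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: before accept initialization
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 read client hello A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write server hello A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write certificate A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 write server done A
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Loop: SSLv3 flush data
[23/Aug/2000 09:05:13 00306] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[23/Aug/2000 09:05:14 00306] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[23/Aug/2000 09:05:14 00306] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#007C0F90 [mem: 00CA21E8]
[23/Aug/2000 09:05:14 00306] [trace] OpenSSL: Exit: error in SSLv3 read certificate verify A
[23/Aug/2000 09:05:14 00306] [info]  Connection to child 0 closed with standard shutdown
[23/Aug/2000 09:06:02 00310] [info]  Connection: Client IP: 192.168.12.140, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Handshake: start
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Loop: SSLv3 read client hello A
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Loop: SSLv3 write server done A
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Loop: SSLv3 read finished A
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Loop: SSLv3 write finished A
[23/Aug/2000 09:06:02 00310] [trace] OpenSSL: Handshake: done
[23/Aug/2000 09:06:05 00310] [info]  Connection to child 1 closed with standard shutdown
"""

# "[dd/Mon/yyyy hh:mm:ss <conn-id>] [level] <message>"
LINE_RE = re.compile(r'^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<conn>\d+)\] '
                     r'\[(?P<level>\w+)\]\s+(?P<msg>.*)$')
CONN_RE = re.compile(r'^Connection: Client IP: (?P<ip>[\d.]+), Protocol: (?P<proto>\S+), '
                     r'Cipher: (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)$')
LOOP_RE = re.compile(r'^OpenSSL: Loop: (?P<state>.+)$')
EXIT_RE = re.compile(r'^OpenSSL: Exit: (?:error|failed) in (?P<state>.+)$')
IO_RE = re.compile(r'^OpenSSL: I/O error, (?P<n>\d+) bytes expected to read on (?P<bio>BIO#[0-9A-Fa-f]+)')
DONE_MSG = 'OpenSSL: Handshake: done'   # assumed wording of the success marker


def parse_line(line):
    """Split one mod_ssl log line into timestamp, connection id, level, message."""
    m = LINE_RE.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None


def summarize(text):
    """Group trace lines per connection id and record the handshake progress."""
    conns = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        c = conns.setdefault(rec['conn'], {
            'client': None, 'proto': None, 'cipher': None, 'bits': None,
            'states': [], 'exit_errors': [], 'io_errors': [],
            'done': False, 'closed': False})
        msg = rec['msg']
        m = CONN_RE.match(msg)
        if m:
            c.update(client=m['ip'], proto=m['proto'], cipher=m['cipher'], bits=m['bits'])
            continue
        m = LOOP_RE.match(msg)
        if m:
            c['states'].append(m['state'])
            continue
        m = EXIT_RE.match(msg)
        if m:
            c['exit_errors'].append(m['state'])
            continue
        m = IO_RE.match(msg)
        if m:
            c['io_errors'].append((int(m['n']), m['bio']))
            continue
        if msg == DONE_MSG:
            c['done'] = True
        elif msg.startswith('Connection to child'):
            c['closed'] = True
    for c in conns.values():
        c['last_state'] = c['states'][-1] if c['states'] else None
    return conns


def failed_handshakes(conns):
    """Heuristic (assumption): a connection closed without 'Handshake: done' failed."""
    return sorted(cid for cid, c in conns.items() if c['closed'] and not c['done'])


def describe(conn_id, c):
    """One-line report for a connection: client, cipher, last state, errors."""
    parts = ['%s: client %s, %s cipher %s (%s bits)'
             % (conn_id, c['client'], c['proto'], c['cipher'], c['bits'])]
    parts.append("last state '%s'" % c['last_state'])
    if c['exit_errors']:
        parts.append('exit errors: ' + '; '.join(c['exit_errors']))
    if c['io_errors']:
        parts.append('short reads: ' + ', '.join('%d bytes on %s' % e for e in c['io_errors']))
    return ' | '.join(parts)


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    for cid in failed_handshakes(report):
        print(describe(cid, report[cid]))
```

Run against a real mod_ssl log with LogLevel trace or debug, the script prints one line per failed connection; if every reported line shows the same cipher and the same last state, the failure is systematic for that client path rather than random network trouble.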
