If restarting Netscape doesn't help, then yes, you can't do it.  It's a bug
in Netscape.

-Dave

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of tc lewis
> Sent: Wednesday, February 21, 2001 7:02 PM
> To: [EMAIL PROTECTED]
> Subject: RE: confused about ca signing.
>
>
>
> so if i have 2 sites under the same second-level domain name, i can't
> switch back and forth between them in netscape without clearing the cert
> each time?
>
> that kind of sucks.
>
> -tcl.
>
>
> On Wed, 21 Feb 2001, David Rees wrote:
>
> > Are you using Netscape?
> >
> > Did you check the FAQ?
> >
> > http://www.modssl.org/docs/2.6/ssl_faq.html#ToC49
> >
> > -Dave
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of tc lewis
> > > Sent: Wednesday, February 21, 2001 6:52 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: confused about ca signing.
> > >
> > >
> > >
> > > furthermore, this seems to work fine if i test with 2 openssl s_client
> > > connections, so i'm guessing my browser is caching something improperly or
> > > something along those lines.  i don't know.  still looking for
> > > suggestions...
> > >
> > > -tcl.
> > >
> > >
> > > On Wed, 21 Feb 2001, tc lewis wrote:
> > >
> > > >
> > > > > perhaps i should add that i'm running both of these sites on the same
> > > > > ip, but on different ports, and with different instances of
> > > > > apache/modssl/openssl/mm, but they're both set up almost exactly the same.
> > > > >
> > > > > not sure if the same ip (even tho different ports) thing is meaningful.
> > > >
> > > > -tcl.
> > > >
> > > >
> > > > On Wed, 21 Feb 2001, tc lewis wrote:
> > > >
> > > > >
> > > > > hi.
> > > > >
> > > > > > i'm using apache 1.3.17 with modssl 2.8.0-1.3.17 and openssl 0.9.6 on
> > > > > > linux.  i'm having a problem using 2 apache servers serving 2 ssl areas
> > > > > > with certificates signed by the same self-made ca.
> > > > >
> > > > > in each's config i have:
> > > > > sslcertificatefile /web/corp/conf/ssl/server.crt
> > > > > sslcertificatekeyfile /web/corp/conf/ssl/server.key
> > > > >
> > > > > sslcertificatefile /web/eng/conf/ssl/server.crt
> > > > > sslcertificatekeyfile /web/eng/conf/ssl/server.key
> > > > >
> > > > > > the csrs and keys for each of these sites are different, but they were
> > > > > > both signed by the same ca.  i used the pkg.contrib/sign.sh to sign the
> > > > > > csrs.  the procedure i used was (more or less):
> > > > >
> > > > > generate the ca:
> > > > > openssl genrsa -des3 -out ca.key 1024
> > > > > openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > > > >
> > > > > then for each site (corp and eng), i generate the key and csr:
> > > > > openssl genrsa -des3 -out server.key 1024
> > > > > openssl req -new -key server.key -out server.csr
> > > > >
> > > > > > i made sure to use the site hostname as the "common name" in the csrs.
> > > > > >
> > > > > > for both of those sites, i copied all relevant files (server.key,
> > > > > > server.csr, ca.key, ca.crt) to conf/ssl/.  then i copied
> > > > > > pkg.contrib/sign.sh to conf/ssl/.  i then ran sign.sh.  it did stuff,
> > > > > > asked if i wanted to sign, etc etc.  i then ended up with a server.crt for
> > > > > > each site.  used those 2 config lines above (along with the rest of the
> > > > > > default ssl directives), and let it rip.
> > > > >
> > > > > > when i fire up my browser (netscape on linux), i can then go to either
> > > > > > site just fine.  but after i've visited one site, when i try to go to the
> > > > > > other, it fails.  errors look like this:
> > > > >
> > > > > ==> /web/corp/logs/ssl_engine_log <==
> > > > > > [21/Feb/2001 18:07:10 29774] [info]  Connection to child 1 established (server corp.mybiz.com:9003, client 64.211.151.249)
> > > > > > [21/Feb/2001 18:07:10 29774] [info]  Seeding PRNG with 1160 bytes of entropy
> > > > > > [21/Feb/2001 18:07:10 29774] [error] SSL handshake failed (server corp.mybiz.com:9003, client 64.211.151.249) (OpenSSL library error follows)
> > > > > > [21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
> > > > > > [21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
> > > > > > [21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
> > > > > >
> > > > > > ==> /web/corp/logs/ssl_error_log <==
> > > > > > [Wed Feb 21 18:07:10 2001] [error] mod_ssl: SSL handshake failed (server corp.mybiz.com:9003, client 64.211.151.249) (OpenSSL library error follows)
> > > > > > [Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
> > > > > > [Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
> > > > > > [Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
> > > > >
> > > > >
> > > > > > if i visit the sites in reverse order after closing and restarting my
> > > > > > browser, the same errors occur for the other site (whichever i visit
> > > > > > second).  i'm guessing this has something to do with them both being
> > > > > > signed by the same ca, but i just don't know enough to know how that
> > > > > > affects things.
> > > > > >
> > > > > > any suggestions?  does this have anything to do with the
> > > > > > SSLCertificateChainFile / SSLCACertificatePath / SSLCACertificateFile
> > > > > > directives?
> > > > >
> > > > > -tcl.
> > > > >
> > > > >
> > > > >
> > > > > > ______________________________________________________________________
> > > > > > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > > > > > User Support Mailing List                      [EMAIL PROTECTED]
> > > > > > Automated List Manager                            [EMAIL PROTECTED]
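
Added example, not part of the original thread: the `block type is not 02` / `bad rsa decrypt` lines in the quoted log are what a server reports when the RSA-encrypted ClientKeyExchange was produced with a public key that does not match the server's private key. The sketch below reproduces that check with two constructed toy keys standing in for the corp and eng `server.key` files, on the assumption (not confirmed on this page) that the browser encrypts to the certificate it cached from the first site; all function names are hypothetical.

```python
import random

E = 65537  # public exponent

def make_key(p, q):
    """Toy RSA key (n, d) from two primes."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # needs Python 3.8+

# Constructed keys built from well-known primes; far too small and structured
# for real use. They stand in for the corp and eng server.key files.
CORP = make_key(2**255 - 19, 2**256 - 2**32 - 977)
ENG = make_key(2**127 - 1, 2**384 - 2**128 - 2**96 + 2**32 - 1)

def encrypt_premaster(n, premaster, rng):
    """Client: PKCS#1 v1.5 type 2 padding, then RSA with the certificate's key."""
    k = (n.bit_length() + 7) // 8
    pad = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(premaster)))
    block = b"\x00\x02" + pad + b"\x00" + premaster
    return pow(int.from_bytes(block, "big"), E, n)

def decrypt_premaster(key, c):
    """Server: RSA private decrypt, then the type 2 padding check."""
    n, d = key
    if c >= n:
        return None, "data too large for modulus"
    block = pow(c, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if block[0] != 0 or block[1] != 2:
        return None, "block type is not 02"
    sep = block.find(b"\x00", 2)
    if sep < 10:  # no separator, or fewer than 8 padding bytes
        return None, "padding check failed"
    return block[sep + 1:], "ok"

def handshake(cert_n, server_key, rng):
    """Client encrypts to the certificate it holds; server uses its own key."""
    premaster = b"\x03\x00" + bytes(rng.randrange(256) for _ in range(46))
    c = encrypt_premaster(cert_n, premaster, rng)
    secret, status = decrypt_premaster(server_key, c)
    return secret == premaster, status

if __name__ == "__main__":
    rng = random.Random(2001)  # seeded for repeatable output, not a CSPRNG
    print("eng cert  -> eng server:", handshake(ENG[0], ENG, rng))
    print("corp cert -> eng server:", handshake(CORP[0], ENG, rng))
```

The matching pair recovers the premaster secret, while the mismatched pair fails at the same padding check that appears in ssl_engine_log.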