On Wed, 20 Jan 2010 20:33:34 -0500, "Shotton, Fred" <[email protected]> wrote:
> I'm running apache 2.2.14 with mod_ssl using OpenSSL 0.98m-beta1. When
> renegotiating a client session, I get an error from apache:
> "Re-negotiation handshake failed: Not accepted by client" and a fatal
> "unexpected_message" alert in OpenSSL s_client. Below you will find log
> output for the renegotiation failure and log output for a successful
> legacy renegotiation against OpenSSL 0.98k...
Fred,
In order to help you, I'm probably going to need to see a full packet
capture and a list of the actual command-lines used to run the debugging
commands available. I ask for these data because I see the following
suspicious item in the OpenSSL ChangeLog:
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
connect (but not renegotiate) with servers which do not support RI.
Until RI is more widely deployed this option is enabled by default.
[Steve Henson]
at http://www.openssl.org/news/changelog.html
Flagging this change is just a blind guess on my part based on my reading
of the debug logs, but it would certainly be consistent with the observed
data if your secure-renegotiation attempt were failing because one of
the initial ClientHello, ServerHello, or both is missing the appropriate
signalling.
Finally, have you talked to anyone on the OpenSSL or Apache mailing
lists about your test plan?
Regards,
Michael
P.S. - In case it helps, I think the output from commands similar to
    tcpdump -i eth0 -w tls.pcap -s 0 port 443
and
    script -t tls.log
    # ... your test script
is about what I'm looking for.
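A small check for the signalling Michael points at, added here as an example and not part of the original thread: it parses a ClientHello or ServerHello handshake record and reports whether the RFC 5746 renegotiation_info extension (or, in a ClientHello, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite) is present. The record builder and its sample values are constructed for illustration; against a real problem the hello bytes would come from the pcap.

```python
import struct

RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)
RENEG_SCSV = 0x00FF      # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite

def _extensions(buf):
    """Yield (type, data) pairs from a TLS extensions block; nothing if absent."""
    pos, end = 2, 2 + (struct.unpack("!H", buf[:2])[0] if len(buf) >= 2 else 0)
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        yield ext_type, buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len

def ri_signalling(record):
    """Report the RFC 5746 signalling in a handshake record holding a ClientHello/ServerHello."""
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]   # strip 5-byte record header
    hs_type, hello = body[0], body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                  # protocol version + random
    pos += 1 + hello[pos]         # session id (length-prefixed)
    info = {"type": {1: "ClientHello", 2: "ServerHello"}[hs_type],
            "scsv": False, "ext": False, "ri_data": None}
    if hs_type == 1:
        cs_len, pos = struct.unpack("!H", hello[pos:pos + 2])[0], pos + 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        info["scsv"] = RENEG_SCSV in suites
        pos += cs_len
        pos += 1 + hello[pos]     # compression methods (length-prefixed)
    else:
        pos += 2 + 1              # chosen cipher suite + compression method
    for ext_type, data in _extensions(hello[pos:]):
        if ext_type == RENEG_INFO_EXT:
            info["ext"], info["ri_data"] = True, data[1:1 + data[0]]   # renegotiated_connection
    info["secure_reneg"] = info["scsv"] or info["ext"]
    return info

def build_hello(hs_type, suites, extensions):
    """Construct a minimal TLS 1.0 ClientHello/ServerHello record (test data, not a capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    if hs_type == 1:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # suites + null compression
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"          # chosen suite + compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if extensions:
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A ServerHello that comes back without the extension while the ClientHello carried the SCSV or the extension is the situation the ChangeLog entry describes: the client may connect but a later renegotiation attempt will be refused.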