Dear sirs, I have trouble with OpenSSL and the Apache web server. With client authentication, web browsers cannot connect to the web server. The Apache log file logs/error_log shows the following:
[Fri May 14 11:45:05 2010] [info] [client 192.168.220.169] Connection to child 1 established (server mstestsv2.globalsign.co.jp:443)
[Fri May 14 11:45:05 2010] [info] Seeding PRNG with 136 bytes of entropy
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 11/11 bytes from BIO#95acc20 [mem: 959b940] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 422/422 bytes from BIO#95acc20 [mem: 959b94e] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1987): [client 192.168.220.169] SSL virtual host for servername mstestsv2.globalsign.co.jp found
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read client hello A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write server hello A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write certificate A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1274): [client 192.168.220.169] handing out temporary 1024 bit DH key
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write key exchange A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write server done A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 flush data
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 bytes from BIO#95acc20 [mem: 959b943] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 134/134 bytes from BIO#95acc20 [mem: 959b948] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read client key exchange A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 bytes from BIO#95acc20 [mem: 959b943] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 1/1 bytes from BIO#95acc20 [mem: 959b948] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 bytes from BIO#95acc20 [mem: 959b943] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 48/48 bytes from BIO#95acc20 [mem: 959b948] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read finished A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write change cipher spec A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write finished A
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 flush data
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1870): OpenSSL: Handshake: done
[Fri May 14 11:45:05 2010] [info] Connection: Client IP: 192.168.220.169, Protocol: TLSv1, Cipher: DHE-RSA-CAMELLIA256-SHA (256/256 bits)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 5/5 bytes from BIO#95acc20 [mem: 959b943] (BIO dump follows)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1882): OpenSSL: read 432/432 bytes from BIO#95acc20 [mem: 959b948] (BIO dump follows)
[Fri May 14 11:45:05 2010] [info] Initial (No.1) HTTPS request received for child 1 (server mstestsv2.globalsign.co.jp:443)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(510): [client 192.168.220.169] Changed client verification type will force renegotiation
[Fri May 14 11:45:05 2010] [info] [client 192.168.220.169] Requesting connection re-negotiation
[Fri May 14 11:45:05 2010] [debug] ssl_engine_io.c(1893): OpenSSL: I/O error, 5 bytes expected to read on BIO#95acc20 [mem: 959b943]
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(764): [client 192.168.220.169] Performing full renegotiation: complete handshake protocol (client does not support secure renegotiation)
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL renegotiate ciphers
[Fri May 14 11:45:05 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSL renegotiate ciphers
[Fri May 14 11:45:05 2010] [error] [client 192.168.220.169] Re-negotiation request failed
[Fri May 14 11:45:05 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

In my investigation, a similar error occurs with OpenSSL 0.9.8l, 0.9.8m, 0.9.8n and 1.0.0. I know this concerns security issue CVE-2009-3555, but many browsers fail to connect to the server. I know only Firefox 3.6 can connect. Are there any solutions?

Regards,
Koichi Sugimoto.
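
The "client does not support secure renegotiation" line in the log above reflects whether the ClientHello carried one of the two RFC 5746 signals: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (0x00FF) or the renegotiation_info extension (0xFF01). The following is an added example, not part of the original message and not Apache or OpenSSL code: a checker that parses a captured ClientHello record and reports whether the client is patched. The function names and the sample ClientHellos are constructed for illustration.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (RFC 5746)
EXT_RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def signals_secure_renegotiation(record: bytes) -> bool:
    """True if the ClientHello in this TLS record carries either RFC 5746 signal."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        rec_len = struct.unpack_from("!H", record, 3)[0]
        body = record[5:5 + rec_len]
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                       # skip client_version and random
        pos += 1 + hello[pos]              # skip session_id
        cs_len = struct.unpack_from("!H", hello, pos)[0]
        suites = struct.unpack_from("!%dH" % (cs_len // 2), hello, pos + 2)
        if SCSV in suites:
            return True
        pos += 2 + cs_len
        pos += 1 + hello[pos]              # skip compression_methods
        if pos >= len(hello):
            return False                   # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            if ext_type == EXT_RENEG_INFO:
                return True
            pos += 4 + ext_len
        return False
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None

def build_client_hello(suites, extensions=()):
    """Constructed test input: a minimal TLS 1.0 ClientHello record."""
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + struct.pack("!%dH" % len(suites), *suites) + b"\x01\x00")
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SNI = (0x0000, b"\x00\x0f\x00\x00\x0c" + b"example.test")   # constructed server_name
LEGACY = build_client_hello([0x0088, 0x0039, 0x0035], [SNI])  # unpatched client
WITH_SCSV = build_client_hello([0x0088, 0x00FF], [SNI])       # signals via SCSV
WITH_EXT = build_client_hello([0x0088], [SNI, (EXT_RENEG_INFO, b"\x00")])
```

A client for which this returns False is the kind the server in the log refuses to renegotiate with.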