>---- Original Message ----
>From: "James" <ja...@nixsecurity.org>
>To: openssl-users@openssl.org
>Cc: openssl-users@openssl.org
>Sent: Wed, Feb 6, 2013, 3:51 PM
>Subject: Re: Issue with 1.0.1d with Apache 2.2.23
>
>>---- Original Message ----
>>From: "James" <ja...@nixsecurity.org>
>>To: openssl-users@openssl.org
>>Sent: Wed, Feb 6, 2013, 2:50 PM
>>Subject: Issue with 1.0.1d with Apache 2.2.23
>>
>>I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in 
>>but disabled, which has always been the case in the past. Our application 
>>runs in a browser using Apache 2.2.23 and mod_ssl which is compiled against 
>>OpenSSL. Testing has revealed that HTTP requests work fine, however, HTTPS 
>>requests throw a 403. The following is exhibited in the access_log:
>>
>>a.b.c.d - - [06/Feb/2013:14:18:39 -0500] "GlET / HTTP/1.1" 403 202
>>a.b.c.d - - [06/Feb/2013:14:18:41 -0500] "\xf2G:ET /favicon.ico HTTP/1.1" 403 213
>>a.b.c.d - - [06/Feb/2013:14:32:00 -0500] "GVET / HTTP/1.1" 403 202
>>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\xb3G\xc1ET /favicon.ico HTTP/1.1" 403 213
>>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x1aG\x9eET / HTTP/1.1" 403 202
>>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "tG\xfcET /favicon.ico HTTP/1.1" 403 213
>>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x8bG\x02ET / HTTP/1.1" 403 202
>>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\bGdET /favicon.ico HTTP/1.1" 403 213
>>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xabG\xacET / HTTP/1.1" 403 202
>>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xb2G\tET /favicon.ico HTTP/1.1" 400 226
>>
>>Testing was performed under a Red Hat 6 x86_64 system and no errors were 
>>obvious in the compilation process.
>>
>>Thanks.
>>
>>______________________________________________________________________
>>OpenSSL Project                                 http://www.openssl.org
>>User Support Mailing List                    openssl-users@openssl.org
>>Automated List Manager                           majord...@openssl.org
>
>To add to this, I've tested under four systems: RHEL5 i686/x86_64 and RHEL6 
>i686/x86_64, where only the 64-bit systems are exhibiting the issue. The 32-bit 
>systems are fine.
>


Just an update: using an SSLCipherSuite in the SSL configuration file for Apache 
of

RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5

works fine. The ciphers we're using are

DES-CBC3-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA

which is where I see the issue. I suppose I'll have to go through each cipher 
to determine the culprit. If I'm on the wrong path here and should be posting 
to the Apache mailing list, let me know, but as I've stated previously, OpenSSL 
1.0.1c-FIPS works fine with our current cipher suite.
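
Going through each cipher, as the message above proposes, can be scripted. The following is an added example, not part of the original thread: it probes a server with one cipher at a time using openssl s_client. The host and port arguments are placeholders, and it assumes the client's own openssl build still offers each cipher.

```bash
#!/bin/sh
# Added example: find which cipher in the list breaks HTTPS requests.
# CIPHERS is the list quoted in the message above.
CIPHERS='DES-CBC3-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA'

# Print each cipher once, in first-seen order (the list repeats several names).
unique_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | awk 'NF && !seen[$0]++'
}

# Classify the status line of a server reply.
# http-error covers the 403/400 responses seen in the access_log;
# no-reply means the handshake failed or the cipher is not offered.
classify_reply() {
    case "$1" in
        "HTTP/1."[01]" 2"*|"HTTP/1."[01]" 3"*) echo ok ;;
        "HTTP/1."[01]" 4"*|"HTTP/1."[01]" 5"*) echo http-error ;;
        "") echo no-reply ;;
        *) echo unexpected ;;
    esac
}

# Send one GET over a connection restricted to a single cipher.
# Arguments: host port cipher
probe_cipher() {
    classify_reply "$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" |
        timeout 10 openssl s_client -quiet -connect "$1:$2" -cipher "$3" 2>/dev/null |
        head -n 1 | tr -d '\r')"
}

# Usage: sh probe.sh <host> [port]   (does nothing when run without arguments)
if [ "$#" -ge 1 ]; then
    for c in $(unique_ciphers "$CIPHERS"); do
        printf '%-14s %s\n' "$c" "$(probe_cipher "$1" "${2:-443}" "$c")"
    done
fi
```

A cipher that reports http-error while the others report ok is the one to compare between the 1.0.1c and 1.0.1d builds.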
