Re: [AOLSERVER] SSL handshake error

2003-03-11 Thread Scott Goodwin
I need to know the browser type, version and strength (e.g. MSIE 5.5
128-bit, Netscape 4.7 40-bit...).
Oscar, when you say you're seeing the exact same problem, do you mean
you're seeing both the error message and the browser is failing on the
first connect?
/s.

On Tuesday, March 11, 2003, at 08:42  AM, Oscar Bonilla wrote:

I'm seeing the exact same problem, however I have ServerSessionCache
set to true. I'm using
nsopenssl 2.1. What could the problem be?
This is the nsopenssl part of my aolserver config file:

-
ns_section ns/server/${servername}/module/nsopenssl
ns_param ServerPort                    ${httpsport}
ns_param ServerHostname                ${hostname}
ns_param ServerAddress                 ${address}
ns_param ServerCertFile                ${sslcertificate}
ns_param ServerKeyFile                 ${sslkey}
ns_param ServerProtocols               All
ns_param ServerCipherSuite             ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param ServerSessionCache            true
ns_param ServerSessionCacheID          1
ns_param ServerSessionCacheSize        512
ns_param ServerSessionCacheTimeout     300
ns_param ServerPeerVerify              false
ns_param ServerPeerVerifyDepth         3
ns_param ServerCADir                   ${sslcadir}
ns_param ServerCAFile                  ${sslcafile}
ns_param ServerTrace                   false

ns_param SockServerCertFile            ${sslcertificate}
ns_param SockServerKeyFile             ${sslkey}
ns_param SockServerProtocols           All
ns_param SockServerCipherSuite         ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockServerSessionCache        true
ns_param SockServerSessionCacheID      2
ns_param SockServerSessionCacheSize    512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify          true
ns_param SockServerPeerVerifyDepth     3
ns_param SockServerCADir               ${sslinternalcadir}
ns_param SockServerCAFile              ${sslinternalcafile}
ns_param SockServerTrace               false

ns_param SockClientCertFile            ${sslclientcertificate}
ns_param SockClientKeyFile             ${sslclientkey}
ns_param SockClientProtocols           All
ns_param SockClientCipherSuite         ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockClientSessionCache        true
ns_param SockClientSessionCacheID      3
ns_param SockClientSessionCacheSize    512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify          true
ns_param SockClientPeerVerifyDepth     3
ns_param SockClientCADir               ${sslservercadir}
ns_param SockClientCAFile              ${sslservercafile}
ns_param SockClientTrace               false

ns_param RandomFile                    /dev/urandom
ns_param SeedBytes                     1024

Thanks,

-Oscar

On Mon, Mar 10, 2003 at 11:42:36PM -0600, Scott Goodwin wrote:
Turn it on, always, always, always have session caching on, or SSL to
certain MSIE browser versions will fail in the way you're seeing. I've
just updated the nsopenssl config examples at my site to reflect this.
nsopenssl 3.0 will have session caching turned on by default, so that
if you want it turned off you'll have to explicitly do so.
/s.



On Monday, March 10, 2003, at 11:32  PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott



I. To remove yourself from this list:

Send a message to [EMAIL PROTECTED]  with the following text in
the BODY of your message:
signoff aolserver

II. For a complete list of listserv options please visit:

http://listserv.aol.com/

III. For more AOLserver information please visit:

http://www.aolserver.com/



Re: [AOLSERVER] SSL handshake error

2003-03-11 Thread Dossy
On 2003.03.10, William Scott Jordan [EMAIL PROTECTED] wrote:

 Error: nsopenssl: EOF during SSL handshake

I never used to see this error (and I have session caching turned off)
until the recent OpenSSL exploits came about.

Ever since then, every couple of hours I'll see this in my logs ... the
OpenSSL exploits seem to have made it into a couple of rootkits, it
seems.

What strikes me as funny is the fact that Scott says to always turn
session caching on, but before the OpenSSL exploits became popular, I'd
never seen this error before.  Strange.

Now I need to go and look at turning session caching on.  Fooey.

-- Dossy

--
Dossy Shiobara   mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
  He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on. (p. 70)





Re: [AOLSERVER] SSL handshake error

2003-03-11 Thread William Scott Jordan
So I switched session caching on last night and when I checked the logs
this morning, I see that there were a couple of new EOF during SSL
handshake errors.  Checking the access log, it looks like something funny
was going on;  Non-existent files being accessed and such.  I think Dossy
might be right about this being from the SSL exploits.  Hopefully, turning
on session caching fixed the real problem and now I'm just seeing the
results of some idiots mucking about.
Scott

At 09:57 PM 3/10/2003 -0800, you wrote:
I'll give this a shot.  Thanks for the assistance.

Scott

At 11:42 PM 3/10/2003 -0600, you wrote:
Turn it on, always, always, always have session caching on, or SSL to
certain MSIE browser versions will fail in the way you're seeing. I've
just updated the nsopenssl config examples at my site to reflect this.
nsopenssl 3.0 will have session caching turned on by default, so that
if you want it turned off you'll have to explicitly do so.
/s.



On Monday, March 10, 2003, at 11:32  PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott





Re: [AOLSERVER] SSL handshake error

2003-03-11 Thread Scott Goodwin
Note that you will see some EOFs in the log files that are normal and
aren't due to failures. I see them all the time because we're using
client certs -- MSIE makes a connection, realizes the server wants a
client cert, cuts the conn (EOF), asks the user which client cert they
want to use, then makes a fresh connection. There are other events that
can cause an EOF; one of them I think is when a client is using SSLv3
or TLS but doesn't follow the SSL close protocol specified and instead
just closes the socket.
/s.

On Tuesday, March 11, 2003, at 12:01  PM, William Scott Jordan wrote:

So I switched session caching on last night and when I checked the logs
this morning, I see that there were a couple of new EOF during SSL
handshake errors.  Checking the access log, it looks like something funny
was going on;  Non-existent files being accessed and such.  I think Dossy
might be right about this being from the SSL exploits.  Hopefully, turning
on session caching fixed the real problem and now I'm just seeing the
results of some idiots mucking about.
Scott

At 09:57 PM 3/10/2003 -0800, you wrote:
I'll give this a shot.  Thanks for the assistance.

Scott

At 11:42 PM 3/10/2003 -0600, you wrote:
Turn it on, always, always, always have session caching on, or SSL to
certain MSIE browser versions will fail in the way you're seeing. I've
just updated the nsopenssl config examples at my site to reflect this.
nsopenssl 3.0 will have session caching turned on by default, so that
if you want it turned off you'll have to explicitly do so.
/s.



On Monday, March 10, 2003, at 11:32  PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott





Re: [AOLSERVER] SSL handshake error

2003-03-11 Thread Oscar Bonilla
Ok, so maybe I was not seeing the *exact* same problem ;) I was just
seeing the error messages in the log. I had seen the server error
message on the browsers some time ago, but I expected the error
messages to also go away. I guess it must be the OpenSSL exploit
then... any way to check and make sure?

Regards,

-Oscar

On Tue, Mar 11, 2003 at 09:08:58AM -0600, Scott Goodwin wrote:
 I need to know the browser type, version and strength (e.g. MSIE 5.5
 128-bit, Netscape 4.7 40-bit...).

 Oscar, when you say you're seeing the exact same problem, do you mean
 you're seeing both the error message and the browser is failing on the
 first connect?

 /s.


 On Tuesday, March 11, 2003, at 08:42  AM, Oscar Bonilla wrote:

  I'm seeing the exact same problem, however I have ServerSessionCache
  set to true. I'm using
  nsopenssl 2.1. What could the problem be?
 
 
  This is the nsopenssl part of my aolserver config file:
 
  -
  ns_section ns/server/${servername}/module/nsopenssl
  ns_param ServerPort                    ${httpsport}
  ns_param ServerHostname                ${hostname}
  ns_param ServerAddress                 ${address}
  ns_param ServerCertFile                ${sslcertificate}
  ns_param ServerKeyFile                 ${sslkey}
  ns_param ServerProtocols               All
  ns_param ServerCipherSuite             ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  ns_param ServerSessionCache            true
  ns_param ServerSessionCacheID          1
  ns_param ServerSessionCacheSize        512
  ns_param ServerSessionCacheTimeout     300
  ns_param ServerPeerVerify              false
  ns_param ServerPeerVerifyDepth         3
  ns_param ServerCADir                   ${sslcadir}
  ns_param ServerCAFile                  ${sslcafile}
  ns_param ServerTrace                   false

  ns_param SockServerCertFile            ${sslcertificate}
  ns_param SockServerKeyFile             ${sslkey}
  ns_param SockServerProtocols           All
  ns_param SockServerCipherSuite         ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  ns_param SockServerSessionCache        true
  ns_param SockServerSessionCacheID      2
  ns_param SockServerSessionCacheSize    512
  ns_param SockServerSessionCacheTimeout 300
  ns_param SockServerPeerVerify          true
  ns_param SockServerPeerVerifyDepth     3
  ns_param SockServerCADir               ${sslinternalcadir}
  ns_param SockServerCAFile              ${sslinternalcafile}
  ns_param SockServerTrace               false

  ns_param SockClientCertFile            ${sslclientcertificate}
  ns_param SockClientKeyFile             ${sslclientkey}
  ns_param SockClientProtocols           All
  ns_param SockClientCipherSuite         ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  ns_param SockClientSessionCache        true
  ns_param SockClientSessionCacheID      3
  ns_param SockClientSessionCacheSize    512
  ns_param SockClientSessionCacheTimeout 300
  ns_param SockClientPeerVerify          true
  ns_param SockClientPeerVerifyDepth     3
  ns_param SockClientCADir               ${sslservercadir}
  ns_param SockClientCAFile              ${sslservercafile}
  ns_param SockClientTrace               false

  ns_param RandomFile                    /dev/urandom
  ns_param SeedBytes                     1024
  
 
  Thanks,
 
  -Oscar
 
  On Mon, Mar 10, 2003 at 11:42:36PM -0600, Scott Goodwin wrote:
  Turn it on, always, always, always have session caching on, or SSL to
  certain MSIE browser versions will fail in the way you're seeing. I've
  just updated the nsopenssl config examples at my site to reflect this.
 
  nsopenssl 3.0 will have session caching turned on by default, so that
  if you want it turned off you'll have to explicitly do so.
 
 
  /s.
 
 
 
  On Monday, March 10, 2003, at 11:32  PM, William Scott Jordan wrote:
 
  ServerSessionCache is set to false.
 
  Scott
 
  At 11:12 PM 3/10/2003 -0600, you wrote:
  Do you have session caching turned on?
 
  /s.
 
  On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:
 
  I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
  7.0 and I'm getting this error quite a bit:

  Error: nsopenssl: EOF during SSL handshake

  I have no idea what's causing it and I can't recreate it.  When it happens,
  it gives the end user a Server Error message.  Reloading the same page
  never causes the problem a second time.  I really don't even know whether
  it's a problem with AOLServer, a configuration issue, or a problem with
  OpenSSL.

  Has anybody seen this before or have any idea of how to correct it?  Any
  advice would be appreciated.
 
  Scott
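
Added example (not part of the original thread, and not nsopenssl or AOLserver code): one way to approach the question of telling routine handshake EOFs from probing is to line up each "EOF during SSL handshake" entry with bursts of 404s in the access log around the same time. The log line layouts, sample entries, addresses and thresholds are constructed assumptions; the error message carries no peer address, so the match is by time only and a hit is a prompt for review, not proof.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines; both layouts are assumptions, not taken from the thread.
ERROR_LOG = """\
[11/Mar/2003:03:14:07][2301.4][-nsopenssl-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:03:14:09][2301.5][-nsopenssl-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:09:30:00][2301.6][-nsopenssl-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:09:31:00][2301.6][-conn1-] Notice: unrelated message
"""
ACCESS_LOG = """\
192.0.2.44 - - [11/Mar/2003:03:14:05 -0600] "GET /no-such-a HTTP/1.0" 404 531
192.0.2.44 - - [11/Mar/2003:03:14:06 -0600] "GET /no-such-b HTTP/1.0" 404 531
192.0.2.44 - - [11/Mar/2003:03:14:10 -0600] "GET /no-such-c HTTP/1.0" 404 531
198.51.100.7 - - [11/Mar/2003:09:30:02 -0600] "GET /index.adp HTTP/1.1" 200 4096
198.51.100.7 - - [11/Mar/2003:09:30:03 -0600] "GET /missing.gif HTTP/1.1" 404 531
"""

TS = "%d/%b/%Y:%H:%M:%S"  # both logs are assumed to use the same local clock
EOF_RE = re.compile(r"^\[([^\]]+)\].*nsopenssl: EOF during SSL handshake")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "[^"]*" (\d{3}) ')


def handshake_eofs(error_log):
    """Timestamps of every handshake-EOF entry in the error log."""
    stamps = []
    for line in error_log.splitlines():
        m = EOF_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), TS))
    return stamps


def not_found_hits(access_log):
    """(timestamp, client) for every 404 response in the access log."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(3) == "404":
            hits.append((datetime.strptime(m.group(2), TS), m.group(1)))
    return hits


def triage(error_log, access_log, window_s=30, min_404=3):
    """Label each handshake EOF 'review' when a single client produced at
    least min_404 404s within window_s seconds of it, else 'likely-routine'
    (for example a client-cert re-prompt or an unclean socket close)."""
    hits = not_found_hits(access_log)
    window = timedelta(seconds=window_s)
    results = []
    for ts in handshake_eofs(error_log):
        near = Counter(client for t, client in hits if abs(t - ts) <= window)
        noisy = sorted(c for c, n in near.items() if n >= min_404)
        results.append((ts.strftime(TS), "review" if noisy else "likely-routine", noisy))
    return results


if __name__ == "__main__":
    for stamp, label, clients in triage(ERROR_LOG, ACCESS_LOG):
        print(stamp, label, ", ".join(clients))
```
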
 
 
 

[AOLSERVER] SSL handshake error

2003-03-10 Thread William Scott Jordan
I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott





Re: [AOLSERVER] SSL handshake error

2003-03-10 Thread Scott Goodwin
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott





Re: [AOLSERVER] SSL handshake error

2003-03-10 Thread William Scott Jordan
ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00  PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat
7.0 and I'm getting this error quite a bit:
Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it.  When it happens,
it gives the end user a Server Error message.  Reloading the same page
never causes the problem a second time.  I really don't even know whether
it's a problem with AOLServer, a configuration issue, or a problem with
OpenSSL.
Has anybody seen this before or have any idea of how to correct it?  Any
advice would be appreciated.
Scott


