Re: [AOLSERVER] SSL handshake error
I need to know the browser type, version and strength (e.g. MSIE 5.5 128-bit, Netscape 4.7 40-bit...). Oscar, when you say you're seeing the exact same problem, do you mean you're seeing both the error message and the browser is failing on the first connect?

/s.

On Tuesday, March 11, 2003, at 08:42 AM, Oscar Bonilla wrote:

I'm seeing the exact same problem, however I have ServerSessionCache set to true. I'm using nsopenssl 2.1. What could the problem be?

This is the nsopenssl part of my aolserver config file:

ns_section ns/server/${servername}/module/nsopenssl
ns_param ServerPort ${httpsport}
ns_param ServerHostname ${hostname}
ns_param ServerAddress ${address}
ns_param ServerCertFile ${sslcertificate}
ns_param ServerKeyFile ${sslkey}
ns_param ServerProtocols All
ns_param ServerCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param ServerSessionCache true
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify false
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ${sslcadir}
ns_param ServerCAFile ${sslcafile}
ns_param ServerTrace false
ns_param SockServerCertFile ${sslcertificate}
ns_param SockServerKeyFile ${sslkey}
ns_param SockServerProtocols All
ns_param SockServerCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockServerSessionCache true
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir ${sslinternalcadir}
ns_param SockServerCAFile ${sslinternalcafile}
ns_param SockServerTrace false
ns_param SockClientCertFile ${sslclientcertificate}
ns_param SockClientKeyFile ${sslclientkey}
ns_param SockClientProtocols All
ns_param SockClientCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockClientSessionCache true
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify true
ns_param SockClientPeerVerifyDepth 3
ns_param SockClientCADir ${sslservercadir}
ns_param SockClientCAFile ${sslservercafile}
ns_param SockClientTrace false
ns_param RandomFile /dev/urandom
ns_param SeedBytes 1024

Thanks,
-Oscar

On Mon, Mar 10, 2003 at 11:42:36PM -0600, Scott Goodwin wrote:

Turn it on, always, always, always have session caching on, or SSL to certain MSIE browser versions will fail in the way you're seeing. I've just updated the nsopenssl config examples at my site to reflect this. nsopenssl 3.0 will have session caching turned on by default, so that if you want it turned off you'll have to explicitly do so.

/s.

On Monday, March 10, 2003, at 11:32 PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:

Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

I. To remove yourself from this list: Send a message to [EMAIL PROTECTED] with the following text in the BODY of your message: signoff aolserver
II. For a complete list of listserv options please visit: http://listserv.aol.com/
III. For more AOLserver information please visit: http://www.aolserver.com/

Re: [AOLSERVER] SSL handshake error
On 2003.03.10, William Scott Jordan [EMAIL PROTECTED] wrote:

Error: nsopenssl: EOF during SSL handshake

I never used to see this error (and I have session caching turned off) until the recent OpenSSL exploits came about. Ever since then, every couple of hours I'll see this in my logs ... the OpenSSL exploits seem to have made it into a couple of rootkits, it seems.

What strikes me as funny is the fact that Scott says to always turn session caching on, but before the OpenSSL exploits became popular, I'd never seen this error before. Strange.

Now I need to go and look at turning session caching on. Fooey.

-- Dossy

--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on. (p. 70)

Re: [AOLSERVER] SSL handshake error
So I switched session caching on last night and when I checked the logs this morning, I see that there were a couple of new EOF during SSL handshake errors. Checking the access log, it looks like something funny was going on; Non-existent files being accessed and such. I think Dossy might be right about this being from the SSL exploits.

Hopefully, turning on session caching fixed the real problem and now I'm just seeing the results of some idiots mucking about.

Scott

At 09:57 PM 3/10/2003 -0800, you wrote:

I'll give this a shot. Thanks for the assistance.

Scott

At 11:42 PM 3/10/2003 -0600, you wrote:

Turn it on, always, always, always have session caching on, or SSL to certain MSIE browser versions will fail in the way you're seeing. I've just updated the nsopenssl config examples at my site to reflect this. nsopenssl 3.0 will have session caching turned on by default, so that if you want it turned off you'll have to explicitly do so.

/s.

On Monday, March 10, 2003, at 11:32 PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:

Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

Re: [AOLSERVER] SSL handshake error
Note that you will see some EOFs in the log files that are normal and aren't due to failures. I see them all the time because we're using client certs -- MSIE makes a connection, realizes the server wants a client cert, cuts the conn (EOF), asks the user which client cert they want to use, then makes a fresh connection. There are other events that can cause an EOF; one of them I think is when a client is using SSLv3 or TLS but doesn't follow the SSL close protocol specified and instead just closes the socket.

/s.

On Tuesday, March 11, 2003, at 12:01 PM, William Scott Jordan wrote:

So I switched session caching on last night and when I checked the logs this morning, I see that there were a couple of new EOF during SSL handshake errors. Checking the access log, it looks like something funny was going on; Non-existent files being accessed and such. I think Dossy might be right about this being from the SSL exploits.

Hopefully, turning on session caching fixed the real problem and now I'm just seeing the results of some idiots mucking about.

Scott

At 09:57 PM 3/10/2003 -0800, you wrote:

I'll give this a shot. Thanks for the assistance.

Scott

At 11:42 PM 3/10/2003 -0600, you wrote:

Turn it on, always, always, always have session caching on, or SSL to certain MSIE browser versions will fail in the way you're seeing. I've just updated the nsopenssl config examples at my site to reflect this. nsopenssl 3.0 will have session caching turned on by default, so that if you want it turned off you'll have to explicitly do so.

/s.

On Monday, March 10, 2003, at 11:32 PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:

Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

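The check described in this message and the one it quotes (lining up each handshake EOF with what the access log shows around the same time) can be scripted. The following is an added example, not code from the thread or from nsopenssl; the log layouts, the sample lines, the verdict names and the 10-second window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, not taken from the thread. Assumed layouts: server log
# "[time][pid.tid][-thread-] Severity: text"; access log in NCSA common format.
ERROR_LOG = """\
[11/Mar/2003:03:14:07][2113.1026][-conn4-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:03:14:09][2113.1026][-conn5-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:09:30:15][2113.2051][-conn7-] Error: nsopenssl: EOF during SSL handshake
[11/Mar/2003:09:31:00][2113.2051][-conn7-] Notice: unrelated line, ignored
[11/Mar/2003:11:02:40][2113.2051][-conn2-] Error: nsopenssl: EOF during SSL handshake
"""
ACCESS_LOG = """\
192.0.2.77 - - [11/Mar/2003:03:14:06 -0600] "GET /no/such/file.html HTTP/1.0" 404 531
192.0.2.77 - - [11/Mar/2003:03:14:10 -0600] "GET /also/missing.html HTTP/1.0" 404 531
198.51.100.20 - - [11/Mar/2003:09:30:21 -0600] "GET /account/ HTTP/1.1" 200 4210
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S"  # both logs are assumed to be in the same local time
EOF_RE = re.compile(r"^\[([^\]]+)\].*nsopenssl: EOF during SSL handshake")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "([^"]*)" (\d{3}) ')


def parse_eofs(text):
    """Timestamps of every handshake-EOF line in the server log."""
    return [datetime.strptime(m.group(1), TS_FMT)
            for m in map(EOF_RE.match, text.splitlines()) if m]


def parse_access(text):
    """(timestamp, client, request, status) for every parsable access-log line."""
    return [(datetime.strptime(m.group(2), TS_FMT), m.group(1), m.group(3), int(m.group(4)))
            for m in map(ACCESS_RE.match, text.splitlines()) if m]


def triage(error_text, access_text, window_s=10):
    """Label each EOF by what the access log shows within window_s seconds of it."""
    window = timedelta(seconds=window_s)
    access = parse_access(access_text)
    report = []
    for ts in parse_eofs(error_text):
        near = [row for row in access if abs(row[0] - ts) <= window]
        if any(row[3] == 404 for row in near):
            verdict = "review"         # requests for non-existent files around the EOF
        elif any(row[0] >= ts and row[3] < 400 for row in near):
            verdict = "likely-normal"  # a request succeeded just after, e.g. a reconnect
        else:
            verdict = "unexplained"    # nothing nearby to explain it either way
        report.append((ts.strftime(TS_FMT), verdict, sorted({row[1] for row in near})))
    return report


if __name__ == "__main__":
    for when, verdict, clients in triage(ERROR_LOG, ACCESS_LOG):
        print(when, verdict, ",".join(clients) or "-")
```

The match is by time only, so a verdict is a prompt for which access-log entries to read, not a finding; widen `window_s` if users take longer to pick a client certificate.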
Re: [AOLSERVER] SSL handshake error
Ok, so maybe I was not seeing the *exact* same problem ;) I was just seeing the error messages in the log. I had seen the server error message on the browsers some time ago, but I expected the error messages to also go away.

I guess it must be the OpenSSL exploit then... any way to check and make sure?

Regards,
-Oscar

On Tue, Mar 11, 2003 at 09:08:58AM -0600, Scott Goodwin wrote:

I need to know the browser type, version and strength (e.g. MSIE 5.5 128-bit, Netscape 4.7 40-bit...). Oscar, when you say you're seeing the exact same problem, do you mean you're seeing both the error message and the browser is failing on the first connect?

/s.

On Tuesday, March 11, 2003, at 08:42 AM, Oscar Bonilla wrote:

I'm seeing the exact same problem, however I have ServerSessionCache set to true. I'm using nsopenssl 2.1. What could the problem be?

This is the nsopenssl part of my aolserver config file:

ns_section ns/server/${servername}/module/nsopenssl
ns_param ServerPort ${httpsport}
ns_param ServerHostname ${hostname}
ns_param ServerAddress ${address}
ns_param ServerCertFile ${sslcertificate}
ns_param ServerKeyFile ${sslkey}
ns_param ServerProtocols All
ns_param ServerCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param ServerSessionCache true
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify false
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ${sslcadir}
ns_param ServerCAFile ${sslcafile}
ns_param ServerTrace false
ns_param SockServerCertFile ${sslcertificate}
ns_param SockServerKeyFile ${sslkey}
ns_param SockServerProtocols All
ns_param SockServerCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockServerSessionCache true
ns_param SockServerSessionCacheID 2
ns_param SockServerSessionCacheSize 512
ns_param SockServerSessionCacheTimeout 300
ns_param SockServerPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockServerCADir ${sslinternalcadir}
ns_param SockServerCAFile ${sslinternalcafile}
ns_param SockServerTrace false
ns_param SockClientCertFile ${sslclientcertificate}
ns_param SockClientKeyFile ${sslclientkey}
ns_param SockClientProtocols All
ns_param SockClientCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ns_param SockClientSessionCache true
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify true
ns_param SockClientPeerVerifyDepth 3
ns_param SockClientCADir ${sslservercadir}
ns_param SockClientCAFile ${sslservercafile}
ns_param SockClientTrace false
ns_param RandomFile /dev/urandom
ns_param SeedBytes 1024

Thanks,
-Oscar

On Mon, Mar 10, 2003 at 11:42:36PM -0600, Scott Goodwin wrote:

Turn it on, always, always, always have session caching on, or SSL to certain MSIE browser versions will fail in the way you're seeing. I've just updated the nsopenssl config examples at my site to reflect this. nsopenssl 3.0 will have session caching turned on by default, so that if you want it turned off you'll have to explicitly do so.

/s.

On Monday, March 10, 2003, at 11:32 PM, William Scott Jordan wrote:

ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:

Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

[AOLSERVER] SSL handshake error
I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

Re: [AOLSERVER] SSL handshake error
Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott

Re: [AOLSERVER] SSL handshake error
ServerSessionCache is set to false.

Scott

At 11:12 PM 3/10/2003 -0600, you wrote:

Do you have session caching turned on?

/s.

On Monday, March 10, 2003, at 11:00 PM, William Scott Jordan wrote:

I'm running AOLServer 3.4 with OpenSSL 0.9.6 and nsopenssl 2.2b4 on Redhat 7.0 and I'm getting this error quite a bit:

Error: nsopenssl: EOF during SSL handshake

I have no idea what's causing it and I can't recreate it. When it happens, it gives the end user a Server Error message. Reloading the same page never causes the problem a second time. I really don't even know whether it's a problem with AOLServer, a configuration issue, or a problem with OpenSSL.

Has anybody seen this before or have any idea of how to correct it? Any advice would be appreciated.

Scott