Re: Netscape always asks for the certificate
On Thu, Oct 30, 2003 at 11:40:52AM +0100, xavier jeannin wrote:
[SNIP]
> ---
> drop connection and then reconnect
> CONNECTED(0003)
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : EDH-RSA-DES-CBC3-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
>     Key-Arg   : None
>     Start Time: 1067509174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)

Session caching seems to be off on the server side - when I use reconnect, I get

    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
    Session-ID-ctx:
    Master-Key: 6D9E61B97ADE120B056E79A09B3489D23D7D2A74FE2D82E067CBEF50296B76B5E6034ECDB32B4B062788BA9D9832DD3B

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                               [EMAIL PROTECTED]
Automated List Manager                                  [EMAIL PROTECTED]
Re: Netscape always asks for the certificate
OK, sorry, I have corrected my mistake, so now I can connect with s_client and get my HTML page. Thank you, it is a powerful tool to debug (redirects, etc.).

I send you the response I get; I am not able to analyse the SSL sequence. Is it a normal sequence? Seeing this, can we deduce that the session cache works fine? In this example I have only asked for one page, I have not browsed my site, so can we deduce anything from this example? Is it possible to browse a site with s_client (see the cookie and session problem)?

thank you
--xj

CONNECTED(0003)
---
Certificate chain
 0 s:/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/[EMAIL PROTECTED]
   i:/C=FR/O=CNRS/CN=CNRS-Standard
 1 s:/C=FR/O=CNRS/CN=CNRS-Standard
   i:/C=FR/O=CNRS/CN=CNRS
 2 s:/C=FR/O=CNRS/CN=CNRS
   i:/C=FR/O=CNRS/CN=CNRS
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfzCCA2egAwIBAgICAvUwDQYJKoZIhvcNAQEEBQAwNDELMAkGA1UEBhMCRlIx
DTALBgNVBAoTBENOUlMxFjAUBgNVBAMTDUNOUlMtU3RhbmRhcmQwHhcNMDIwNjI0
MDcwODIyWhcNMDQwNjI0MDcwODIyWjB5MQswCQYDVQQGEwJGUjENMAsGA1UEChME
-- zip --
p1vfh+sI/gmyoV5Fpx3cQ1ZhS6PsFxHmhe6bnQSbyOJjVmtvR7qx7iAZuo3+NE8o
bNsDnc7NQrDxOts5mYQugiPpNwW+CS7Yj8uuXFPkF/G4pBPBRooiwoJ6o5X6CZi5
uYKp
-----END CERTIFICATE-----
subject=/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/[EMAIL PROTECTED]
issuer=/C=FR/O=CNRS/CN=CNRS-Standard
---
Acceptable client certificate CA names
/C=FR/O=CNRS/CN=SSI
/C=FR/O=CNRS/CN=CNRS
/C=FR/O=CNRS/CN=Datagrid-fr
/C=FR/O=CNRS/CN=CNRS-Projets
/C=FR/O=CNRS/CN=CNRS-Standard
/[EMAIL PROTECTED]/CN=CNRS-Test/OU=UREC/O=CNRS/C=FR
/C=FR/O=CNRS/CN=CNRS-Plus
---
SSL handshake has read 3873 bytes and written 3551 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 279FCDC4C400A75AE70E85755781EAA6F39429D8FC22AE69B6F95D982020F5DFAD6DF5B552DF21FE7DB23CC7FC09EE1A
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(0003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(0003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: C04F385EFFBC7FE29AB3503C3A55F264D5EB42D33F5AD15D988E7E030E3E2D0A61BBF9540CD2CDFEF139A23F23656E42
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(0003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 0FBF55C5A75525AC4DE0A508D984DAAFD046C38C251744F4546358747FFD7527BD88A6F5B5B2258DD8D99BD4F04D6227
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(0003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 1FA07645E42886ED343D5C7B7BA722675B35E298AC48791D981784FFE2F640914D7BDBE0ADD184DEE104C4BDDC251494
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(0003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 72B0D603F01C3416E2B39C650E7359B1123E959F49D54EB4654A9F26CF666089DDB071D305CF267FDB95E6B3210DD9B3
    Key-Arg   : None
    Start Time: 1067509174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Welcome to the Intranet of the CNRS STIC department
My HTML page
closed
Mads Toftum wrote:
> On Thu, Oct 30, 2003 at 09:24:04AM +0100, xavier jeannin wrote:
> > 24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > unsupported certificate:s3_pkt.c:1031:SSL alert number 43
> > 24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> > failure:s3_pkt.c:514:
> >
> > I am sorry but I do not understand the response. I am sure that my cert
> > is valid, my private key too, and my cafile too.
> > Do you know where I can read documentation that explains the error
> > message? Perhaps it is a bad use of the openssl client.
>
> openssl s_client expects the certificate and key to be in PEM format -
> openssl x509 -in cert
Re: apache 1.3.29?
Hi Ralf,

If you don't mind, please include a fix which allows the HTTPS env variable to be passed by suexec:

--- apache_1.3.28/src/support/suexec.c.~20030719062731~	Sat Jul 19 09:27:31 2003
+++ apache_1.3.28/src/support/suexec.c	Tue Aug 26 16:49:20 2003
@@ -134,7 +134,7 @@
/* variable name starts with */
"HTTP_",
#ifdef MOD_SSL
-"HTTPS_",
+"HTTPS=",
"SSL_",
#endif

This is already included in apache 2.

Thanks,
Zvi.

On Thu, 30 Oct 2003 09:06:52 +0100, Ralf S. Engelschall wrote about "Re: apache 1.3.29?":
>
> In article <[EMAIL PROTECTED]> you wrote:
> > Andreas Gietl wrote:
> >>
> >> On Wednesday 29 October 2003 15:39, Jim Jagielski wrote:
> >>
> >> i guess there will be a new patch within the next days/hours?
> >
> > I would guess, but that's not my area :)
>
> Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've
> already upgraded mod_ssl to Apache 1.3.29, but I've still to include
> some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need
> to hurry here...
>
>                                        Ralf S. Engelschall
>                                        [EMAIL PROTECTED]
>                                        www.engelschall.com

--
Dr. Zvi Har'El                              mailto:[EMAIL PROTECTED]
Department of Mathematics                   tel:+972-54-227607 icq:179294841
Technion - Israel Institute of Technology   fax:+972-4-8293388
http://www.math.technion.ac.il/~rl/         Haifa 32000, ISRAEL
"If you can't say somethin' nice, don't say nothin' at all." -- Thumper (1942)
                        Thursday, 4 Heshvan 5764, 30 October 2003, 10:49AM
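Review bot: in the suexec.c hunk the `"HTTPS_",` entry is replaced by `"HTTPS=",` rather than kept alongside it, which changes what passes the safe-environment filter. The list is matched as "variable name starts with" (see the context comment), and environment entries have the form NAME=value, so `"HTTPS="` admits exactly the variable HTTPS while `"HTTPS_"` admits every HTTPS_-prefixed variable the server exports; the two are not interchangeable, and dropping the prefix entry would silently stop those variables reaching suexec'd CGIs. Suggest keeping both lines: `"HTTPS=",` followed by `"HTTPS_",`. Also note the file headers are against apache_1.3.28 while the thread is about 1.3.29, so the @@ -134,7 +134,7 @@ offset should be re-checked against the 1.3.29 source before it is committed.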
Re: Netscape always asks for the certificate
On Thu, Oct 30, 2003 at 09:24:04AM +0100, xavier jeannin wrote:
> 24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unsupported certificate:s3_pkt.c:1031:SSL alert number 43
> 24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:514:
>
> I am sorry but I do not understand the response. I am sure that my cert
> is valid, my private key too, and my cafile too.
> Do you know where I can read documentation that explains the error
> message? Perhaps it is a bad use of the openssl client.

openssl s_client expects the certificate and key to be in PEM format -

openssl x509 -in cert.crt -inform DER -out cert.pem -outform PEM

vh

Mads Toftum
Re: Netscape always asks for the certificate
Hi

Thanks Mads for your answer: I should have written "Netscape still asks for the cert at each page" instead of "it does not work". I made the test you suggest; here is the result:

[EMAIL PROTECTED] jeannin]# openssl s_client -host intranet.stic.cnrs.fr -port 443 -cert /usr/local/apache/conf/ssl.crt/intranet.stic.cns.fr.crt -key /usr/local/apache/conf/ssl.key/intranet.stic.cnrs.fr.key -CAfile /usr/local/apache/conf/ssl.crt/ca-bundle.crt -reconnect -ssl3
CONNECTED(0003)
depth=2 /C=FR/O=CNRS/CN=CNRS
verify return:1
depth=1 /C=FR/O=CNRS/CN=CNRS-Standard
verify return:1
depth=0 /C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/[EMAIL PROTECTED]
verify return:1
24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1031:SSL alert number 43
24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:

I am sorry but I do not understand the response. I am sure that my cert is valid, my private key too, and my cafile too.
Do you know where I can read documentation that explains the error message? Perhaps it is a bad use of the openssl client.

thank you
--xj

Mads Toftum wrote:
> On Wed, Oct 29, 2003 at 05:15:13PM +0100, xavier jeannin wrote:
> > I have developed a Web application that uses X.509 certificates.
> > Netscape asks for the certificate every time (on each page). As my users
> > have several certificates, they do not use the "Select Automatically"
> > option in Netscape; I now have to tell my users to use this option and
> > create a Netscape profile for every certificate.
> > First, I have compiled Apache with MM and use:
> >     SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> >     SSLSessionCacheTimeout 1800
> > but it does not work.
>
> "but it does not work" - how should that be understood? that
> SSLSessionCache does not work, or that the users are still being asked
> for the certificate?
>
> The simplest way to test sessions away from the browser is to use
> openssl s_client with the -reconnect option - that should tell you
> whether session caching is in effect or not.
> Usually when sessions are enabled in apache, but the browser keeps asking
> for the cert, then it is a setting in the browser - I seem to recall that
> Netscape had an option to ask for the password on every use.
>
> vh
>
> Mads Toftum

--
_________________________________
Xavier Jeannin
UREC/CNRS
Université P. & M. Curie, Mail: case 171, 4 place Jussieu, 75252 PARIS CEDEX 05
Tel: 01 44 27 42 59 - Fax: 01 44 27 42 61 - E-mail: [EMAIL PROTECTED]
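Mads's advice quoted above (run openssl s_client with -reconnect) and his reading of the Session-ID field in his later reply come down to one check on s_client's output: each of the six handshakes prints a "New, ..." or "Reused, ..." summary line and a Session-ID line, and an empty Session-ID means the server offered no session at all. The following script is an added example, not code from the thread or from mod_ssl. It classifies a saved s_client -reconnect transcript; the three transcripts embedded in it are constructed for the example (the first mirrors the shape of Xavier's output, the session IDs in the other two are taken from Mads's reply), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a saved transcript of
#   openssl s_client -connect HOST:443 -reconnect </dev/null
# s_client prints one "New, ..." or "Reused, ..." line per handshake and a
# "Session-ID:" line inside each SSL-Session block.

# Full handshakes ("New, ..."). grep -c exits 1 on a zero count, hence || true.
count_new() {
    grep -c '^New,' "$1" || true
}

# Handshakes that resumed a cached session ("Reused, ...").
count_reused() {
    grep -c '^Reused,' "$1" || true
}

# SSL-Session blocks whose Session-ID field carries no value at all.
count_empty_sid() {
    grep -c '^[[:space:]]*Session-ID:[[:space:]]*$' "$1" || true
}

# Verdict for one capture:
#   resumed             at least one reconnect was "Reused"
#   not-cached          every handshake was "New" with an empty Session-ID
#                       (the server is not handing out sessions at all)
#   cached-not-resumed  the server issued session IDs but none was resumed
session_verdict() {
    file=$1
    new=$(count_new "$file")
    reused=$(count_reused "$file")
    empty=$(count_empty_sid "$file")
    if [ "$reused" -gt 0 ]; then
        echo resumed
    elif [ "$empty" -eq "$((new + reused))" ]; then
        echo not-cached
    else
        echo cached-not-resumed
    fi
}

# Constructed sample 1: the shape of the output in the thread, two full
# handshakes, both with an empty Session-ID (trimmed to two reconnects).
SAMPLE_NO_CACHE=$(mktemp)
cat >"$SAMPLE_NO_CACHE" <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID:
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID:
    Session-ID-ctx:
EOF

# Constructed sample 2: a working cache, the reconnect resumes the first session.
SAMPLE_RESUMED=$(mktemp)
cat >"$SAMPLE_RESUMED" <<'EOF'
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
---
drop connection and then reconnect
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
EOF

# Constructed sample 3: the server issues IDs but each reconnect is a fresh
# handshake (cache too small, expired, or not shared between processes).
SAMPLE_ISSUED_NOT_REUSED=$(mktemp)
cat >"$SAMPLE_ISSUED_NOT_REUSED" <<'EOF'
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
---
drop connection and then reconnect
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 6D9E61B97ADE120B056E79A09B3489D23D7D2A74FE2D82E067CBEF50296B76B5
EOF

# Stand-alone run: print the verdict for each constructed sample.
for f in "$SAMPLE_NO_CACHE" "$SAMPLE_RESUMED" "$SAMPLE_ISSUED_NOT_REUSED"; do
    session_verdict "$f"
done
```

Against a live server, capture the output with `openssl s_client -connect host:443 -reconnect </dev/null 2>&1 | tee capture.txt` and run `session_verdict capture.txt`. Xavier's transcript above falls in the first class (every Session-ID empty), which is the case Mads describes as caching being off on the server side; the third class separates a cache that exists but is not shared or has expired from one that is absent, a distinction the empty-versus-filled Session-ID field alone does not make. The script checks only the TLS-layer session; it says nothing about whether the browser re-prompts for a client certificate, which Mads attributes to a browser setting.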
Re: apache 1.3.29?
In article <[EMAIL PROTECTED]> you wrote:
> Andreas Gietl wrote:
>>
>> On Wednesday 29 October 2003 15:39, Jim Jagielski wrote:
>>
>> i guess there will be a new patch within the next days/hours?
>
> I would guess, but that's not my area :)

Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've
already upgraded mod_ssl to Apache 1.3.29, but I've still to include
some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need
to hurry here...

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com