Re: Mac IE 5 ssl errors
What's the underlying OS? SSL Session caching just doesn't seem to work on older Linuxes is what I've discovered, and falling back to SSL2 is one thing. Another is the Mac IE is very picky and may crap out if a page includes non-SSL content.

P.

On Fri, Mar 26, 2004 at 12:14:43PM -0500, Randall Perry wrote:

Just noticed that Mac IE 5 is having problems with ssl connections to my apache 1.3.29 server. I either get the 'Security failure. Data decryption error,' or it'll connect but graphics won't load on https pages, and I get this error in httpd error.log:

[Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno: 54)

Found these changes to httpd.conf on searching the list, and implemented them, but to no avail. Anyone got a solution?

I just solved it. Do not use an SSLProtocol line. Comment out the SetEnvIf line that does nokeepalive for MSIE. Use the following instead.

BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

I'm also using this cipher suite line, but the default might work, too:

SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/

Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
DLESE Program Center (DPC)
UCAR/DPC, P.O. Box 3000, Boulder, CO 80307-3000
Email) [EMAIL PROTECTED]
Office) +1-303-497-2663
Fax) +1 303-497-8336
Pager) +1-303-201-1284 or [EMAIL PROTECTED]
[no subject]
I have httpd 2.0.48 built from source. It's been running fine for weeks but this morning it stopped responding to HTTPS although it kept going okay with HTTP. In the hopes that it would go away forever, I simply did an 'httpd restart'. A few hours later, Nagios told me that HTTPS connects were timing out again. Damn.

Now I really do have a problem to fix. I hope someone on the list can help. Packet tracing and ssldump indicate that clients are completing the TCP handshake, but the server is mute after ClientHello:

SSLDUMP output:
---
New TCP connection #1: qaos(47914) <-> aegeanx.dpc.ucar.edu(443)
1 1  0.0458 (0.0458)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0754 (0.0296)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          7b a5 2d ba 12 bb 11 55 1d ed 87 28 42 87 f5 e6
          a6 f9 9f d2 80 8d b9 d9 19 61 a2 72 19 d2 13 d5
        cipherSuite         TLS_RSA_WITH_RC4_128_SHA
        compressionMethod                   NULL
1 3  0.0754 (0.)  S>C  Handshake
      Certificate
1 4  0.0754 (0.)  S>C  Handshake
      ServerHelloDone
1 5  0.1014 (0.0259)  C>S  Handshake
      ClientKeyExchange
1 6  0.1414 (0.0400)  C>S  ChangeCipherSpec
1 7  0.1414 (0.)  C>S  Handshake
1 8  0.1513 (0.0098)  S>C  ChangeCipherSpec
1 9  0.1513 (0.)  S>C  Handshake
1 10 0.1547 (0.0034)  C>S  application_data
---

After this the server sends an ACK, then nothing.

I've changed the SSLSessionCache from shmht to dbm, but am I simply wishing in the hopes that'll change anything?

Thanks,
Peter
[no subject]
I returned to an issue I'd had some time ago with older MSIE 5.x browsers. I seemed to have solved the problem by making sure that all content is now being fetched over https. Previously I'd had some CSS and javascript coming over straight http, which might raise an error in newer browsers, but seems to cause MSIE 5.0 and 5.2 to choke completely.

Does Ralf read these posts? It may have been obvious to more seasoned SSL users out there, but if the FAQ had included this line.

    Older MSIE 5.x browsers may choke completely if trying to load pages that are a mix of HTTP and HTTPS.

I would have been saved much time and anguish.

Thanks,
Peter
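
The mixed HTTP/HTTPS condition described in the message above can be checked for before a page is published. The following Python checker is an added example, not part of the original thread: it lists the subresources an HTTPS page would fetch over plain HTTP. The tag/attribute table, the sample page and the example.org hosts are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource fetch; <a href> is navigation.
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"), ("frame", "src"),
            ("embed", "src"), ("object", "data"), ("body", "background"), ("link", "href")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collect subresources of an HTTPS page that resolve to plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.base, self.in_style, self.findings = page_url, False, []

    def _check(self, tag, ref):
        url = urljoin(self.base, ref.strip())    # resolves relative and //host references
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))   # (line, tag, URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        self.in_style = tag == "style"
        if tag == "base" and "href" in attrs:    # <base> changes how later refs resolve
            self.base = urljoin(self.base, attrs["href"])
        if tag == "link" and not set(attrs.get("rel", "").lower().split()) & {"stylesheet", "icon"}:
            return                               # canonical/alternate links are not fetched
        for name, value in attrs.items():
            if (tag, name) in FETCHING:
                self._check(tag, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:                        # url(...) inside a <style> block
            for ref in CSS_URL.findall(data):
                self._check("style", ref)

def find_mixed_content(page_url, html):
    """Return [(line, tag, url)] for every subresource that would load over http://."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), assumed to be served from an https:// URL.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.org/site.css">
<script src="//cdn.example.org/menu.js"></script>
<style>body { background: url(http://img.example.org/bg.gif) }</style>
</head><body><a href="http://www.example.org/">home</a><img src="logo.gif"></body></html>"""
```

Calling `find_mixed_content("https://secure.example.org/", SAMPLE)` reports the stylesheet and the CSS background image; the protocol-relative script, the relative image and the plain hyperlink are not flagged.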
Re: OT: cheap CA certificates
http://www.geotrust.com/equifax/

On Mon, Nov 17, 2003 at 02:33:53PM -0500, Eric Wood wrote:

From: Eric Wood [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: OT: cheap CA certificates
Date: Mon, 17 Nov 2003 14:33:53 -0500
Reply-To: [EMAIL PROTECTED]

Where can I get cheap/reliable certs for a Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.

-Eric Wood

--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)