Re: Problems with Verisign Global Server ID certificate & Netscape clients

2000-06-16 Thread Piotr Sloniowski

Hi,
I have the same problem with some export versions of IE (with 56-bit key)
and an SGC-enabled server.
Cipher negotiation depends on the URL. When I connect to a URL that is the same as the CN
field, negotiation fails. When I use an alias URL or IP address, negotiation is
correct (but the cert is useless ;)).
I think that the solution lies in the cipher order in SSLCipher or vhost
configuration, but no one in modssl-users tries to answer my question!

> 
> The problem (as in subject) concerns Netscape browsers exported
> editions that try to connect to a Win NT Server Box equipped with
> Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
> and Verisign Global Server ID certs (server.key and server.crt).

> 
> Trying the same with a RH 6.0 Linux Box with same configuration:
> Apache 1.3.12 + Mod_SSL 2.6.2 + PHP4 +OpenSSL 0.9.5 everything works fine.
> 
> What's happening ???
> 
> Regards
> 
> 
>---
>Francesco D'Inzeo
>WinTech S.r.l.
>Via Lisbona 7
>35127 PADOVA (Italy)
>Tel. (+39)-(0)49-8703033
>    Fax. (+39)-(0)49-8703045
>e-mail [EMAIL PROTECTED]
> 
> 

---
Piotr Sloniowski

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



IE 5 cipher negotiation

2000-06-13 Thread Piotr Sloniowski

Hello,

There is a problem with export versions of IE 5 (with 56-bit key).
Cipher negotiation depends on URL type. 
With any URL which points to the server (alias name, IP) EXCEPT correct one 
(same as CN field), connection works well.

The problem appears only in a few versions of IE (ca 5.00.20xx - 5.00.28xx).

I have latest mod_ssl/open_ssl/apache with SGC enabled cert. 

I really need HELP.

---
Piotr Sloniowski




IE 5.00 cipher negotiation depends on URL type !

2000-06-07 Thread Piotr Sloniowski



On Tue, 6 Jun 2000, Piotr Sloniowski wrote:

> Hi,
> Could anyone help me with crazy MSIE.
> 
> There are some versions of IE (5.00.2xx to 5.00.28xx) with 56-bit key
> which have problems with cipher negotiation.
> When I connect to FQDN URL, negotiated cipher (?) is RC4-MD5 (128/128)
> and connection fails (browser does not support that!?).
> When I connect to that server with IP URL cipher is different and
> connection works.
> 
> Every other lower version IE (4.0 with 40-bit key) and   
> higher (with 128-bit key) works well.
> 
> I'm using mod_ssl-2.6.4-1.3.12 with openssl-0.9.5a, apache 1.3.12
> with standard configuration.
My server has SGC enabled.
> 
> I have no idea what to do. Please HELP.
> 
> Here are the logs from that situation:
> 
> Connection to URL https://www :
> 
> 1. Connection to child 0 established 
> (server www.pl:443, client 10.0.0.3)
> 
> 2. Seeding PRNG with 1160 bytes of entropy
> 
> 3. Connection: Client IP: 10.0.0.3, Protocol: SSLv3, 
> Cipher: EXP1024-RC4-SHA (56/128 bits)
> 
> 4. Connection: Client IP: 10.0.0.3, Protocol: SSLv3, 
> Cipher: RC4-MD5 (128/128 bits) <-- wrong cipher ???
> 
> 5. Connection to child 0 closed with standard shutdown 
> (server www:443, client 10.0.0.3)
> <-- lost IE - "dnserror" !!!
> 
> 
> Connection to above URL with no DNS https://10.0.0.2 (www) 
> 
> 1. Connection to child 4 established 
> (server www:443, client 10.0.0.3)
> 
> 2. Seeding PRNG with 1160 bytes of entropy
> 
> 3. Connection: Client IP: 200.10.5.62, Protocol: SSLv3, 
> Cipher: EXP1024-RC4-SHA (56/128 bits) <-- correct cipher ???
> 
> 4. Initial (No.1) HTTPS request received for child 4 
> (server www.pekao-fs.com.pl:443)
> 
> 5. Connection to child 4 closed with unclean shutdown 
> (serverwww.pekao-fs.com.pl:443, client 200.10.5.62)
> <-- fine

---
Piotr Sloniowski




Re: IE 5.00.2xx incorrect cipher negotiation

2000-06-06 Thread Piotr Sloniowski

Sorry, I didn't mention that my server has SGC enabled.

README.GlobalID does not explain why cipher negotiation depends on URL type.

On Tue, 6 Jun 2000, Mads Toftum wrote:

> Please read http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID
> it may explain why you see this.
> 
> vh
> 
> Mads Toftum
> -- 
> `Darn it, who spiked my coffee with water?!' - lwall

---
Piotr Sloniowski




IE 5.00.2xx incorrect cipher negotiation

2000-06-06 Thread Piotr Sloniowski

Hi,
Could anyone help me with crazy MSIE.

There are some versions of IE (5.00.2xx to 5.00.28xx) with 56-bit key
which have problems with cipher negotiation.
When I connect to FQDN URL, negotiated cipher (?) is RC4-MD5 (128/128)
and connection fails (browser does not support that!?).
When I connect to that server with IP URL cipher is different and
connection works.

Every other lower version IE (4.0 with 40-bit key) and   
higher (with 128-bit key) works well.

I'm using mod_ssl-2.6.4-1.3.12 with openssl-0.9.5a, apache 1.3.12
with standard configuration.

I have no idea what to do. Please HELP.

Here are the logs from that situation:

Connection to URL https://www :

1. Connection to child 0 established 
(server www.pl:443, client 10.0.0.3)

2. Seeding PRNG with 1160 bytes of entropy

3. Connection: Client IP: 10.0.0.3, Protocol: SSLv3, 
Cipher: EXP1024-RC4-SHA (56/128 bits)

4. Connection: Client IP: 10.0.0.3, Protocol: SSLv3, 
Cipher: RC4-MD5 (128/128 bits) <-- wrong cipher ???

5. Connection to child 0 closed with standard shutdown 
(server www:443, client 10.0.0.3)
<-- lost IE - "dnserror" !!!


Connection to above URL with no DNS https://10.0.0.2 (www) 

1. Connection to child 4 established 
(server www:443, client 10.0.0.3)

2. Seeding PRNG with 1160 bytes of entropy

3. Connection: Client IP: 200.10.5.62, Protocol: SSLv3, 
Cipher: EXP1024-RC4-SHA (56/128 bits) <-- correct cipher ???

4. Initial (No.1) HTTPS request received for child 4 
(server www.pekao-fs.com.pl:443)

5. Connection to child 4 closed with unclean shutdown 
(serverwww.pekao-fs.com.pl:443, client 200.10.5.62)
<-- fine


Thanks.
---
Piotr Sloniowski
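
The two log excerpts in the post above can be compared mechanically. The following is an added example, not part of the original post or of mod_ssl: it groups the quoted message types per connection and flags connections whose negotiated key size rose between handshakes and that closed before any HTTPS request arrived. The sample log is constructed from the messages quoted in the post, one message per line, with a placeholder host name; the function and field names are assumptions.

```python
import re

# Constructed sample: the message texts quoted in the post, one per line,
# with a placeholder host name (www.example.test) and test addresses.
SAMPLE_LOG = """\
Connection to child 0 established (server www.example.test:443, client 10.0.0.3)
Seeding PRNG with 1160 bytes of entropy
Connection: Client IP: 10.0.0.3, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
Connection: Client IP: 10.0.0.3, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
Connection to child 0 closed with standard shutdown (server www.example.test:443, client 10.0.0.3)
Connection to child 4 established (server www.example.test:443, client 10.0.0.3)
Seeding PRNG with 1160 bytes of entropy
Connection: Client IP: 10.0.0.3, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)
Initial (No.1) HTTPS request received for child 4 (server www.example.test:443)
Connection to child 4 closed with unclean shutdown (server www.example.test:443, client 10.0.0.3)
"""

OPEN = re.compile(r"Connection to child (\d+) established \(server \S+, client ([\d.]+)\)")
CIPHER = re.compile(r"Connection: Client IP: ([\d.]+), Protocol: (\S+), Cipher: (\S+) \((\d+)/(\d+) bits\)")
REQUEST = re.compile(r"HTTPS request received for child (\d+)")
CLOSE = re.compile(r"Connection to child (\d+) closed with (\w+) shutdown")

def summarize(log_text):
    """Return one record per closed connection, in the order they closed."""
    open_by_child, child_by_client, done = {}, {}, []
    for line in log_text.splitlines():
        if m := OPEN.search(line):
            child, client = m.groups()
            open_by_child[child] = {"child": int(child), "client": client, "ciphers": [], "requests": 0}
            child_by_client[client] = child  # Cipher lines carry only the client IP
        elif m := CIPHER.search(line):
            client, _proto, name, used_bits, _alg_bits = m.groups()
            conn = open_by_child.get(child_by_client.get(client))
            if conn is not None:
                conn["ciphers"].append((name, int(used_bits)))
        elif (m := REQUEST.search(line)) and m.group(1) in open_by_child:
            open_by_child[m.group(1)]["requests"] += 1
        elif (m := CLOSE.search(line)) and m.group(1) in open_by_child:
            conn = open_by_child.pop(m.group(1))
            bits = [b for _, b in conn["ciphers"]]
            conn["shutdown"] = m.group(2)
            # More than one handshake on the connection, ending at a larger key size.
            conn["renegotiated_up"] = len(bits) > 1 and bits[-1] > bits[0]
            conn["suspect"] = conn["renegotiated_up"] and conn["requests"] == 0
            done.append(conn)
    return done

if __name__ == "__main__":
    for c in summarize(SAMPLE_LOG):
        print(c["child"], c["ciphers"], c["requests"], c["shutdown"], "SUSPECT" if c["suspect"] else "ok")
```

Matching Cipher lines to a connection by client IP is only reliable when a client has one connection open at a time, as in the excerpts above.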
