Problem with ssl

1999-11-10 Thread Roddy Strachan

Hi,
I managed to get a certificate up and running, but whilst running
with apache-ssl, I get:

[Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(355): Random input /dev/urandom(1024) -> 1112
[Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(928): Generating 512 bit key
[Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(272): SSL_accept returned 0
[Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(276): error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

Any ideas? In the web browser it says

The security library has experienced an out of memory error. Please try to
reconnect.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Problem with ssl

1999-11-11 Thread Ben Laurie

Roddy Strachan wrote:
> 
> Hi,
> I managed to get a certificate up and running, but whilst running
> with apache-ssl, I get:
> 
> [Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(355): Random input
> /dev/urandom(1024) -> 1112
> [Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(928): Generating 512 bit
> key
> [Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(272): SSL_accept returned
> 0
> [Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(276): error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> 
> Any ideas? In the web browser it says
> 
> The security library has experienced an out of memory error. Please try to
> reconnect.

That usually happens when you've left some fields blank in the server
cert.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



Re: Problem with ssl

1999-11-11 Thread Newton Nyante

You using a real cert?  Are you using NS?  I found that if CN is not real or
resolvable by DNS it can give that error.

-N
- Original Message -
From: Roddy Strachan <[EMAIL PROTECTED]>
To: SSL List <[EMAIL PROTECTED]>
Sent: Wednesday, November 10, 1999 7:21 PM
Subject: Problem with ssl


> Hi,
> I managed to get a certificate up and running, but whilst running
> with apache-ssl, I get:
>
> [Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(355): Random input
> /dev/urandom(1024) -> 1112
> [Thu Nov 11 11:18:50 1999] [debug] apache_ssl.c(928): Generating 512 bit
> key
> [Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(272): SSL_accept returned
> 0
> [Thu Nov 11 11:18:51 1999] [debug] apache_ssl.c(276): error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> Any ideas? In the web browser it says
>
> The security library has experienced an out of memory error. Please try to
> reconnect.



Problem with SSL Site

2000-06-02 Thread Shaw, Christopher

I was wondering if anyone could shed some light on this:


I am using the s_client command within OpenSSL utility under Windows NT which works great
for testing most secure sites. However one site, out of the hundreds I've tested has
proven problematic. A GET against https://www.genuity.com will not
fetch the same page content that a browser will. It always yields a server error (500)
when attempting to GET the site's root page. I've tried setting various combinations
of SSL flags to no avail. Any insight would be much obliged...


Christopher Shaw
Senior Developer
Gomez Advisors, Inc
http://www.gomez.com
[EMAIL PROTECTED]





problem with SSL reconnection

2001-11-02 Thread ganesh kumar godavari


Hi everyone,

I am working on an SSL server. Upon getting a request from the client, the server is
successfully serving the request. If I am going to use the same process for serving
another request from the same/different client, I get the following error during
SSL_accept():

 10190:error:140D9115:SSL routines:SSL_GET_PREV_SESSION: session id context uninitialized

Since the problem may be caused by SSL_get_session()/SSL_SESSION_free(), I looked in the
SSL_set_session_id_context man page and added the following code:

  int s_server_session_id_context = 1;

  SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
                                 sizeof s_server_session_id_context);

On doing the above I am getting the following errors:

 error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence
 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

On Internet Explorer it is popping up a window and asking me for the certificate.
On Netscape I do not get any such problems, but I am getting the above error messages.

Can anyone tell me how I can overcome the following problem?

Thanks in advance
ganesh godavari 




Problem with SSL and Apache

1999-04-28 Thread Mike Davis

I sent this message to the curl mailing list, but thought I would
also send it to the openSSL list, in case anyone has seen a problem
like this.

I'm using curl 5.6.2beta on both Solaris 2.6 and Linux systems,
with OpenSSL 0.9.2b, to access an Apache server (Stronghold/2.4.1
Apache/1.3.3) on Solaris 2.6.  After I've made a thousand or so
requests via SSL, the Apache httpsd daemons start crashing with
a segmentation fault on every SSL access, but continue to work for
non-SSL access.

Has anyone seen a problem like this before?  Is the problem related to
curl, SSL, or Apache?

I'd appreciate any suggestions anyone has.

Thanks,
Mike Davis
Billpoint, Inc.




Re: Problem with SSL Site

2000-06-02 Thread Andrew W. Gray

>A GET against https://www.genuity.com will not 
>fetch the same page content that a browser will. It always yields a
>server error (500) 
>when attempting to GET the site's root page

The server is most likely looking to read the User-Agent HTTP header
to do some preprocessing before returning the page.  Since it can't
find it, it simply aborts.  Check the HTTP RFC for the exact syntax and
send both lines:

GET / HTTP/1.0
User-Agent: find correct syntax in rfc
\n\n

has nothing to do with the ssl connxn.

Andrew

-- 
reply dropped from dev list - sent only on users




Re: Problem with SSL Site

2000-06-05 Thread Einar Indridason

> I was wondering if anyone could shed some light on this:
> 
> I am using the s_client command within OpenSSL utility under Windows NT
> which works great
> for testing most secure sites. However one site, out of the hundreds I've
> tested has
> proven problematic. A GET against https://www.genuity.com will not
> fetch the same page content that a browser will. It always yields a server
> error (500)
> when attempting to GET the site's root page. I've tried setting various
> combinations
> of SSL flags to no avail. Any insight would be much obliged...

Try adding the HTTP header "Host: www.genuity.com" and see if the
returned stuff changes.
--
[EMAIL PROTECTED]



Re: Problem with SSL and Apache

1999-04-28 Thread Bodo Moeller

On Wed, Apr 28, 1999 at 09:28:18AM -0700, Mike Davis wrote:

> I'm using curl 5.6.2beta [...] with OpenSSL 0.9.2b, to access an
> Apache server (Stronghold/2.4.1 Apache/1.3.3) on Solaris 2.6.  After
> I've made a thousand or so requests via SSL, the Apache httpsd
> daemons start crashing with a segmentation fault on every SSL
> access, but continue to work for non-SSL access.

So it's Stronghold that's broken, and you should report the bug to
C2Net.  The symptoms would appear to indicate that the problem is in
the Stronghold SSL session cache implementation.



RE: Problem with SSL and Apache

1999-04-28 Thread Ian Pollard

I tested a non-forking minimal test server (no verify client certs, but
server supplies cert on request, encrypted session) with many consecutive
secure client sessions using OpenSSL-0.9.2b on Solaris 2.6 through Rational
Purify and it came through with NO memory leaks or other nasty errors.  This
does not discount the problem being with OpenSSL, but reduces my suspicions.

Ian Pollard
The Partnership Group

-Original Message-
From: Mike Davis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 29, 1999 2:28 AM
To: [EMAIL PROTECTED]
Subject: Problem with SSL and Apache


I sent this message to the curl mailing list, but thought I would
also send it to the openSSL list, in case anyone has seen a problem
like this.

I'm using curl 5.6.2beta on both Solaris 2.6 and Linux systems,
with OpenSSL 0.9.2b, to access an Apache server (Stronghold/2.4.1
Apache/1.3.3) on Solaris 2.6.  After I've made a thousand or so
requests via SSL, the Apache httpsd daemons start crashing with
a segmentation fault on every SSL access, but continue to work for
non-SSL access.

Has anyone seen a problem like this before?  Is the problem related to
curl, SSL, or Apache?

I'd appreciate any suggestions anyone has.

Thanks,
Mike Davis
Billpoint, Inc.




Problem with SSL and Apache in Windows

2002-06-11 Thread Gustavo Suhit

Hi People,
 I have a problem with the Apache Server, working with SSL. I'm
using: Apache 1.2.22 / mod_ssl 2.8.5 / OpenSSL 0.9.6a. The log error that
appears in the log file is:

[Tue Jun 11 12:12:13 2002] [error] mod_ssl: SSL handshake failed (server
domain.com:443, client 211.45.65.223) (OpenSSL library error follows)
[Tue Jun 11 12:12:13 2002] [error] OpenSSL: error:140B5446:SSL
routines:SSL_GET_NEW_SESSION:engine not initialized

This server is running in Windows 2000 Advanced Server with SP2.

Thanks in advance,
Gustavo




Problem with SSL certificate in apache 2.0.43

2002-10-15 Thread Neil Aggarwal

Hello:

I am trying to set-up apache 2.0.43 using ssl on RedHat 8.0.

Here is the sequence of commands I typed:

cd /usr/local
rpm -e apache httpd mod_ssl mod_perl mod_dav redhat-config-httpd
rm -rf /var/www/html /var/www /var/log/httpd /etc/httpd/conf
lynx http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz
tar zxf httpd-2.0.43.tar.gz
cd httpd-2.0.43
./configure --prefix=/usr/local/apache --enable-ssl
make
make install
cd /usr/local/apache/conf
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
openssl req -new -days 365 -key server.key -out server.csr
lynx http://lamps.efactory.de/sign.sh
chmod 744 sign.sh
./sign.sh server.csr

At this point, I got this output with an error message:
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Texas'
localityName  :PRINTABLE:'Plano'
organizationName  :PRINTABLE:'JAMM Consulting, Inc.'
organizationalUnitName:PRINTABLE:'Web Services'
commonName:PRINTABLE:'dsl.JAMMConsulting.com'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Oct 16 05:58:07 2003 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Texas/L=Plano/O=JAMM Consulting, Inc./OU=Web
[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Texas/L=Plano/O=JAMM Consulting, Inc./OU=Web
[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure

Looking around the net, I saw one page that said that I need to
examine the verify call in the sign.sh script, but that seems
to be fine to me.  Here is the contents of the sign.sh script:
#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign .csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
   * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config < $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0


A different page told me that the message was no problem and to continue.
So, I tried it.  I did these commands:

chmod 400 server.key
chmod 400 server.key.secure
vi /usr/local/apache/conf/ssl.conf  and set these values:
ServerAdmin [EMAIL PROTECTED]
ServerName dsl.JAMMConsulting.com:80
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key

vi /usr/local/apache/conf/httpd.conf and set these values:
ServerAdmin [EMAIL PROTECTED]
ServerName dsl.JAMMConsulting.com:80
/usr/local/apache/bin/apachectl startssl

Everything seemed OK so far, but when I opened Mozilla and tried to
connect to https://dsl.JAMMConsulting.com I got an error message
that stated:
Could not establish an encrypted connection because certificate presented
by dsl.jammconsulting.com is invalid or corrupted. Error Code: -8182

In the error_log for apache, I see this error:
[Wed Oct 16 01:07:12 2002] [error] SSL handshake failed (server
dsl.JAMMConsulting.com:443, client 127.0.0.1)
[Wed Oct 16 01:07:12 2002] [error] SSL Library Error: 336151570
error:14094412:lib(20):func(148):reason(1042)

Any ideas what this means and how I fix it?

Thanks,
Neil.

--
Neil Aggarwal
JAMM Consulting, Inc.(972) 612-6056, http://www.JAMMConsulting.com
Custom Internet DevelopmentWebsites, Ecommerce, Java, databases
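
The error codes quoted in this thread can be unpacked mechanically. The following is an added example, not code from any poster or from the OpenSSL project: it decodes the packed error format used by OpenSSL releases before 3.0, which the log above confirms (14094412 is lib(20):func(148):reason(1042)), and shows that reason 1042 is 1000 plus alert 42 (bad_certificate), an alert received from the peer, here the browser refusing the server certificate. The function names, the alert table and the SAMPLE list are assumptions made for illustration; the log lines are copied from the messages on this page with mail line-wrapping undone.

```python
import re

# OpenSSL before 3.0 packs an error into 32 bits:
#   8 bits library | 12 bits function | 12 bits reason
ERR_LIB_SSL = 20
LIB_NAMES = {13: "asn1 encoding routines", 20: "SSL routines"}

# In the SSL library, a reason of 1000 + N means alert N was received
# from the peer (SSL_AD_REASON_OFFSET in ssl.h).
SSL_AD_REASON_OFFSET = 1000

# Alert descriptions defined by SSLv3 / TLS 1.0.
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca",
}

HEX_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")      # error:14094412:...
DEC_RE = re.compile(r"SSL Library Error: (\d+)")     # mod_ssl decimal form


def decode(code):
    """Split a packed pre-3.0 OpenSSL error code into its fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # Only name the alert when the number is one we know.
        alert = ALERTS.get(reason - SSL_AD_REASON_OFFSET)
    return {"lib": lib, "lib_name": LIB_NAMES.get(lib, "unknown"),
            "func": func, "reason": reason, "peer_alert": alert}


def decode_line(line):
    """Find an error code (hex or decimal form) in a log line and decode it."""
    m = HEX_RE.search(line)
    if m:
        return decode(int(m.group(1), 16))
    m = DEC_RE.search(line)
    return decode(int(m.group(1))) if m else None


def explain(line):
    """One-line summary that says whether the failure was signalled by the peer."""
    d = decode_line(line)
    if d is None:
        return "no OpenSSL error code found"
    where = "lib %d (%s), func %d, reason %d" % (
        d["lib"], d["lib_name"], d["func"], d["reason"])
    if d["peer_alert"]:
        return where + ": alert '%s' received from the peer" % d["peer_alert"]
    return where


# Log lines copied from this thread (wrapping undone).
SAMPLE = [
    "[Wed Oct 16 01:07:12 2002] [error] SSL Library Error: 336151570",
    "10190:error:140D9115:SSL routines:SSL_GET_PREV_SESSION: session id context uninitialized",
    "error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate",
    "error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(explain(entry))
```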




Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-16 Thread Dr Stephen Henson

[EMAIL PROTECTED] wrote:
> 
> Hi all,
> 
> Our first attempt to install a secure webserver was not successful. We
> did install Openssl (0.9.4) and WN webserver (2.3.3) on a Linux box.
> 
> After installing a Verisign test certificate; when testing with
> ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
> everything seems to work; the HTTP GET is recorded in the server
> logging. But when accessing the server with Netscape (4.5) I get a popup
> box 'Netscape and this server cannot communicate securely because they
> have no common encryption algorithms'.
> 
> What could cause this
> 

Err they have no common encryption algorithms? :-)

Possibly the server only supports strong encryption or has been
configured to only support strong encryption and you are using an export
grade browser?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-16 Thread jonp

Dear Steve,

You're right: I've downloaded a 128bit IEX security upgrade and now it works.
But, now we've to find out how to install 'weak' encryption.

Thanks again

Jon Petersen


Dr Stephen Henson wrote:

> [EMAIL PROTECTED] wrote:
> >
> > Hi all,
> >
> > Our first attempt to install a secure webserver was not successful. We
> > did install Openssl (0.9.4) and WN webserver (2.3.3) on a Linux box.
> >
> > After installing a Verisign test certificate; when testing with
> > ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
> > everything seems to work; the HTTP GET is recorded in the server
> > logging. But when accessing the server with Netscape (4.5) I get a popup
> > box 'Netscape and this server cannot communicate securely because they
> > have no common encryption algorithms'.
> >
> > What could cause this
> >
>
> Err they have no common encryption algorithms? :-)
>
> Possibly the server only supports strong encryption or has been
> configured to only support strong encryption and you are using an export
> grade browser?
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>



Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-17 Thread jonp

> > After installing a Verisign test certificate; when testing with
> > ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
> > everything seems to work; the HTTP GET is recorded in the server
> > logging. But when accessing the server with Netscape (4.5) I get a popup
> > box 'Netscape and this server cannot communicate securely because they
> > have no common encryption algorithms'.
>
> Possibly the server only supports strong encryption or has been
> configured to only support strong encryption and you are using an export
> grade browser?

That's right! Now we've created a certificate with the option -newkey rsa:512.
Great, it works. But, is it possible to offer users with 'strong browsers' the
strong encryption while offering poor European users the weak encryption? Now
they all use the same weak encryption. I can't find anything about this in the
docs. Btw which docs ;)

Jon Petersen



Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-17 Thread jonp

Steve,

The server is WN 2.3.3 (see also http://www.wnserver.org). It works with both
'strong' and 'weak' browsers, but I can't figure out if it uses strong encryption
where possible (e.g. strong browsers).

Jon

Dr Stephen Henson wrote:

> [EMAIL PROTECTED] wrote:
> >
> >
> > That's right! Now we've created a certificate with the option -newkey rsa:512.
> > Great, it works. But, is it possible to offer users with 'strong browsers' the
> > strong encryption while offering poor European users the weak encryption? Now
> > they all use the same weak encryption. I can't find anything about this in the
> > docs. Btw which docs ;)
> >
>
> The server should work with export ciphers even if the key is larger
> than 512 bits by using an RSA temporary key. Which server is it BTW?
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>



Re: Problem with SSL Netscape: ...no common encryption algorithm...??

2000-02-17 Thread Amit Chopra

Hi
The browsers send a prioritised list of ciphers to the server for selection,
strong first, followed by the weaker ones.
The server selects the first cipher that matches. So the server should typically
select the strongest possible common cipher.

:) Amit.

[EMAIL PROTECTED] wrote:

> Steve,
>
> The server is WN 2.3.3 (see also http://www.wnserver.org). It works with both
> 'strong' and 'weak' browsers, but I can't figure out if it uses strong encryption
> where possible (e.g. strong browsers).
>
