On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this problem
> for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47
> to 2.2.14, and I need SSL support. Everything seems to build and compile
> okay, but when I try to access my site running on 2.2.14, I get a strange
> error from Firefox: "Secure connection failed. An error occurred during a
> connection to xxxxxx. SSL peer reports incorrect Message Authentication
> Code. (Error code: ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a different idea of what their session keys are. This happens when the pre-master secret that the client sent was decrypted with a private key that does not belong to the certificate that the server passed to the client.

Do you by any chance use a Hardware Security Module to protect the private key?

Can you try using your key file and certs with a simple test server included with openssl? Like so:

    openssl s_server -cert /path/to/yourSSLCertificateFile \
        -key /path/to/yourSSLCertificateKeyFile \
        -CAfile /path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

    curl -i https://localhost:4433/

or

    openssl s_client -connect localhost:4433

and see if that works.

S.

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results.
> This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all
> the same files and SSL certificates as the 2.0.47 server. I've called
> Verisign; I have valid certificates, but they've never heard of this error
> before. If I self-sign a certificate and test it with the 2.2.14 server, it
> seems to work (except for the expected error message regarding self-signed
> certificates).
>
> Searching on Google has led me to try forcing Apache to compile with prefork
> enabled (but it seems to default to that anyway on Solaris). I've also tried
> statically linking Apache during compile with the same results.
>
> If anyone has any ideas or suggestions, I'd very much appreciate them...
>
> Thank you,
> John
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.

--
Sander Temme
scte...@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
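
The reply above attributes the bad MAC alert to a private key that does not belong to the certificate the server presents. One way to check that condition directly on the files named by SSLCertificateFile and SSLCertificateKeyFile, as an added example that is not part of the original thread: the function names and exit-code convention are assumptions of this example, and it assumes an openssl build that has the pkey command and a PEM key file that openssl can read (it prompts if the key is passphrase-protected).

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a private key belongs
# to a certificate by comparing the public key each of them contains.
# Usage: sh check_pair.sh /path/to/cert.pem /path/to/key.pem

# key_matches_cert CERT KEY
# Returns 0 if KEY is the private half of the public key in CERT,
# 1 if the two public keys differ, 2 if either file cannot be read.
key_matches_cert() {
    # Public key embedded in the certificate, as SubjectPublicKeyInfo PEM.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    # Public key derived from the private key, in the same PEM form.
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# report CERT KEY
# Prints a one-line verdict and returns the code from key_matches_cert.
report() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 is the private key for $1" ;;
        1) echo "MISMATCH: $2 does not belong to $1" ;;
        *) echo "ERROR: could not read $1 or $2" ;;
    esac
    return "$rc"
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

This only covers keys stored in files; a key held in a Hardware Security Module, which the reply asks about, cannot be read this way.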