Nauman, Ahmed [IT] | 1 Aug 2003 16:24

Handshake Failed

Hi,

Please help with this client authentication issue. I have made sure the client's issuer is in the server's trusted CA
list. All the certificates involved are correct and valid.

ssl log
[info]  Connection to child 0 established (server cddfs1.nj.ssmb.com:443, client 199.67.140.20)
[info]  Seeding PRNG with 1160 bytes of entropy
[error] Certificate Verification: Error (20): unable to get local issuer certificate
[error] SSL handshake failed (server cddfs1.nj.ssmb.com:443, client 199.67.140.20) (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

error log
 Certificate Verification: Error (20): unable to get local issuer certificate
 SSL handshake failed (server wert.npo.dfssmfrb.com:443, client abc.def.140.20) (OpenSSL library error follows)
 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Regards,
Nauman
_______________________________________________
Citibank N.A., 111 Wall St., New York, NY
Ph:   +1-212-657-1070 (w), +1-718-951-0508 (h)
Fax: +1-212-657-1645


Dmitri Dmitrienko | 4 Aug 2003 19:36

crash in mod_ssl 2.8.15

crash report:

environment:
mod_ssl 2.8.15, apache 1.3.28
platform: win32, win XP sp 1
compiler MS VC 6 sp 5
client IE 6
client Mozilla 1.3

steps to reproduce:
using IE 6 or Mozilla 1.3, open an HTTP/SSL connection to localhost.
Open any plain HTML page there with some GIFs and press refresh many times
while holding Shift (full refresh for IE, or Ctrl-F5 for Mozilla).
The crash happens every time within 4-8 refreshes (in IE) or 30-40 for Mozilla.

call stack:
0: ap_ctx_get(ctx=0x6567616d, key="ssl::io::suck")
1: ssl_io_suck_read(ssl=0x0095b228, buf=0x008f4860, len=4096)
2: SSL_recvwithtimeout(fb=0x008f4810, buf=0x008f4860, len=4096)
3: ssl_io_hook_recvwithtimeout(fb=0x008f4810, buf=0x008f4860, len=4096)
4: ap_hook_call_func(0x00dade34->"p", 0x0086d1a0,
hf=0x0086ea88->{ssl_io_hook_recvwithtimeout, 0})

some noticed details:
a) buf contained a valid GET request:
GET /images/logo.gif HTTP/1.1
Accept: */*
Referer: https://localhost
Accept-Language:en-us
....

Arthur Chan | 5 Aug 2003 10:36

Browser specific OpenSSL mod_ssl problem !

Hi All.
Help. Netscape is driving me to drinks!
Problem : Netscape 7.1 will not "redirect" from http://my.first.dom to
https://my.secure.dom, claims it is transmitting in clear text (rather than
encrypted).

Objective : from the first web-site, create a link to a secure web-site inside
index.html using an anchor, e.g. <A HREF="https://my.secure.dom">ClickMe</A>

Set up : Apache2 httpd + mod_ssl + Tomcat + Oracle. Tomcat holds java
servlets. Apache server has applets communicating with servlets.

What works : Everything works just fine using W98+MSIE5 or W98+Netscape6.2
or Linux+Mozilla.

What doesn't work : Using Netscape 7.1, when I key in the URL
"my.first.dom", it takes me to the web-site. When I click on the link to
"my.secure.dom", which does indeed take me to the secure site, it presents
the logon screen and the certificate. I logged on and accepted the
certificate. Normally in Netscape 6.2, the tiny lock located in bottom right
side of screen should be closed and shows the certificate when I click on
it. But in 7.1, the lock is NOT CLOSED and it says that the transmission is
in clear text for all to see.
However, if I key in the URL : https://my.secure.dom, the little lock closes
and shows the certificate.
...
[code]
(httpd.conf)
...
Listen 192.168.100.1:80

Arthur Chan | 5 Aug 2003 11:26

Any tools to test https+mod_ssl ???

Hi All.
Further to my earlier comments that httpd + mod_ssl seems to be ignored by
Netscape 7.1:
After logging in and accepting the certificate, 7.1's little lock remains
open and says I am transmitting in clear text.
Yet Netscape 6.2, MSIE5 and Mozilla all accepted the certificate and they
say the transmission is encrypted.
Are there any tools available to test the transmission ???
Cheers.
:-)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Kiyoshi Watanabe | 5 Aug 2003 11:38

Re: Any tools to test https+mod_ssl ???


Hi, I think that the following may help you.

openssl s_client -connect localhost:443 -state -debug

Please refer to the FAQ for details (www.modssl.org)

-Kiyoshi
Kiyoshi Watanabe

> Hi All.
> Further to my earlier comments that httpd + mod_ssl seems to be ignored by
> Netscape 7.1
> After logging-in and accepting the certificate, 7.1's liitle lock remains
> open and says I am transmitting in clear text.
> Yet Netscape 6.2, MSIE5 and Mozilla all accepted the certificate and they
> say the transmission is encrypted.
> Are there any tools available to test the transmission ???
> Cheers.
> :-)

Herbert Neugebauer | 5 Aug 2003 19:32

Certificate verification problem (required client certificate)

Hello,

I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and
possibly tomcat 4.1.27).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content.

However the 4th application doesn't work. One of the working applications
is PHP, another also working application is JSP based, so using Tomcat.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser (IE),
but the JAVA Plug-In just says "applet not found", and in the web-server
error file (set to INFO) I see the following errors:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server

Arthur Chan | 7 Aug 2003 11:10

SSL throws SSL23_GET_SERVER_HELLO error

Hi All.
When I run the following command line :
[ssl] # openssl s_client -connect localhost:443 -state -debug
I get this error message :
...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
...
Looking at line 460 of the source, it is exactly that error, no further
clues available.
Does anyone know more about it and want to help out ???
Cheers.


Nauman, Ahmed [IT] | 7 Aug 2003 16:07

RE: SSL throws SSL23_GET_SERVER_HELLO error

Please see following links
http://www.mail-archive.com/modssl-users <at> modssl.org/msg16205.html
http://forums.devshed.com/archive/15/2001/11/4/25897

Hope they help.

Regards,
Nauman

-----Original Message-----
From: Arthur Chan [mailto:achana <at> saysit.com.hk]
Sent: Thursday, August 07, 2003 5:10 AM
To: modssl-users <at> modssl.org
Subject: SSL throws SSL23_GET_SERVER_HELLO error

Hi All.
When I run the following command line :
[ssl] # openssl s_client -connect localhost:443 -state -debug
I get this error message :
...
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
...
Looking at line 460 of the source, it is exactly that error, no further
clues available.

Arthur Chan | 8 Aug 2003 06:39

FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

Hiya
I followed the discussion on those links, but it was not conclusive for me.
It would seem that I have got both apache2.0.40 + mod_ssl talking with
OpenSSL, using name-based vhosts. I have the certificate installed and
self-signed. However
[ssl] # openssl s_client -connect localhost:443 -state -debug
still throws this sticky error :
SSL_connect:error in SSLv2/v3 read server hello A
1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:
I am down to checking the source code (reveals nothing much other than it is
an error), and blindly changing things in httpd.conf...
Frustrating

----- Original Message -----
From: "Nauman, Ahmed [IT]" <ahmed.nauman <at> citigroup.com>
To: <modssl-users <at> modssl.org>
Sent: Thursday, August 07, 2003 10:07 AM
Subject: RE: SSL throws SSL23_GET_SERVER_HELLO error

Please see following links
http://www.mail-archive.com/modssl-users <at> modssl.org/msg16205.html
http://forums.devshed.com/archive/15/2001/11/4/25897

Hope they help.

Regards,
Nauman

Cliff Woolley | 8 Aug 2003 07:51

Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error

On Fri, 8 Aug 2003, Arthur Chan wrote:

> [ssl] # openssl s_client -connect localhost:443 -state -debug
> still throws this sticky error :
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded so you're
getting a rather non-descriptive error message.  No big deal, it just
means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you
looked at the debug dump you'd see something very similar to:
0000 - 3c 21 44 4f 43 54 59 <!DOCTY
which was mentioned in one of those links the other guy sent you.  It's
telling you that that's what it received from the server.  You'll notice
that "<!DOCTY" is the first few bytes of a standard html page unencrypted.
So this tells you that your web server is in fact speaking plain HTTP on
port 443 rather than HTTPS.  You probably do not have "SSLEngine on" for
that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with
SSL.  You must realize that this doesn't work right in the general case.
Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Hope this helps.
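The two diagnoses above (Kiyoshi's `openssl s_client -connect localhost:443 -state -debug` and Cliff's point that a `-debug` dump beginning `3c 21 44 4f 43 54 59 <!DOCTY` means the server is answering plain HTTP on port 443) can be automated with a small probe. The following is an added example written for this page, not code from the thread or from mod_ssl/OpenSSL: it sends a hand-built minimal TLS ClientHello, reads the first bytes back, and classifies them as a TLS record, an SSLv2 record, or plaintext HTTP. The sample replies are constructed, the `probe()` host and timeout are assumptions, and `debug_line()` only approximates the `s_client -debug` hex layout.

```python
"""Probe a port that should be speaking TLS and report what it actually answered with."""
import os
import socket
import sys

# Constructed sample replies (not captured from the list posts above).
SAMPLE_PLAINTEXT_HTML = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">\n<html>'
SAMPLE_PLAINTEXT_STATUS = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("160303004a020000460303")   # handshake record, ServerHello
SAMPLE_TLS_ALERT = bytes.fromhex("1503030002" "0228")              # alert record: fatal(2) handshake_failure(40)
SAMPLE_SSLV2_HELLO = bytes.fromhex("802e0400")                     # SSLv2 two-byte header, high bit set


def build_client_hello() -> bytes:
    """Minimal TLS 1.2-style ClientHello (no extensions): enough to make any TLS server
    answer with a ServerHello or at least an alert, and any plaintext server reveal itself."""
    body = (
        b"\x03\x03"                     # client_version: TLS 1.2
        + os.urandom(32)                # random
        + b"\x00"                       # session_id length 0
        + b"\x00\x04\xc0\x2f\x00\x2f"   # 2 cipher suites: ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-SHA
        + b"\x01\x00"                   # 1 compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # TLS record header


def classify_reply(first_bytes: bytes) -> str:
    """Map the first bytes a server sent back to the protocol it is evidently speaking."""
    if not first_bytes:
        return "empty"
    ctype = first_bytes[0]
    # TLS record: content type 0x14..0x17 followed by major version byte 3
    if len(first_bytes) >= 3 and 0x14 <= ctype <= 0x17 and first_bytes[1] == 0x03:
        return {0x16: "tls-handshake", 0x15: "tls-alert"}.get(ctype, "tls-record")
    # Plain HTTP: a status line or an HTML document (the "<!DOCTY" case from the thread)
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plaintext-http"
    # SSLv2 record: two-byte length header with the high bit set
    if ctype & 0x80:
        return "sslv2-record"
    return "unknown"


def debug_line(chunk: bytes, offset: int = 0) -> str:
    """Render up to 16 bytes in the style of `openssl s_client -debug`, e.g.
    '0000 - 3c 21 44 4f 43 54 59 ... <!DOCTY' (layout approximated, not byte-identical)."""
    chunk = chunk[:16]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:04x} - {hexpart:<47} {text}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, and classify the first bytes that come back.
    Host/port/timeout are assumptions; this is the only function that touches the network."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "timeout"
    print(debug_line(reply))
    return classify_reply(reply)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict = probe(target)
    print(f"{target}:443 -> {verdict}")
    if verdict == "plaintext-http":
        print("server speaks plain HTTP on the TLS port: check 'SSLEngine on' for this vhost")
```

Run it as `python probe.py my.secure.dom`: a verdict of `plaintext-http` is exactly the "unknown protocol" situation in this thread (the vhost on 443 is missing `SSLEngine on`, or the wrong vhost answered, which is the name-based vhost problem Cliff links to), while `tls-alert` means the server is speaking TLS but rejected this bare ClientHello, so the next step is a full `s_client` run rather than a configuration change.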


