httpd-dev mailing list archives

From Martin Kraemer <mar...@apache.org>
Subject Re: SSL deadlock after SSLv3 key exchange A?
Date Thu, 22 Sep 2005 16:24:05 GMT
On Thu, Sep 22, 2005 at 05:03:34PM +0100, Joe Orton wrote:
> 
> You do mean to pass the server keypair for client authentication, right?

Oops - wrong line pasted. No -- I tried it first, but of course the
server said
  [Thu Sep 22 15:48:43 2005] [error] Certificate Verification: Error (26): unsupported certificate purpose
and I used client certs instead.

BTW: Some moments ago, I tried to configure the SSL server in the
global scope not to require a cert, and then added "SSLVerifyClient
optional" or "... require" to a .htaccess, and it hangs too. It looks
like it deadlocks at about the same SSL protocol phase:
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1181): [client 172.25.124.236] handing out temporary 1024 bit DH key
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write key exchange A
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 flush data
and when the client is cancelled, it proceeds:
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1590): OpenSSL: read 5/5 bytes from BIO#822b438 [mem: 8232ab8] (BIO dump follows)
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1537): +-------------------------------------------------------------------------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0000: 15 03                                            ..               |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1566): | 0005 - <SPACES/NULS>
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1568): +-------------------------------------------------------------------------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1590): OpenSSL: read 32/32 bytes from BIO#822b438 [mem: 8232abd] (BIO dump follows)
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1537): +-------------------------------------------------------------------------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0000: 51 36 d9 95 d3 d0 7e 95-a1 6d cd 83 3c 35 c8 26  Q6....~..m..<5.& |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0010: ae 2b 15 e9 3b f3 85 cd-4f 91 b3 7c 21 25 83 81  .+..;...O..|!%.. |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1568): +-------------------------------------------------------------------------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_kernel.c(1803): OpenSSL: Read: SSLv3 read client certificate A
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_kernel.c(1822): OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Sep 22 18:05:21 2005] [error] Re-negotiation handshake failed: Not accepted by client!?

> What is the output with -debug passed to s_client?
(appended. Used with the original setup:
  * global "SSLVerifyClient require"
  * 4000+ line ca-bundle file
  * client invocation:
    % openssl s_client -debug -CAfile ssl.crt/ca-bundle.crt -cert ~/martin+sslclient@mch00bcm.mch.fsc.net-cert.pem -key ~/martin+sslclient@mch00bcm.mch.fsc.net-key.pem -connect mch00bcm:8443
    <<bigbundle.txt>>
)
Also appended is <<halfbundle.txt>> which contains a connection trace
when I delete half of the ca-bundle certs. It reaches the read_request
phase and I entered "HEAD / HTTP/1.0\n\n".

   Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730  Munich,  Germany
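
As an added example (not code from the message above, nor from httpd or mod_ssl), the following Python script parses the mod_ssl debug lines quoted in the message and pulls out what they actually say: the last handshake message the server wrote before it went silent, how long the silence lasted (the gap between "flush data" and the next read), and what the client finally sent. The 5-byte read that breaks the wait starts with 0x15 0x03, i.e. a TLS/SSLv3 record of content type 21 (alert); mod_ssl's dump routine replaces trailing 0x00/0x20 bytes with the `<SPACES/NULS>` marker, so the script enumerates the lengths the trimmed header could encode and checks them against the 32-byte read that follows. The log sample is embedded as constructed input (the quoted lines with wrapping rejoined); the function names and report fields are my own.

```python
"""Analyse a mod_ssl debug trace: where did the handshake stall, and what did the
client finally send?  Added example; not part of the original message or of httpd."""
import re
from datetime import datetime

# Constructed sample: the lines quoted in the message, wrapped lines rejoined.
SAMPLE_LOG = """\
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1181): [client 172.25.124.236] handing out temporary 1024 bit DH key
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write key exchange A
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Sep 22 18:04:59 2005] [debug] ssl_engine_kernel.c(1798): OpenSSL: Loop: SSLv3 flush data
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1590): OpenSSL: read 5/5 bytes from BIO#822b438 [mem: 8232ab8] (BIO dump follows)
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1537): +--------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0000: 15 03                                            ..               |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1566): | 0005 - <SPACES/NULS>
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1568): +--------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1590): OpenSSL: read 32/32 bytes from BIO#822b438 [mem: 8232abd] (BIO dump follows)
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1537): +--------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0000: 51 36 d9 95 d3 d0 7e 95-a1 6d cd 83 3c 35 c8 26  Q6....~..m..<5.& |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1562): | 0010: ae 2b 15 e9 3b f3 85 cd-4f 91 b3 7c 21 25 83 81  .+..;...O..|!%.. |
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_io.c(1568): +--------+
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_kernel.c(1803): OpenSSL: Read: SSLv3 read client certificate A
[Thu Sep 22 18:05:21 2005] [debug] ssl_engine_kernel.c(1822): OpenSSL: Exit: failed in SSLv3 read client certificate A
[Thu Sep 22 18:05:21 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
"""

LINE_RE = re.compile(r"^\[([A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[(\w+)\] (.*)$")
STATE_RE = re.compile(r"OpenSSL: (Loop|Read|Write|Exit): (.+)")      # handshake state machine
READ_RE = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes from BIO#")   # start of a BIO dump
HEX_RE = re.compile(r"\| [0-9a-f]{4}: ((?:[0-9a-f]{2}[ -])+)")       # one dump row, hex column
TRUNC_RE = re.compile(r"\| ([0-9a-f]{4}) - <SPACES/NULS>")           # trailing 0x00/0x20 bytes trimmed
BORDER_RE = re.compile(r"\+-+\+")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_mod_ssl_log(text):
    """Turn the trace into a list of 'state', 'read' and 'error' events in log order."""
    events, dump = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        r = READ_RE.search(msg)
        if r:  # a read announces a dump; collect its rows until the second border line
            dump = {"kind": "read", "ts": ts, "declared": int(r.group(2)),
                    "data": bytearray(), "trimmed": 0, "borders": 0}
            events.append(dump)
            continue
        if dump is not None:
            if BORDER_RE.search(msg):
                dump["borders"] += 1
                if dump["borders"] == 2:
                    dump = None
                continue
            h = HEX_RE.search(msg)
            if h:
                dump["data"] += bytes.fromhex("".join(h.group(1).replace("-", " ").split()))
                continue
            t = TRUNC_RE.search(msg)
            if t:  # marker carries the total length; the difference is how many bytes were trimmed
                dump["trimmed"] = int(t.group(1), 16) - len(dump["data"])
                continue
        s = STATE_RE.search(msg)
        if s:
            events.append({"kind": "state", "ts": ts, "phase": s.group(1), "state": s.group(2).strip()})
        elif level == "error":
            events.append({"kind": "error", "ts": ts, "text": msg})
    return events


def decode_record_header(read):
    """Decode a 5-byte TLS/SSLv3 record header; trimmed bytes are each 0x00 or 0x20."""
    data, trimmed = bytes(read["data"]), read["trimmed"]
    if len(data) + trimmed < 5:
        return None
    padded = list(data) + [None] * trimmed
    choices = lambda b: [b] if b is not None else [0x00, 0x20]
    return {
        "content_type": CONTENT_TYPES.get(padded[0], "unknown"),
        "version_candidates": [(mj, mn) for mj in choices(padded[1]) for mn in choices(padded[2])],
        "length_candidates": sorted({(hi << 8) | lo for hi in choices(padded[3]) for lo in choices(padded[4])}),
    }


def analyze(text):
    """Locate the silent wait after 'flush data' and classify the first record read afterwards."""
    events = parse_mod_ssl_log(text)
    report = {"stall_after": None, "silent_seconds": None, "first_record": None,
              "next_read_bytes": None, "error": None}
    for i, ev in enumerate(events):
        if ev["kind"] == "state" and ev["state"].endswith("flush data"):
            written = [e["state"] for e in events[:i] if e["kind"] == "state" and "write" in e["state"]]
            report["stall_after"] = written[-1] if written else None
            reads = [e for e in events[i + 1:] if e["kind"] == "read"]
            if reads:
                report["silent_seconds"] = (reads[0]["ts"] - ev["ts"]).total_seconds()
                report["first_record"] = decode_record_header(reads[0])
                if len(reads) > 1:
                    report["next_read_bytes"] = reads[1]["declared"]
            break
    errors = [e["text"] for e in events if e["kind"] == "error"]
    report["error"] = errors[-1] if errors else None
    return report


def consistent_length(report):
    """Record length the trimmed header must have encoded, if the following read matches one candidate."""
    hdr, nxt = report["first_record"], report["next_read_bytes"]
    return nxt if hdr and nxt in hdr["length_candidates"] else None


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print(f"server stalled after writing: {rep['stall_after']}")
    print(f"silent for {rep['silent_seconds']}s; then read a {rep['first_record']['content_type']} record "
          f"of {consistent_length(rep)} bytes; final error: {rep['error']}")
```

Run against the sample, the report says the server stalled after "SSLv3 write certificate request A", waited 22 seconds, and the first thing it then read was an alert record of 32 bytes (the only length candidate matching the 32/32-byte read that follows), before mod_ssl logged the renegotiation failure. Pointing the script at a full error_log with `LogLevel debug` gives the same breakdown for other hung connections.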
