httpd-users mailing list archives

From Peter Rose <pe...@cyberscreen.com>
Subject [users@httpd] Fwd: secure connection works with ssl2 but not ssl3/tls
Date Thu, 28 Apr 2005 08:49:19 GMT



>I have been struggling with this problem for a while now, hopefully 
>someone here can point me in the right direction:

It seems to be an openssl problem rather than an apache problem, but I 
haven't had any response from that list so maybe someone here has 
experienced the same problem. Here it is:


>I have compiled openssl-0.9.6g on RedHat 8.0 and it passes make test and 
>installs OK.
>
>I then compiled and installed Apache-SSL 1.3.29+BenSSL-1.53, but https 
>connections only work if the browser is set to SSL2 only.
>
>I can't see anything wrong with the Apache configuration, so tested as 
>follows with the following results:
>
>
>openssl s_client -ssl3 -connect www2.cyberscreen.com:443
>CONNECTED(00000003)
>26858:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
>failure:s3_pkt.c:529:
>
>or, in debug mode I get the hex of the certificate displayed, it seems to 
>read all the fields but then ends with
>
>read from 0816CB80 [08172138] (5 bytes => 0 (0x0))
>25427:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
>failure:s23_lib.c:226:
>
>===================================
>
>I also get the following message written to the Apache error log when 
>attempting ssl3/tls connections:
>
>apache_ssl.c(298): error:1408C095:SSL routines:SSL3_GET_FINISHED:digest 
>check failed
>apache_ssl.c(2042): CIPHER is AES256-SHA
>apache_ssl.c(294): SSL_accept returned 0
>
>however, openssl s_client -ssl2 -connect www2.cyberscreen.com:443 connects 
>fine, reads the certificate and establishes the https connection.
>
>I am using self-signed certs for testing and have re-generated them 
>several times in case of error, but always with the same result.
>On an older server running RedHat 6.2 and Apache-SSL 1.3.12, 
>OpenSSL-0.9.5d, I have had no problems for four years.
>
>I have spent ages trawling the internet for this problem but have not 
>found a definitive solution.
>Guidance appreciated.
>
>TIA
>
>Peter Rose
>London UK
>

I don't like your fashion business, mister -
   Leonard Cohen / First We Take Manhattan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
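
The error lines quoted in the message above follow OpenSSL's `[pid:]error:code:library:function:reason[:file:line:]` layout. As an added example (not part of the original post), this Python sketch splits those records and unpacks the 32-bit code using the pre-3.0 OpenSSL packing of 8-bit library, 12-bit function and 12-bit reason, so the client-side and server-side reasons can be compared. The function names are hypothetical; the sample records are the ones in the message with the mail wrapping joined.

```python
import re

# OpenSSL error-queue text: [pid:]error:HEXCODE:library:function:reason[:file:line:]
ERR_RE = re.compile(
    r"(?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*)(?::(?P<file>[^:]+):(?P<line>\d+):?)?"
)

# Records copied from the message above, with the mail wrapping joined back up.
SAMPLE = [
    "26858:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:",
    "25427:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:",
    "apache_ssl.c(298): error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed",
]

def unpack_code(code):
    """Pre-3.0 OpenSSL packing: 8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_error(record):
    """Return the fields of one error record, or None if it is not one."""
    m = ERR_RE.search(record)
    if m is None:
        return None
    lib_id, func_id, reason_id = unpack_code(int(m["code"], 16))
    return {
        "pid": int(m["pid"]) if m["pid"] else None,
        "lib_id": lib_id, "func_id": func_id, "reason_id": reason_id,
        "function": m["func"], "reason": m["reason"].strip(),
        "source": (m["file"], int(m["line"])) if m["file"] else None,
    }

def reasons_by_function(records):
    """Map each reporting function to the (reason_id, reason text) it raised."""
    out = {}
    for rec in records:
        e = parse_error(rec)
        if e:
            out[e["function"]] = (e["reason_id"], e["reason"])
    return out

if __name__ == "__main__":
    for fn, (rid, text) in reasons_by_function(SAMPLE).items():
        print(f"{fn:20s} reason 0x{rid:03X} {text}")
```

Both s_client records decode to the same reason number, while the Apache error log entry carries a different one, raised in `SSL3_GET_FINISHED`.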

