httpd-users mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] SSL on Apache 2.2.14
Date Wed, 25 Nov 2009 18:03:33 GMT

On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this problem for quite
> a while and have hit a wall.  I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL
> support.  Everything seems to build and compile okay, but when I try to access my site running
> on 2.2.14, I get a strange error from Firefox: "Secure connection failed.  An error occurred
> during a connection to xxxxxx.  SSL peer reports incorrect Message Authentication Code.  (Error
> code: ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a different idea of what
their session keys are.  This happens when the pre-master secret that the client sent was
decrypted with a private key that does not belong to the certificate that the server passed
to the client.  

Do you by any chance use a Hardware Security Module to protect the private key? 

Can you try using your key file and certs with a simple test server included with openssl? Like so:

openssl s_server -cert /path/to/yourSSLCertificateFile -key /path/to/yourSSLCertificateKeyFile -CAfile /path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

curl -i https://localhost:4433/ or

openssl s_client -connect localhost:4433 

and see if that works.  

S. 

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results.  This is hosted
> on a Solaris sparc box.  The 2.2.14 server is utilizing all the same files and SSL certificates
> as the 2.0.47 server.  I've called Verisign; I have valid certificates, but they've never
> heard of this error before.  If I self-sign a certificate and test it with the 2.2.14 server,
> it seems to work (except for the expected error message regarding self-signed certificates).
> 
> Searching on Google has led me to try forcing Apache to compile with prefork enabled
> (but it seems to default to that anyway on Solaris).  I've also tried statically linking Apache
> during compile with the same results.
> 
> If anyone has any ideas or suggestions, I'd very much appreciate them...
> 
> Thank you,
> John
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF