Fwd: secure connection works with ssl2 but not ssl3/tls


Peter Rose



>I have been struggling with this problem for a while now, hopefully
>someone here can point me in the right direction:

It seems to be an openssl problem rather than an apache problem, but I
haven't had any response from that list so maybe someone here has
experienced the same problem. Here it is:


>I have compiled openssl-0.9.6g on RedHat 8.0 and it passes make test and
>installs OK.
>
>I then compiled and installed Apache-SSL 1.3.29+BenSSL-1.53, but https
>connections only work if the browser is set to SSL2 only.
>
>I can't see anything wrong with the Apache configuration, so tested as
>follows with the following results:
>
>
>openssl s_client -ssl3 -connect www2.cyberscreen.com:443
>CONNECTED(00000003)
>26858:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>failure:s3_pkt.c:529:
>
>or, in debug mode I get the hex of the certificate displayed, it seems to
>read all the fields but then ends with
>
>read from 0816CB80 [08172138] (5 bytes => 0 (0x0))
>25427:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>failure:s23_lib.c:226:
>
>===================================
>
>I also get the following message written to the Apache error log when
>attempting ssl3/tls connections:
>
>apache_ssl.c(298): error:1408C095:SSL routines:SSL3_GET_FINISHED:digest
>check failed
>apache_ssl.c(2042): CIPHER is AES256-SHA
>apache_ssl.c(294): SSL_accept returned 0
>
>however, openssl s_client -ssl2 -connect www2.cyberscreen.com:443 connects
>fine, reads the certificate and establishes the https connection.
>
>I am using self-signed certs for testing and have re-generated them
>several times in case of error, but always with the same result.
>On an older server running RedHat 6.2 and Apache-SSL 1.3.12,
>OpenSSL-0.9.5d, I have had no problems for four years.
>
>I have spent ages trawling the internet for this problem but have not
>found a definitive solution.
>Guidance appreciated.
>
>TIA
>
>Peter Rose
>London UK
>

I don't like your fashion business, mister -
   Leonard Cohen / First We Take Manhattan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]