CJ Holmes <[EMAIL PROTECTED]> writes:
> on 9/17/01 10:50 AM, Eric Rescorla at [EMAIL PROTECTED] wrote:
>
> >> I get the same error connecting from other client machines using Netscape
> >> 4.7, but not if I use 4.7.5. There's clearly a bug in Netscape 4.7 and
> >> earlier versions, but why is it just affecting our implementation of
> >> OpenSSL?
> > That's a good question.
>
> Well, I found out that Netscape only sends the invalid CSS message if the
> certificate used by the server is an SGC cert or the common name on the
> certificate was different from the hostname used to contact the machine.
> (eg: the URL was https://testing1.berkeley.4d.com/ but the common name on
> the certificate is "any.other.name.com").
>
> If you use a non-SGC certificate whose common name matches the hostname of
> the server, then everything is fine.

This is still unusual. Netscape certainly doesn't behave this way for me.

> Still unanswered is why OpenSSL feels the need to respond to an invalid CSS
> message with an equally invalid CSS message. I've only glanced at the
> OpenSSL handshake code in the past, so I'm not keen on diving into it right
> now. But if nobody else is willing...

It's typically a lot easier to do this if you can reproduce the
problem locally :(

Can you reproduce the problem on a Unix box running OpenSSL
(via s_server or mod_ssl)?

-Ekr
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]