Hi,

no, I can't connect to Apache using SSL via my browser. And yes: I can connect to other SSL websites. I recompiled Apache but the result is the same.

Here is what Apache logs to ssl_engine.log:

[07/Sep/2003 23:42:44 08446] [info] Server: Apache/1.3.28, Interface: mod_ssl/2.8.15, Library: OpenSSL/0.9.7b
[07/Sep/2003 23:42:44 08446] [info] Init: 1st startup round (still not detached)
[07/Sep/2003 23:42:44 08446] [info] Init: Initializing OpenSSL library
[07/Sep/2003 23:42:44 08446] [info] Init: Loading certificate & private key of SSL-aware server www.valdorian.de:443
[07/Sep/2003 23:42:44 08446] [info] Init: Requesting pass phrase from dialog filter program (/usr/sbin/passphrase)
[07/Sep/2003 23:42:44 08446] [trace] Init: (www.valdorian.de:443) encrypted RSA private key - pass phrase requested
[07/Sep/2003 23:42:44 08446] [info] Init: Wiped out the queried pass phrases from memory
[07/Sep/2003 23:42:44 08446] [info] Init: Seeding PRNG with 136 bytes of entropy
[07/Sep/2003 23:42:44 08446] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[07/Sep/2003 23:42:45 08446] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[07/Sep/2003 23:42:46 08449] [info] Init: 2nd startup round (already detached)
[07/Sep/2003 23:42:46 08449] [info] Init: Reinitializing OpenSSL library
[07/Sep/2003 23:42:46 08449] [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[07/Sep/2003 23:42:46 08449] [info] Init: Seeding PRNG with 136 bytes of entropy
[07/Sep/2003 23:42:46 08449] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[07/Sep/2003 23:42:46 08449] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[07/Sep/2003 23:42:46 08449] [info] Init: Initializing (virtual) servers for SSL
[07/Sep/2003 23:42:46 08449] [info] Init: Configuring server www.valdorian.de:443 for SSL protocol
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Creating new SSL context (protocols: SSLv3, TLSv1)
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Configuring permitted SSL ciphers [!EXP:!NULL:!ADH:!EXPORT56:+HIGH:+MEDIUM:-LOW]
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Configuring client authentication
[07/Sep/2003 23:42:46 08449] [trace] CA certificate: /C=DE/ST=Hessen/L=Frankfurt/O=Home/CN=www.valdorian.de/ [EMAIL PROTECTED]
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Configuring certificate revocation facility
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Configuring RSA server certificate
[07/Sep/2003 23:42:46 08449] [trace] Init: (www.valdorian.de:443) Configuring RSA server private key
[07/Sep/2003 23:42:57 08450] [info] Connection to child 0 established (server www.valdorian.de:443, client 127.0.0.1)
[07/Sep/2003 23:42:57 08450] [info] Seeding PRNG with 1160 bytes of entropy
[07/Sep/2003 23:42:57 08450] [debug] OpenSSL: read 11/11 bytes from BIO#003B0670 [mem: 002EC000] (BIO dump follows)
+----------------------------------------------------------------------- --+
| 0000: 80 92 01 03 01 00 69 ......i |
| 000b - <SPACES/NULS>
+----------------------------------------------------------------------- --+
[07/Sep/2003 23:42:57 08450] [debug] OpenSSL: read 137/137 bytes from BIO#003B0670 [mem: 002EC00B] (BIO dump follows)
+----------------------------------------------------------------------- --+
| 0000: 00 00 39 00 00 38 00 00-35 00 00 16 00 00 13 00 ..9..8..5....... |
| 0010: 00 0a 07 00 c0 00 00 33-00 00 32 00 00 2f 00 00 .......3..2../.. |
| 0020: 07 05 00 80 03 00 80 00-00 66 00 00 05 00 00 04 .........f...... |
| 0030: 01 00 80 08 00 80 00 00-63 00 00 62 00 00 61 00 ........c..b..a. |
| 0040: 00 15 00 00 12 00 00 09-06 00 40 00 00 65 00 00 [EMAIL PROTECTED] |
| 0050: 64 00 00 60 00 00 14 00-00 11 00 00 08 00 00 06 d..`............ |
| 0060: 04 00 80 00 00 03 02 00-80 84 b3 9f f4 ba 00 16 ................ |
| 0070: eb 84 21 6e ff 7a ac 93-1b 42 97 99 f9 ed 0a b6 ..!n.z...B...... |
| 0080: 92 63 50 c0 23 9b a1 bb-71 .cP.#...q |
+----------------------------------------------------------------------- --+
[07/Sep/2003 23:42:57 08450] [debug] OpenSSL: write 7/7 bytes to BIO#003B0670 [mem: 003BC200] (BIO dump follows)
+----------------------------------------------------------------------- --+
| 0000: 15 03 01 00 02 02 28 ......( |
+----------------------------------------------------------------------- --+
[07/Sep/2003 23:42:57 08450] [error] SSL handshake failed (server www.valdorian.de:443, client 127.0.0.1) (OpenSSL library error follows)
[07/Sep/2003 23:42:57 08450] [error] OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)



Regards Jörg

On Friday, 05.09.03 at 17:52, Geoff Thorpe wrote:

Hi there,

On September 5, 2003 04:10 am, Jörg Horchler wrote:
I understand that the ciphers are my problem. But what is wrong with my
installation in this case? Do I have the need to recreate my
certificates? (CA-certificate? server-certificate?) Or do I have to
recompile OpenSSL? Or do I have to specify other ciphers in my
httpd.conf?

Well your certificate(s) shouldn't matter (unless perhaps it's DSA rather
than RSA, but even then it should be fine). If you re-enabled all
protocols and cipher-suites and the handshake still failed, then either
your Apache installation or your openssl (s_client) executable is screwed
up. Can you connect to your apache installation from a web-browser? Can
you connect to other secure web-sites using your s_client? Have you tried
putting the SSL logging level in apache up to the maximum to see if any
other hints turn up? Have you tried running 'ssldump' between the client
and server to see what cipher-suites are being passed each direction
during the handshake? There's plenty more fishing to be done ...


Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
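
Added example, not part of the original thread: a Python decoder for the three pieces of evidence in the log above (the SSLv2-format ClientHello, the alert record the server wrote back, and the packed OpenSSL error code). The byte strings are copied from the BIO dumps; the function names are illustrative, and the reason and alert names are taken from OpenSSL's ssl.h and the TLS alert descriptions, not from the log.

```python
import struct

# Bytes copied from the BIO dumps in the log above (client challenge omitted).
HELLO_HEADER = bytes.fromhex("80 92 01 03 01 00 69")
CIPHER_SPECS = bytes.fromhex(
    "000039 000038 000035 000016 000013 00000a 0700c0 000033 000032 "
    "00002f 000007 050080 030080 000066 000005 000004 010080 080080 "
    "000063 000062 000061 000015 000012 000009 060040 000065 000064 "
    "000060 000014 000011 000008 000006 040080 000003 020080")
ALERT_RECORD = bytes.fromhex("15 03 01 00 02 02 28")
ERROR_CODE = 0x1408A0C1

REASONS = {193: "SSL_R_NO_SHARED_CIPHER"}   # from OpenSSL's ssl.h
ALERTS = {40: "handshake_failure"}          # TLS alert descriptions

def parse_v2_hello_header(hdr):
    """SSLv2-format ClientHello: 2-byte length, type, version, spec length."""
    if not hdr[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    record_len = ((hdr[0] & 0x7F) << 8) | hdr[1]
    msg_type, major, minor, spec_len = struct.unpack(">BBBH", hdr[2:7])
    return {"record_len": record_len, "msg_type": msg_type,
            "version": (major, minor), "cipher_spec_len": spec_len}

def split_cipher_specs(specs):
    """Each spec is 3 bytes; a leading 0x00 marks an SSLv3/TLS suite id."""
    if len(specs) % 3:
        raise ValueError("cipher spec block is not a multiple of 3 bytes")
    tls, v2 = [], []
    for i in range(0, len(specs), 3):
        spec = specs[i:i + 3]
        (tls if spec[0] == 0 else v2).append(int.from_bytes(spec, "big"))
    return tls, v2

def parse_alert(rec):
    """TLS record header (type, version, length) plus alert level and code."""
    ctype, _major, _minor, length, level, desc = struct.unpack(">BBBHBB", rec)
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext alert record")
    return ("fatal" if level == 2 else "warning"), ALERTS.get(desc, str(desc))

def split_error(code):
    """Pre-3.0 OpenSSL packing: lib in bits 24-31, func 12-23, reason 0-11."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return lib, func, REASONS.get(reason, reason)

if __name__ == "__main__":
    print(parse_v2_hello_header(HELLO_HEADER))
    tls, v2 = split_cipher_specs(CIPHER_SPECS)
    print([hex(s) for s in tls], [hex(s) for s in v2])
    print(parse_alert(ALERT_RECORD), split_error(ERROR_CODE))
```

The decoded reason and the alert agree: the server ended the handshake because none of the offered cipher specs matched a cipher it had enabled.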

