On Wed, Feb 08, 2006, Michael Smith wrote:
>
> A follow-up to my own post from last week. I've done some more digging -
> hopefully this is enough for someone to offer some suggestions.
>
> I have been trying different versions of openssl with apache on solaris and
> sun cc. With versions >= 0.9.7 (see below exact list of releases tested) I
> get the following error when trying to connect with Firefox with SSL3:
>
> [Wed Feb 8 14:08:07 2006] [error] mod_ssl: SSL handshake failed (server
> xxx:443, client 192.168.0.4) (OpenSSL library error follows)
> [Wed Feb 8 14:08:07 2006] [error] OpenSSL: error:1408F455:SSL
> routines:SSL3_GET_RECORD:decryption failed or bad record mac
>
> And the browser displays a popup saying "incorrect Message Authentication
> Code"
>
> Note that there are no problems whatsoever with IE, and that I can also get
> things to work fine if I set firefox or the web server not to use SSL3.
>
> The exact versions of openssl that I have tested are:
>
> * openssl-0.9.6b: works fine
> * openssl-0.9.6m: works fine
> * openssl-0.9.7a: fails
> * openssl-0.9.7e: fails
> * openssl-0.9.7i: fails
> * openssl-0.9.8: fails
> * openssl-0.9.8-stable-SNAP-20060131: fails
>
> Any ideas would be gratefully received. Of course, using old versions of
> openssl causes other problems ...
>
Firstly don't use apache for your tests; instead use the OpenSSL s_server utility. If you include the -www option it will display a status page in a web browser if it works OK. You can also check various options out such as -bugs and -no_tls1 to see if that helps.

If you created the certificates yourself check that the certificate chain you are using doesn't include duplicate serial numbers. This won't happen if you use the CA.pl command (be careful with 0.9.8 because it has a bug: use a recent snapshot instead). However there are numerous "cookbooks" out there of varying quality which use all manner of weird commands and can produce non-compliant certificates.

It might be an idea to start with a fresh firefox certificate database when doing the tests. If you create a new profile you'll start with the default one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
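The duplicate-serial check Steve recommends can be scripted. The following is an added example, not code from the thread or from the OpenSSL project: it pulls the serialNumber straight out of each certificate's DER encoding with the standard library only, so it runs on any PEM bundle without depending on a particular openssl build. The sample bundle it checks is constructed inline: stand-in blobs with the real X.509 outer layout (Certificate SEQUENCE, tbsCertificate SEQUENCE, optional [0] version, serialNumber INTEGER) and dummy remaining fields, not real certificates.

```python
"""Report duplicate serial numbers in a PEM certificate chain.

Added example (not from the original mailing-list post). The parser reads
only the leading fields of tbsCertificate, which is all that is needed to
recover the serial number; it does not validate signatures or extensions.
"""
import base64
import re
from collections import Counter

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, body_start, body_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def cert_serial(der):
    """Return the serialNumber of a DER-encoded Certificate as an int."""
    tag, tbs_start, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    tag, pos, _ = _read_tlv(der, tbs_start)         # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, body, end = _read_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, body, end = _read_tlv(der, end)
    assert tag == 0x02, "serialNumber is not an INTEGER"
    return int.from_bytes(der[body:end], "big", signed=True)


def duplicate_serials(pem_bundle):
    """Return {serial: count} for every serial that occurs more than once."""
    serials = [cert_serial(base64.b64decode(b"".join(m.split())))
               for m in PEM_RE.findall(pem_bundle)]
    return {s: c for s, c in Counter(serials).items() if c > 1}


# --- constructed sample data (hypothetical, not real certificates) ---------

def _der(tag, body):
    """Minimal DER TLV encoder used only to build the sample blobs."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _fake_cert(serial):
    """Stand-in certificate: real outer X.509 layout, dummy inner fields."""
    version = _der(0xA0, _der(0x02, b"\x02"))       # [0] EXPLICIT INTEGER 2 (v3)
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    filler = _der(0x04, b"\x00" * 200)              # forces long-form lengths
    tbs = _der(0x30, version + _der(0x02, serial_bytes) + _der(0x30, b"") + filler)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def _fake_pem(serial):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_fake_cert(serial))
            + b"-----END CERTIFICATE-----\n")


# Constructed chain: serial 1 appears twice, which is the fault to catch.
SAMPLE_BUNDLE = b"".join(_fake_pem(s) for s in (1, 1, 0x1234))

if __name__ == "__main__":
    dups = duplicate_serials(SAMPLE_BUNDLE)
    for serial, count in dups.items():
        print(f"serial {serial:#x} appears {count} times")
    print("chain OK" if not dups else "chain has duplicate serials")
```

Run it against a real chain by reading the PEM file into `duplicate_serials()`; an empty result means every certificate in the bundle carries a distinct serial, which is the condition the reply asks to confirm before looking further at s_server options.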