On Wed, Jun 24, 2009 at 08:48:28PM -0400, Robert Jacobson wrote:

> I'm having a problem with Firefox connecting to a web site at work. I
> found that openssl also has problems with it. I can connect with other
> browsers like IE, Chrome, and Safari.
>
> There is a Firefox bug report, but no one is working on it. See:
> https://bugzilla.mozilla.org/show_bug.cgi?id=448303
>
> Here is the openssl s_client output:
>
> # openssl s_client -connect cds.gsfc.nasa.gov:443
> CONNECTED(00000003)
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 5008:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:

The server is misconfigured, it advertises support for ciphers that
it fails to properly implement. If you exclude the 256-bit AES ciphers:

    openssl s_client -connect cds.gsfc.nasa.gov:443 \
        -cipher 'DEFAULT:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA'

the connection works. My guess is that the server is a SunOS (5.10?)
system with Sun's libcrypto containing AES 128 and no AES256, and you
have configured a non-default server cipherlist.

If Sun upgrade to a more recent OpenSSL version, the partly implemented
AES suite will work even with a non-default cipherlist.

-- 
	Viktor.
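
Added example, not part of the thread and not code from the OpenSSL project: a shell sketch that generalizes the manual exclusion in the reply above by offering one cipher suite at a time and building the matching `-cipher` exclusion string from the suites whose handshake fails. The function names are hypothetical, and `-no_tls1_3` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical.

# try_cipher HOST:PORT SUITE
# Returns 0 if the handshake completes when only SUITE is offered.
# -no_tls1_3 (OpenSSL 1.1.1+, assumed) keeps TLS 1.3 suites, which -cipher
# does not control, from masking the result.
try_cipher() {
    openssl s_client -connect "$1" -cipher "$2" -no_tls1_3 \
        </dev/null >/dev/null 2>&1
}

# failing_ciphers HOST:PORT COLON_SEPARATED_LIST
# Prints, one per line, every suite whose single-suite handshake fails.
# A failure means either "not supported" or "selected but broken"; both
# are safe to exclude from the client list.
failing_ciphers() {
    target=$1
    old_ifs=$IFS
    IFS=:
    for c in $2; do
        IFS=$old_ifs
        case $c in
            TLS_*) continue ;;   # TLS 1.3 names are not valid for -cipher
        esac
        try_cipher "$target" "$c" || printf '%s\n' "$c"
    done
    IFS=$old_ifs
}

# exclusion_string SUITE...
# Builds a cipher string of the form DEFAULT:!SUITE1:!SUITE2
exclusion_string() {
    out=DEFAULT
    for c in "$@"; do
        out="$out:!$c"
    done
    printf '%s\n' "$out"
}

# Usage: sh probe.sh host:443   (does nothing when run without arguments)
if [ $# -ge 1 ]; then
    bad=$(failing_ciphers "$1" "$(openssl ciphers DEFAULT)")
    # Word splitting of $bad is intended: one suite per argument.
    exclusion_string $bad
fi
```

The printed string can be passed to `openssl s_client -cipher` to confirm that the connection works once the failing suites are excluded.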