This is what my Apache log says.  Note the "SSL Library Error":

[Tue Jul 07 15:12:27 2009] [info] [client 10.10.10.4] Connection to child 14 established (server 10.10.10.4:443)
[Tue Jul 07 15:12:27 2009] [info] Seeding PRNG with 656 bytes of entropy
[Tue Jul 07 15:12:27 2009] [error] Certificate Verification: Error (7): certificate signature failure
[Tue Jul 07 15:12:27 2009] [info] [client 10.10.10.4] SSL library error 1 in handshake (server 10.10.10.4:443)
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[Tue Jul 07 15:12:27 2009] [info] [client 10.10.10.4] Connection closed to child 14 with abortive shutdown (server 10.10.10.4:443)

I have the following configuration:

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 
OpenSSL/0.9.8g, AMD64 hardware, installed as AMD64.  I have Apache configured 
to require client certificates (self-signed).  I am also seeing this same 
problem on a Gentoo install on an Intel box (64 bit).  If I remove the client 
certificate requirement, the issue goes away.

Once this problem starts to happen, it occurs more frequently as time goes on until 
Apache is restarted.  What causes the issue to start is not clear as it takes a few hours 
to begin.  This is what I am seeing in testing using "openssl s_client -connect 
10.10.10.4/test.php:443 -debug -state -CAfile ca.crt -cert dev.crt -key dev.key" 
once the problem has started.

A failed connection attempt:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
CONNECTED(00000003)
write to 0x6ad810 [0x6af090] (118 bytes => 118 (0x76))
read from 0x6ad810 [0x6b45f0] (7 bytes => 7 (0x7))
read from 0x6ad810 [0x6b45f7] (72 bytes => 72 (0x48))
read from 0x6ad810 [0x6b45f0] (5 bytes => 5 (0x5))
read from 0x6ad810 [0x6b45f5] (1303 bytes => 1303 (0x517))
verify return:1
depth=0 <text deleted>
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0x6ad810 [0x6b45f0] (5 bytes => 5 (0x5))
read from 0x6ad810 [0x6b45f5] (397 bytes => 397 (0x18D))
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
read from 0x6ad810 [0x6b45f0] (5 bytes => 5 (0x5))
read from 0x6ad810 [0x6b45f5] (153 bytes => 153 (0x99))
write to 0x6ad810 [0x6be730] (1281 bytes => 1281 (0x501))
SSL_connect:SSLv3 write client key exchange A
SSL_connect:error in SSLv3 write change cipher spec A
SSL_connect:error in SSLv3 write change cipher spec A
write:errno=32
write to 0x6ad810 [0x6be730] (139 bytes => 139 (0x8B))
write to 0x6ad810 [0x6be730] (139 bytes => -1 (0xFFFFFFFFFFFFFFFF))

A successful connection:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
CONNECTED(00000003)
write to 0xa92810 [0xa94090] (118 bytes => 118 (0x76))
read from 0xa92810 [0xa995f0] (7 bytes => 7 (0x7))
read from 0xa92810 [0xa995f7] (72 bytes => 72 (0x48))
read from 0xa92810 [0xa995f0] (5 bytes => 5 (0x5))
read from 0xa92810 [0xa995f5] (1303 bytes => 1303 (0x517))
verify return:1
depth=0 <text deleted>
verify return:1
SSL_connect:SSLv3 read server certificate A
read from 0xa92810 [0xa995f0] (5 bytes => 5 (0x5))
read from 0xa92810 [0xa995f5] (397 bytes => 397 (0x18D))
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
read from 0xa92810 [0xa995f0] (5 bytes => 5 (0x5))
read from 0xa92810 [0xa995f5] (153 bytes => 153 (0x99))
write to 0xa92810 [0xaa3730] (1281 bytes => 1281 (0x501))
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
write to 0xa92810 [0xaa3730] (139 bytes => 139 (0x8B))
write to 0xa92810 [0xaa3730] (139 bytes => 139 (0x8B))
write to 0xa92810 [0xaa3730] (6 bytes => 6 (0x6))
write to 0xa92810 [0xaa3730] (53 bytes => 53 (0x35))
read from 0xa92810 [0xa995f0] (5 bytes => 5 (0x5))
read from 0xa92810 [0xa995f5] (1 bytes => 1 (0x1))
read from 0xa92810 [0xa995f0] (5 bytes => 5 (0x5))
read from 0xa92810 [0xa995f5] (48 bytes => 48 (0x30))
SSL handshake has read 2006 bytes and written 1736 bytes

Here is my Apache configuration:

<VirtualHost 10.10.10.4:443>
       ServerName 10.10.10.4

       DocumentRoot /srv/www/dev/

       <Directory "/srv/www/dev/">
           Options FollowSymLinks
           AllowOverride None
           SSLRequireSSL
       </Directory>

   <Directory "/srv/www/dev/testing">
       Allow from all
       SSLRequire %{SSL_CLIENT_S_DN_OU} eq "dev"
   </Directory>


       ErrorLog /var/log/apache2/dev-error.log

       LogLevel info

       CustomLog /var/log/apache2/netPark-dev-access.log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_VERIFY}x 
%{SSL_CLIENT_S_DN_OU}x %{SSL_CIPHER_USEKEYSIZE}x %r %b"

       SSLEngine on

       SSLCertificateFile      /etc/apache2/ssl-certs/dev.crt
       SSLCertificateKeyFile   /etc/apache2/ssl-certs/dev.key
       SSLCertificateChainFile /etc/apache2/ssl-certs/ca.crt
       SSLCACertificateFile    /etc/apache2/ssl-certs/ca.crt

       SSLVerifyClient require
       SSLVerifyDepth  1

       SSLOptions +StrictRequire

</VirtualHost>

I have searched extensively to try to find other reports of this issue but 
have had little success.  Any help you can provide would be greatly appreciated.

Thank you for your time!

Jon
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
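The two "SSL Library Error" codes in the log above are the interesting part, and mod_ssl printed them as bare numbers because the Apache process had no OpenSSL error strings loaded. The decoder below is an added example (not from the post, and not part of mod_ssl or OpenSSL); it unpacks the pre-3.0 packed code layout (library in the top 8 bits, function in the next 12, reason in the low 12) and maps the values with the names from the OpenSSL 0.9.8 headers. Those names are the only assumption: `openssl errstr 0D0C50A1` on a machine with the binary prints the same strings. The first code decodes to "asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm", and the second to "SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned", which is the consequence of the first. The first string means the digest OID in the client certificate's signature could not be resolved in the process's algorithm table at that moment; a certificate that the same server accepts after a restart but rejects hours later therefore points at the state of the Apache process (something in it unloading or never loading OpenSSL's digest tables) rather than at the certificate, and that is where a practitioner would look next.

```python
"""Decode packed OpenSSL error codes as mod_ssl logs them, e.g.
"SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)".

Pre-3.0 OpenSSL packs an error into 32 bits: library (8 bits), function
(12 bits), reason (12 bits).  OpenSSL 3 changed this layout and dropped
function codes, so this decoder is for logs from 0.9.8/1.0.x/1.1.x servers.
The name tables carry the constants needed for the codes in the post
(assumed from the 0.9.8 headers); unknown values are reported numerically,
exactly as mod_ssl did.
"""
import re

# ERR_LIB_* values from err.h
LIBS = {
    2: "system library", 3: "bignum routines", 4: "rsa routines",
    6: "digital envelope routines", 9: "PEM routines",
    11: "x509 certificate routines", 13: "asn1 encoding routines",
    20: "SSL routines", 32: "BIO routines",
}
# (lib, func) -> function name (asn1.h / ssl.h function codes)
FUNCS = {
    (13, 197): "ASN1_item_verify",
    (20, 137): "SSL3_GET_CLIENT_CERTIFICATE",
}
# (lib, reason) -> reason string (asn1.h / ssl.h reason codes)
REASONS = {
    (13, 161): "unknown message digest algorithm",
    (20, 178): "no certificate returned",
}

# mod_ssl prints the decimal value, then the hex "error:XXXXXXXX:..." form.
LOG_RE = re.compile(r"SSL Library Error: (\d+)\s+error:([0-9A-Fa-f]{8})")


def unpack(code):
    """Split a packed pre-3.0 error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def errstr(code):
    """Render one code the way `openssl errstr` does, numeric when unknown."""
    lib, func, reason = unpack(code)
    return "error:%08X:%s:%s:%s" % (
        code,
        LIBS.get(lib, "lib(%d)" % lib),
        FUNCS.get((lib, func), "func(%d)" % func),
        REASONS.get((lib, reason), "reason(%d)" % reason),
    )


def decode_log(text):
    """Return the decoded string for every SSL Library Error line in text.

    The decimal and hex forms on each line are cross-checked so a line
    damaged by e-mail wrapping is rejected instead of silently misread.
    """
    out = []
    for dec, hexcode in LOG_RE.findall(text):
        if int(dec) != int(hexcode, 16):
            raise ValueError("decimal/hex mismatch: %s vs %s" % (dec, hexcode))
        out.append(errstr(int(hexcode, 16)))
    return out


# Constructed sample: the two lines from the post, rejoined onto one line each.
SAMPLE_LOG = """\
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Tue Jul 07 15:12:27 2009] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
"""

if __name__ == "__main__":
    for line in decode_log(SAMPLE_LOG):
        print(line)
```

Feed it the whole error log rather than the two lines to see whether the ASN1 reason is always the first code reported in a failing handshake; if it is, the certificate verification failure is downstream of the digest lookup, not of the client certificate's contents.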
