This might be more a question for the mod_ssl forums, but I suspect it is more fundamentally rooted in openssl than that so here goes:
Intermittently, we receive the following block of errors in our Apache SSL logs:

[Mon Jun 28 11:24:09 2010] [error] [client ip_address_scrubbed] Certificate Verification: Error (7): certificate signature failure
[Mon Jun 28 11:24:09 2010] [info] [client ip_address_scrubbed] SSL library error 1 in handshake (server hostname_scrubbed:8443)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)

We are using SSLVerifyClient because we need Apache to retrieve a cert and then pass it along to a Tomcat application. However, it's unimportant for Apache to verify the cert, thus we specify optional_no_ca. The certs we are dealing with are signed by a CA that I have added to my certificate chain (depth 1 above) simply because Apache won't let us by if it doesn't recognize the signer. This problem only appears to happen with certain hosts--so far--and those hosts are all running IIS. Is this an incompatibility with Windows' SSL software and OpenSSL? Unfortunately, I have no version information from our hosts.

Our software versions are: Solaris 10, Apache/2.2.13 (Unix) mod_jk/1.2.25 mod_ssl/2.2.13 OpenSSL/0.9.8n

Any help or further questions would be appreciated!
Chris

More detailed version of logs similar to those above:

[info] [client ip_address_scrubbed] Connection to child 6 established (server hostname_scrubbed:8443)
[info] Seeding PRNG with 136 bytes of entropy
[debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
[debug] ssl_scache_shmcb.c(393): ssl_scache_shmcb_retrieve (0x24 -> subcache 4)
[debug] ssl_scache_shmcb.c(708): shmcb_subcache_retrieve found no match
[debug] ssl_scache_shmcb.c(408): leaving ssl_scache_shmcb_retrieve successfully
[debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=GET status=MISSED id=2487124D26FCBA59B4430C253E973FF62AA2876CD92F9FE3C92A7654EE41CE3C (session renewal)
[debug] ssl_engine_kernel.c(1951): [client ip_address_scrubbed] SSL virtual host for servername hostname_scrubbed found
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[debug] ssl_engine_kernel.c(1263): [client ip_address_scrubbed] handing out temporary 1024 bit DH key
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write key exchange A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_kernel.c(1310): [client ip_address_scrubbed] Certificate Verification: depth: 1, subject: /C=US/O=InCommon Federation/CN=InCommon Certification Authority, issuer: /C=US/O=InCommon Federation/CN=InCommon Certification Authority
[debug] ssl_engine_kernel.c(1310): [client ip_address_scrubbed] Certificate Verification: depth: 0, subject: /CN=cn_scrubbed, issuer: /C=US/O=InCommon Federation/CN=InCommon Certification Authority
[error] [client ip_address_scrubbed] Certificate Verification: Error (7): certificate signature failure
[debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client ip_address_scrubbed] SSL library error 1 in handshake (server hostname_scrubbed:8443)
[info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[info] [client ip_address_scrubbed] Connection closed to child 6 with abortive shutdown (server hostname_scrubbed:8443)

A good transaction from the same IP is shown here:

[debug] ssl_scache_shmcb.c(393): ssl_scache_shmcb_retrieve (0x24 -> subcache 4)
[debug] ssl_scache_shmcb.c(708): shmcb_subcache_retrieve found no match
[debug] ssl_scache_shmcb.c(408): leaving ssl_scache_shmcb_retrieve successfully
[debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=GET status=MISSED id=2487124D26FCBA59B4430C253E973FF62AA2876CD92F9FE3C92A7654EE41CE3C (session renewal)
[debug] ssl_engine_kernel.c(1951): [client ip_address_scrubbed] SSL virtual host for servername hostname_scrubbed found
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[debug] ssl_engine_kernel.c(1263): [client ip_address_scrubbed] handing out temporary 1024 bit DH key
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write key exchange A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_kernel.c(1310): [client ip_address_scrubbed] Certificate Verification: depth: 1, subject: /C=US/O=InCommon Federation/CN=InCommon Certification Authority, issuer: /C=US/O=InCommon Federation/CN=InCommon Certification Authority
[debug] ssl_engine_kernel.c(1310): [client ip_address_scrubbed] Certificate Verification: depth: 0, subject: /CN=cn_scrubbed, issuer: /C=US/O=InCommon Federation/CN=InCommon Certification Authority
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client certificate A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read certificate verify A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read finished A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write change cipher spec A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write finished A
[debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_scache_shmcb.c(353): ssl_scache_shmcb_store (0x77 -> subcache 23)
[debug] ssl_scache_shmcb.c(645): insert happened at idx=0, data=0
[debug] ssl_scache_shmcb.c(647): finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/1495
[debug] ssl_scache_shmcb.c(378): leaving ssl_scache_shmcb_store successfully
[debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=SET status=OK id=7756074A932659CF05270103003E16BCB6FA92093ADDB45B7FF0DD4F5B002EEA timeout=300s (session caching)
[debug] ssl_engine_kernel.c(1879): OpenSSL: Handshake: done
[info] Connection: Client IP: ip_address_scrubbed, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
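The "SSL Library Error" lines above are printed with raw lib/func/reason numbers because mod_ssl logged them without OpenSSL's error-string tables loaded. The script below is an added example, not code from the poster or from the OpenSSL project: it parses those lines, unpacks the 32-bit code the way OpenSSL 0.9.8/1.0/1.1 lay it out (8 bits library, 12 bits function, 12 bits reason; OpenSSL 3.0 changed this packing, so the decoder is for logs of the era posted here), cross-checks the decimal and hex renderings against each other and against the fields mod_ssl printed, and names the identifiers that appear on this page from the OpenSSL 0.9.8 headers. The sample log is constructed from the three lines in the post. Decoded, 0D0C50A1 is ASN1_item_verify reporting "unknown message digest algorithm", which is what that function raises when it cannot look up the digest named in the client certificate's signatureAlgorithm, not when the signature bytes themselves fail to verify; 140890B2 is SSL3_GET_CLIENT_CERTIFICATE reporting "no certificate returned", the handshake-level consequence of the verify callback having failed.

```python
"""Decode mod_ssl "SSL Library Error" lines such as the ones in the post.

OpenSSL 0.9.8 through 1.1 pack an error code as a 32-bit unsigned int:
    bits 31..24  library id  (ERR_GET_LIB)
    bits 23..12  function id (ERR_GET_FUNC)
    bits 11..0   reason id   (ERR_GET_REASON)
OpenSSL 3.0 changed this layout, so this decoder is for the 0.9.8-era logs
shown here.  mod_ssl logs each code twice, as decimal and as
"error:<hex>:lib(N):func(N):reason(N)"; the latter is what ERR_error_string
emits when the library's string tables were never loaded.
"""
import re

# Constructed sample: the three "SSL Library Error" lines from the post.
SAMPLE_LOG = """\
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
"""

# Names for the identifiers that occur in the post, from the OpenSSL 0.9.8
# headers (err.h, asn1.h, ssl.h).  Anything else is reported numerically
# rather than guessed.
LIB_NAMES = {13: "ASN1", 20: "SSL"}
FUNC_NAMES = {(13, 197): "ASN1_item_verify",
              (20, 137): "SSL3_GET_CLIENT_CERTIFICATE"}
REASON_NAMES = {(13, 161): "unknown message digest algorithm",
                (20, 178): "no certificate returned"}

LINE_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8})"
    r":lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)"
)


def unpack(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_line(line):
    """Parse one mod_ssl log line; return a dict, or None if it is not an
    "SSL Library Error" line.

    The decimal and hex renderings are cross-checked against each other and
    against the lib/func/reason fields mod_ssl printed, so a line mangled in
    transit is flagged ("consistent": False) instead of silently decoded.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("hex"), 16)
    lib, func, reason = unpack(code)
    printed = (int(m.group("lib")), int(m.group("func")), int(m.group("reason")))
    consistent = code == int(m.group("dec")) and (lib, func, reason) == printed
    return {
        "code": code,
        "lib": lib,
        "func": func,
        "reason": reason,
        "consistent": consistent,
        "text": "%s:%s:%s" % (
            LIB_NAMES.get(lib, "lib(%d)" % lib),
            FUNC_NAMES.get((lib, func), "func(%d)" % func),
            REASON_NAMES.get((lib, reason), "reason(%d)" % reason),
        ),
    }


def decode_log(text):
    """Decode every error line in a log excerpt, in log order, duplicates
    kept: mod_ssl drains OpenSSL's error queue oldest-first, so the first
    line is the deepest (root) error and the last is the handshake-level one."""
    return [d for d in (decode_line(line) for line in text.splitlines()) if d]


if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        flag = "" if entry["consistent"] else "  <-- decimal/hex mismatch"
        print("%08X  %s%s" % (entry["code"], entry["text"], flag))
```

On a host with the OpenSSL command-line tool, `openssl errstr 0D0C50A1` produces the same decode from the library's own string tables; the script is for reading logs offline or from a box where only the numeric form was captured. The separate "Certificate Verification: Error (7)" line comes from the X.509 verify callback rather than the error queue, and 7 is X509_V_ERR_CERT_SIGNATURE_FAILURE in the same headers.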