These are the only messages that were appearing in the log:

[Fri Feb 24 15:16:23 2012] [error] [client XX.XX.XXX.XX] Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Feb 24 15:16:23 2012] [error] [client XX.XX.XXX.XX] Re-negotiation handshake failed: Not accepted by client!?

I needed to have SSL 3.0 and TLS 1.0 enabled on the browser as some other (I suspect IIS) sites are TLS only.

Finally, when we rolled OpenSSL back to 0.9.8r, we were able to negotiate a successful handshake with Windows 7/IE8. This is the current working configuration on the server:

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite SSLv3:TLSv1
SSLHonorCipherOrder on

I'm unfamiliar with the s_server utility. Do you have specific instructions on how/what to test?

Curtis N. Tammany

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Saturday, February 25, 2012 12:27
To: openssl-users@openssl.org
Subject: Re: Windows 7/IE8 CAC enabled sites

On Fri, Feb 24, 2012, Tammany, Curtis wrote:

> Hello-
>
> We have an Apache 2.2.22 / OpenSSL 1.0.0g / PHP 5.3.10 CAC-enabled website at a
> government location. We have a few users with Windows 7/IE8 who used to be
> able to access the site but were unable to after a Microsoft patch (KB2585542,
> http://support.microsoft.com/kb/2643584) was pushed.
>
> The server has the following configuration:
>
> SSLProtocol -all +SSLv3 +TLSv1
> SSLCipherSuite HIGH:MEDIUM
> SSLHonorCipherOrder on
>
> My understanding is that the server should listen for either SSLv3 or TLSv1
> protocols.
>
> I've been working with a Windows 7/IE8 box to troubleshoot the situation. It
> seems I can access the Apache site if SSL 3.0 only is enabled in the browser.
> If TLS 1.0 is enabled, the browser will prompt for a client certificate but
> will error out with "Internet Explorer cannot display the webpage" before
> prompting the user for their PIN. TLS 1.0 needs to be enabled in the browser
> as other (IIS) sites are TLS only.
>
> Can you offer any insight as to why our Apache site is accessible with only
> SSL 3.0 enabled in the browser????
>
> If you need more information on the issue, please let me know.

Check to see if there is a corresponding error message in the server log.

If possible try to reproduce with the s_server utility.

I've an idea what this might be. Try disabling RSA key exchange ciphersuites on the server too (adding :!kRSA to SSLCipherSuite) and see if that resolves the problem.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
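Steve's two suggestions (reproduce with s_server, and append `:!kRSA` to SSLCipherSuite), as an added example that is not part of the thread: a small shell helper that lists which key-exchange methods a mod_ssl cipher string actually permits, using the `Kx=` column of `openssl ciphers -v`, so the effect of `:!kRSA` on `HIGH:MEDIUM` can be checked before changing the server, plus an s_server/s_client pair for exercising the client-certificate handshake outside Apache. The port and the certificate/key file names are placeholders, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Print the distinct key-exchange methods (the Kx= column of
# `openssl ciphers -v`) permitted by a mod_ssl/OpenSSL cipher string.
kx_methods() {
    openssl ciphers -v "$1" 2>/dev/null \
        | sed -n 's/.*Kx=\([^ ]*\).*/\1/p' | sort -u | tr '\n' ' '
}

# Count the suites in a cipher string that use plain RSA key exchange,
# i.e. exactly the suites that appending ':!kRSA' removes.
rsa_kx_count() {
    openssl ciphers -v "$1" 2>/dev/null | grep -c 'Kx=RSA ' || true
}

# Reproduce the client-certificate handshake outside Apache. The server
# side mirrors SSLVerifyClient require + SSLCACertificateFile (the CA
# chain the client certificates are issued under); the client side plays
# the browser presenting its certificate over TLS 1.0. Paths and the
# port (4433) are placeholders.
cac_test_server() {   # usage: cac_test_server server.pem server.key ca-chain.pem
    openssl s_server -accept 4433 -cert "$1" -key "$2" \
        -CAfile "$3" -Verify 1 -cipher 'HIGH:MEDIUM:!kRSA' -www
}
cac_test_client() {   # usage: cac_test_client user.pem user.key ca-chain.pem
    openssl s_client -connect localhost:4433 -cert "$1" -key "$2" \
        -CAfile "$3" -tls1 </dev/null
}

# Compare the cipher string from the original post with Steve's variant.
for cs in 'HIGH:MEDIUM' 'HIGH:MEDIUM:!kRSA'; do
    printf '%-22s Kx: %s (RSA-kx suites: %s)\n' \
        "$cs" "$(kx_methods "$cs")" "$(rsa_kx_count "$cs")"
done
```

Run the server function in one terminal and the client function in another; the s_server output shows whether the verify step (the "Error (20)" seen in the Apache log) or the client's rejection of the renegotiation is what ends the handshake.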