[users@httpd] Fwd: secure connection works with ssl2 but not ssl3/tls

I have been struggling with this problem for a while now, hopefully someone here can point me in the right direction:

It seems to be an openssl problem rather than an apache problem, but I haven't had any response from that list so maybe someone here has experienced the same problem. Here it is:


I have compiled openssl-0.9.6g on RedHat 8.0 and it passes make test and installs OK.

I then compiled and installed Apache-SSL 1.3.29+BenSSL-1.53, but https connections only work if the browser is set to SSL2 only.

I can't see anything wrong with the Apache configuration, so I tested as follows, with the following results:


openssl s_client -ssl3 -connect www2.cyberscreen.com:443
CONNECTED(00000003)
26858:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

or, in debug mode I get the hex of the certificate displayed, it seems to read all the fields but then ends with

read from 0816CB80 [08172138] (5 bytes => 0 (0x0))
25427:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

===================================

I also get the following message written to the Apache error log when attempting ssl3/tls connections:

apache_ssl.c(298): error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed
apache_ssl.c(2042): CIPHER is AES256-SHA
apache_ssl.c(294): SSL_accept returned 0

however, openssl s_client -ssl2 -connect www2.cyberscreen.com:443 connects fine, reads the certificate and establishes the https connection.

I am using self-signed certs for testing and have re-generated them several times in case of error, but always with the same result. On an older server running RedHat 6.2 and Apache-SSL 1.3.12, OpenSSL-0.9.5d, I have had no problems for four years.

I have spent ages trawling the internet for this problem but have not found a definitive solution.
Guidance appreciated.

TIA

Peter Rose
London UK


I don't like your fashion business, mister -
  Leonard Cohen / First We Take Manhattan
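As an added example (not part of the post above), the OpenSSL error lines quoted in it can be decoded mechanically: in OpenSSL 0.9.x/1.x the 8-hex-digit code packs library, function and reason as (lib << 24) | (func << 12) | reason, so the client-side and server-side lines can be checked for consistency and compared by reason. The sample input is constructed from the lines in the post; the only assumed constant is ERR_LIB_SSL = 20 ("SSL routines"), and the layout does not apply to OpenSSL 3.x, which dropped the function field.

```python
import re

# OpenSSL 0.9.x/1.x packs an error code as (lib << 24) | (func << 12) | reason
# and prints "error:<code>:<lib name>:<func name>:<reason>[:<file>:<line>]".
ERR_LIB_SSL = 20  # 0x14, printed as "SSL routines" (assumed constant)

# Constructed sample: the s_client output and Apache error-log lines from the post.
SAMPLE_LINES = """\
26858:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
25427:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
apache_ssl.c(298): error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed
apache_ssl.c(2042): CIPHER is AES256-SHA
apache_ssl.c(294): SSL_accept returned 0
"""

ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:\n]+)"
    r"(?::(?P<file>[^:\s]+):(?P<line>\d+))?"
)

def decode_code(code):
    """Split a packed 32-bit OpenSSL error code into its three numeric fields."""
    n = int(code, 16)
    return {"lib_id": n >> 24, "func_id": (n >> 12) & 0xFFF, "reason_id": n & 0xFFF}

def parse_errors(text):
    """Return one record per OpenSSL error line; other lines (e.g. the CIPHER
    line) are skipped. Each record carries the textual fields, the decoded
    ids, which side of the connection logged it, and whether the numeric
    library id agrees with the printed library name."""
    records = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec.update(decode_code(rec["code"]))
        rec["side"] = "server" if line.startswith("apache_ssl.c") else "client"
        rec["lib_ok"] = (rec["lib_id"] == ERR_LIB_SSL) == (rec["lib"] == "SSL routines")
        records.append(rec)
    return records

def reasons_by_side(records):
    """Map client/server to the sorted reasons each end reported, so the two
    ends of a failed handshake can be compared at a glance."""
    out = {}
    for r in records:
        out.setdefault(r["side"], set()).add(r["reason"])
    return {side: sorted(v) for side, v in out.items()}

if __name__ == "__main__":
    for r in parse_errors(SAMPLE_LINES):
        print(r["side"], r["code"], r["func"], r["func_id"], r["reason"], r["reason_id"])
    print(reasons_by_side(parse_errors(SAMPLE_LINES)))
```

On the post's lines this shows the client only ever seeing a generic "ssl handshake failure" (reason 229) while the server records "digest check failed" (reason 149) in SSL3_GET_FINISHED, i.e. the Finished-message verification is where the SSL3/TLS handshake breaks.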

