I've successfully built Apache 2.2.3 with OpenSSL 0.9.9[dev] and generated the ECC cert using curve secp521r1. When I tried with openssl s_server, my client (Firefox) could browse to my site running on ECC cert successfully. But when I use my client to connect to my Apache web server via 443, my client is getting the error 'Firefox can't connect securely to localhost because the site uses a security protocol which isn't enabled'.

Interestingly the loading of cert actually occurred 4 times. Is this normal? I've applied the fixes in bug 40132 to expose ECC cipher suites too.

This is the latest log I've got when I set the log level to debug.

[Tue Nov 07 10:18:25 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:25 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:27 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:28 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:28 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:29 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:30 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:30 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:31 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:31 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:33 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] Connection to child 249 established (server www.example.com:443)
[Tue Nov 07 10:18:38 2006] [info] Seeding PRNG with 144 bytes of entropy
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1780): OpenSSL: Handshake: start
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: before/accept initialization
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#53c8f8 [mem: 5d0010] (BIO dump follows)
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0000: 80 6d 01 03 00 00 54 00-00 00 10                .m....T....      |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 100/100 bytes from BIO#53c8f8 [mem: 5d001b] (BIO dump follows)
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 c0 0a 00 c0 14 00 00-39 00 00 38 00 c0 0f 00 ........9..8.... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0010: c0 05 00 00 35 00 c0 07-00 c0 09 00 c0 11 00 c0 ....5........... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0020: 13 00 00 33 00 00 32 00-c0 0c 00 c0 0e 00 c0 02 ...3..2......... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0030: 00 c0 04 00 00 04 00 00-05 00 00 2f 00 c0 08 00 .........../.... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0040: c0 12 00 00 16 00 00 13-00 c0 0d 00 c0 03 00 fe ................ |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0050: ff 00 00 0a 5b 50 b2 e9-25 9a 13 c4 60 5f 86 5e ....[P..%...`_.^ |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0060: 9e 50 2c d8                                     .P,.             |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1798): OpenSSL: Write: SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1817): OpenSSL: Exit: error in SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1817): OpenSSL: Exit: error in SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] SSL library error 1 in handshake (server www.example.com:443)
[Tue Nov 07 10:18:38 2006] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] Connection closed to child 249 with abortive shutdown (server www.example.com:443)
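
Added example, not part of the original post: the two BIO dumps in the log are an SSLv2-compatible ClientHello, and decoding them lists the cipher suites the client offered, which is the client half of a "no shared cipher" comparison. The function names are made up for illustration, and the ECC suite names are derived from the RFC 4492 code-point layout.

```python
import struct

# Bytes copied from the two BIO dumps in the post: 11-byte header, 100-byte body.
HEADER = bytes.fromhex("80 6d 01 03 00 00 54 00 00 00 10")
BODY = bytes.fromhex(
    "00 c0 0a 00 c0 14 00 00 39 00 00 38 00 c0 0f 00"
    "c0 05 00 00 35 00 c0 07 00 c0 09 00 c0 11 00 c0"
    "13 00 00 33 00 00 32 00 c0 0c 00 c0 0e 00 c0 02"
    "00 c0 04 00 00 04 00 00 05 00 00 2f 00 c0 08 00"
    "c0 12 00 00 16 00 00 13 00 c0 0d 00 c0 03 00 fe"
    "ff 00 00 0a 5b 50 b2 e9 25 9a 13 c4 60 5f 86 5e"
    "9e 50 2c d8"
)

# RFC 4492 assigns 0xC001-0xC019 as five key exchanges x five ciphers, in order.
KX = ["ECDH_ECDSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDHE_RSA", "ECDH_anon"]
ENC = ["NULL_SHA", "RC4_128_SHA", "3DES_EDE_CBC_SHA", "AES_128_CBC_SHA", "AES_256_CBC_SHA"]

def parse_v2_client_hello(header, body):
    """Parse an SSLv2-format ClientHello split as in the log (header, then rest)."""
    if len(header) != 11 or not header[0] & 0x80:
        raise ValueError("expected an 11-byte header with a 2-byte SSLv2 record length")
    rec_len = ((header[0] & 0x7F) << 8) | header[1]
    msg_type, version, spec_len, sid_len, chal_len = struct.unpack(">BHHHH", header[2:])
    want = spec_len + sid_len + chal_len
    if msg_type != 1 or rec_len != 9 + want or len(body) != want or spec_len % 3:
        raise ValueError("malformed or truncated ClientHello")
    specs = [body[i:i + 3] for i in range(0, spec_len, 3)]
    # A leading 0x00 marks an SSLv3/TLS suite; the other two bytes are its code point.
    suites = [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0]
    return {"version": version, "suites": suites, "challenge": body[spec_len + sid_len:]}

def ecc_suite_names(suites):
    """Return RFC 4492 names for the ECC suites in the offer, in client order."""
    names = []
    for code in suites:
        if 0xC001 <= code <= 0xC019:
            kx, enc = divmod(code - 0xC001, 5)
            names.append(f"TLS_{KX[kx]}_WITH_{ENC[enc]}")
    return names

if __name__ == "__main__":
    hello = parse_v2_client_hello(HEADER, BODY)
    print(f"version {hello['version']:#06x}, {len(hello['suites'])} suites offered")
    for name in ecc_suite_names(hello["suites"]):
        print(" ", name)
```

Comparing this list with the output of `openssl ciphers -v` for the server's SSLCipherSuite string shows whether the two sides have any ECC suite in common.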