SSL library error 336151570 in handshake w/ confirmed cert (CN=ServerName, valid, etc)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey list,

I've been struggling with this error for weeks now, and still havent
even got close to a solution. I have the following setup

Server
Linux gdshu2.XXX 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686
i686 i386 GNU/Linux
/usr/local/apache2/bin/httpd -v
Server version: Apache/2.0.63
Server built:   Feb 18 2009 12:21:06

Log level is set to debug.

Server cert
openssl verify /usr/local/apache2/certs/server.crt
/usr/local/apache2/certs/server.crt:
/C=HU/ST=Budapest/L=Budapest/O=XXX/OU=GPS
UNIX/CN=gdshu2.XXX/emailAddress=XXX

(XXX is where I've applied some censorship :-)

Clients
A: - desktop, firefox
B: - desktop, internet explorer
C: - an enterprise service bus client

A complains about how the cert is not signed by a trusted CA. That's ok.
I add an exception on the client. This is what I see on the apache error
log
[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL:
Read: SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL:
Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [info] SSL library error 1 in handshake
(server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:18:50 2009] [info] SSL Library Error: 336151576
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Wed Feb 18 15:18:50 2009] [info] Connection to child 4 closed with
abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

B complains about the same, halts the connection with a dialog box. (I
think handshake goes well here) debug on server side is

[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 read finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 write change cipher spec A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 write finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 flush data
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1735): OpenSSL:
Handshake: done
[Wed Feb 18 15:20:43 2009] [info] Connection: Client IP:
169.162.137.225, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_io.c(1708): OpenSSL: I/O
error, 5 bytes expected to read on BIO#9c50768 [mem: 9c62398]
[Wed Feb 18 15:20:43 2009] [info] (70014)End of file found: SSL input
filter read failed.
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1749): OpenSSL:
Write: SSL negotiation finished successfully
[Wed Feb 18 15:20:43 2009] [info] Connection to child 2 closed with
standard shutdown(server gdshu2.XXX:443, client 169.XXX)

C fails miserably at handshake, and this is my problem. Debug log says

[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL:
Read: SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL:
Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [info] SSL library error 1 in handshake
(server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Subject CN in certificate not server name or identical to CA!?
[Wed Feb 18 15:03:36 2009] [info] Connection to child 3 closed with
abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

Now, you would assume I have different CN on the cert and ServerName in
Apache. I don't ! Besides checking the cert and the config files
manually, Apache never complains about this at startup

[Wed Feb 18 15:23:28 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(385): Creating new
SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(696): Configuring
RSA server certificate
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(735): Configuring
RSA server private key
[Wed Feb 18 15:23:28 2009] [info] Loading certificate & private key of
SSL-aware server
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_pphrase.c(469):
unencrypted RSA private key - pass phrase not required
[Wed Feb 18 15:23:29 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(385): Creating new
SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(696): Configuring
RSA server certificate
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(735): Configuring
RSA server private key

My question is: how is this error invoked when my server cert is valid?
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Subject CN in certificate not server name or identical to CA!?

Also, SSLVerifyCertificate is not enabled (it is not in any of the
loaded config files and it client certificate verification is disabled
by default, right?)

Thanks much & regards,
Andrew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux