On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall. I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox: "Secure connection failed. An error occurred during a connection to xxxxxx. SSL peer reports incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a different idea of what their session keys are. This happens when the pre-master secret that the client sent was decrypted with a private key that does not belong to the certificate that the server passed to the client.

Do you by any chance use a Hardware Security Module to protect the private key?

Can you try using your key file and certs with a simple test server included with openssl? Like so:

    openssl s_server -cert /path/to/yourSSLCertificateFile -key /path/to/yourSSLCertificateKeyFile -CAfile /path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

    curl -i https://localhost:4433/

or

    openssl s_client -connect localhost:4433

and see if that works.

S.

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results. This is hosted on a Solaris sparc box. The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server. I've called Verisign; I have valid certificates, but they've never heard of this error before. If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).
>
> Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris). I've also tried statically linking Apache during compile with the same results.
>
> If anyone has any ideas or suggestions, I'd very much appreciate them...
>
> Thank you,
> John

--
Sander Temme
sctemme@xxxxxxxxxx
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
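The reply above attributes the bad-MAC alert to a private key that does not belong to the certificate the server presents. As an added example (not part of the original thread), the following shell script checks that pairing offline by comparing the public key in the certificate with the one derived from the key file; the function names and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): offline check that a private
# key belongs to a certificate, by comparing the public key derived from each.
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    cert_file=$1
    key_file=$2
    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    # Public half derived from the private key; works for RSA and EC keys.
    # A passphrase-protected key makes openssl prompt here.
    key_pub=$(openssl pkey -in "$key_file" -pubout 2>/dev/null) || return 2
    # Empty output must never compare equal and be reported as a match.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Human-readable wrapper for use on the real files.
report_pair() {
    if key_matches_cert "$1" "$2"; then
        echo "MATCH: $2 belongs to $1"
    else
        case $? in
            1) echo "MISMATCH: $2 does not belong to $1" ;;
            *) echo "ERROR: could not parse $1 or $2" ;;
        esac
    fi
}

# Demo on constructed throwaway material: one matching pair, one stray key.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$d/server.key" -out "$d/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    report_pair "$d/server.crt" "$d/server.key"
    report_pair "$d/server.crt" "$d/other.key"
    rm -rf "$d"
}
demo
```

On a real server, call `report_pair` with the files named by `SSLCertificateFile` and `SSLCertificateKeyFile`; a mismatch there is consistent with the cause described in the reply.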