Re: SSL on Apache 2.2.14

["John J. Consolati" <consolati1@xxxxxxxx>]

Thank you for the reply.

Unfortunately, upgrading Solaris isn't an option.  Here is the version  
I have to work with (quite old..):

bash-2.05# cat /etc/release
                        Solaris 9 4/04 s9s_u6wos_08a SPARC
           Copyright 2004 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                             Assembled 22 March 2004
bash-2.05# uname -a
SunOS lucky 5.9 Generic_118558-17 sun4u sparc SUNW,Sun-Fire-V250

I've been using the Sun cc, not gcc, to compile everything.


Here is the output from the openSSL commands:

openssl -certs....etc etc

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQgXdTo4sJayMnyXJOOV7YI1JLumr7lqj4Sj+kZZTIeX2wE
MO2ne8Ry2DUppChW6xz01mi4gMU+WsyaH6SPREMHpFcSCBYmpX5sD+VVBS3F/Ajy
V6EGAgRLDXPAogQCAgEspAYEBAAAAAE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH- 
RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128- 
SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:EDH-RSA- 
DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC- 
SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA



And on the other terminal:

bash-2.05$ openssl s_client -connect localhost:4433
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of  
use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Livermore/O=Lawrence Livermore National  
Laboratory/OU=Environmental Restoration Division erdc/CN=www- 
erdc.llnl.gov
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use  
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use  
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification  
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate hash...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Livermore/O=Lawrence Livermore National  
Laboratory/OU=Environmental Restoration Division erdc/CN=www- 
erdc.llnl.gov
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of  
use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure  
Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2973 bytes and written 258 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:  
5DD4E8E2C25AC8C9F25C938E57B608D492EE9ABEE5AA3E128FE91965321E5F6C
    Session-ID-ctx:
    Master-Key:  
EDA77BC472D83529A42856EB1CF4D668B880C53E5ACC9A1FA48F444307A45712081626A57E6C0FE555052DC5FC08F257
    Key-Arg   : None
    Start Time: 1259172800
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Looks like there is a problem with one of the certificates, but I'm  
not sure how to proceed...

Again, thank you for your help, I appreciate it.

Regards,
John


On Nov 25, 2009, at 10:00 AM, daniel.goulder@xxxxxxxxx wrote:

> This sounds like a Solaris bug.
>
> Make sure you have a recent version of Solaris or the latest patches
> installed...
>
> What release/patch level are you using?
>
> Danny
>
> ________________________________
>
> From: "John J. Consolati" <consolati1@xxxxxxxx> [mailto:"John J.
> Consolati" <consolati1@xxxxxxxx>]
> Sent: 25 November 2009 17:23
> To: users@xxxxxxxxxxxxxxxx
> Subject:  SSL on Apache 2.2.14
>
>
> Hello,
>
> Hopefully someone will be able to help, as I've been working on this
> problem for quite a while and have hit a wall. I'm trying to upgrade
> Apache 2.0.47 to 2.2.14, and I need SSL support. Everything seems to
> build and compile okay, but when I try to access my site running on
> 2.2.14, I get a strange error from Firefox: "Secure connection
> failed. An error occurred during a connection to xxxxxx. SSL peer
> reports incorrect Message Authentication Code. (Error code:
> ssl_error_bad_mac_alert)."
>
> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same
> results. This is hosted on a Solaris sparc box. The 2.2.14 server is
> utilizing all the same files and SSL certificates as the 2.0.47
> server. I've called Verisign; I have valid certificates, but they've
> never heard of this error before. If I self-sign a certificate and
> test it with the 2.2.14 server, it seems to work (except for the
> expected error message regarding self-signed certificates).
>
> Searching on Google has led me to try forcing Apache to compile with
> prefork enabled (but it seems to default to that anyway on Solaris).
> I've also tried statically linking Apache during compile with the same
> results.
>
> If anyone has any ideas or suggestions, I'd very much appreciate  
> them...
> Thank you,
> John
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See < URL:http://*httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://*www.*messagelabs.com/email
> ______________________________________________________________________
>
>
> ______________________________________________________________________
> This e-mail and any attached files are intended for the named  
> addressee only. It contains information, which may be confidential  
> and legally privileged and also protected by copyright. Unless you  
> are the named addressee (or authorised to receive for the addressee)  
> you may not copy or use it, or disclose it to anyone else. If you  
> received it in error please notify the sender immediately and then  
> delete it from your system. Please be advised that the views and  
> opinions expressed in this e-mail may not reflect the views and  
> opinions of Associated Newspapers Limited or any of its subsidiary  
> companies. We make every effort to keep our network free from  
> viruses. However, you do need to check this e-mail and any  
> attachments to it for viruses as we can take no responsibility for  
> any computer virus which may be transferred by way of this e-mail.  
> Use of this or any other e-mail facility signifies consent to any  
> interception we might lawfully carry out to prevent abuse of these  
> faciliti
> es.
> Associated Newspapers Ltd. Registered Office: Northcliffe House, 2  
> Derry St, Kensington, London, W8 5TT. Registered No 84121 England.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx