http://bugzilla.novell.com/show_bug.cgi?id=558176

http://bugzilla.novell.com/show_bug.cgi?id=558176#c0

           Summary: openssl "error in SSLv3 read client hello A"
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Apache
        AssignedTo: bnc-team-apache@forge.provo.novell.com
        ReportedBy: jc@phocean.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4

I am having an issue with mod_ssl client authentication.

After migrating a Debian Lenny box to openSUSE 11.2, I moved the certificates and kept almost the same Apache virtual host configuration.

However, I have never been able to get the client authentication to work. The browser doesn't even prompt me for the client certificate and sends out a generic alert message: "ssl_error_handshake_failure_alert".

Here is the debug trace:

[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

My virtual host directory configuration is pretty straightforward:
My Apache configuration hasn't changed:

<Directory /secured>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    Order allow,deny
    allow from All
</Directory>

Of course, I have tried all the possible combinations that a non-SSL specialist can try (I have been searching almost exclusively for 3 days). I mean I:
- renewed all the certificates several times, from the CA to the client
- tried several mod_ssl tweaks, related to the browser, session cache, etc.
- tried several browsers
- tried several SSL keys and cipher protocols

In the end, I took a blank Debian virtual machine. Within 5 minutes, I configured a directory with the same settings, transferred the certificates and... it worked!!!

So there is definitely something wrong, but neither with my certificates nor with the Apache configuration.

Why could it be? Is there anything specific about the openssl version embedded in openSUSE?

Thank you in advance for looking at it.

Reproducible: Always
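Added example, not part of the original report: a small parser for mod_ssl debug output like the trace above. It extracts the OpenSSL state callbacks and reports in which state the handshake aborted and whether Apache logged it as a renegotiation. The function names are hypothetical, the sample lines are copied from the trace, and treating a failure without the "Re-negotiation handshake failed" line as an initial-handshake failure is an assumption.

```python
import re
# Lines copied from the debug trace in the report above.
TRACE = """\
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                  r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
STATE = re.compile(r"OpenSSL: (?P<kind>Handshake|Loop|Read|Write|Exit): (?P<text>.*)$")
RENEG = "Re-negotiation handshake failed"

def parse_trace(text):
    """Split an Apache error log into dicts; 'state' is set for OpenSSL state callbacks."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "[timestamp] [level] message" line
        ev = m.groupdict()
        s = STATE.search(ev["msg"])
        ev["state"] = (s["kind"], s["text"]) if s else None
        events.append(ev)
    return events

def diagnose(events):
    """Summarise the first failed handshake, or return None if none failed."""
    states = []
    for i, ev in enumerate(events):
        if ev["state"] is None:
            continue
        kind, text = ev["state"]
        if kind == "Handshake" and text == "start":
            states = []  # a new handshake begins; forget the previous one
        states.append(text)
        if kind == "Exit" and text.startswith("error in "):
            reneg = [e for e in events[i + 1:] if e["level"] == "error" and RENEG in e["msg"]]
            return {
                "failed_state": text[len("error in "):],
                "phase": "renegotiation" if reneg else "initial",
                "client": reneg[0]["client"] if reneg else None,
                "states_seen": states[:-1],
            }
    return None
```

For the trace above, `diagnose(parse_trace(TRACE))` reports a failure in state "SSLv3 read client hello A" during a renegotiation. mod_ssl requests such a renegotiation when SSLVerifyClient is set in a per-directory context, as in the <Directory /secured> block.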