[Bug 558176] New: openssl "error in SSLv3 read client hello A"
http://bugzilla.novell.com/show_bug.cgi?id=558176
http://bugzilla.novell.com/show_bug.cgi?id=558176#c0
Summary: openssl "error in SSLv3 read client hello A"
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: jc@phocean.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-1.1.2 Firefox/3.5.4
I am having an issue with mod-ssl client authentication.
After migrating a Debian Lenny box to openSUSE 11.2, I moved the certificates
and kept almost the same apache virtual host configuration.
However, I have never been able to get the client authentication to work. The
browser doesn't even prompt me for the client certificate and sends out a
generic alert message: "ssl_error_handshake_failure_alert".
Here is the debug trace:
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
My virtual host directory configuration is pretty straight-forward :
My apache configuration hasn't changed :
http://bugzilla.novell.com/show_bug.cgi?id=558176#c1
--- Comment #1 from jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c
jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c2
--- Comment #2 from jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c3
--- Comment #3 from jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c4
--- Comment #4 from jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c5
Marcus Meissner
http://bugzilla.novell.com/show_bug.cgi?id=558176#c6
Tomas Hoger
http://bugzilla.novell.com/show_bug.cgi?id=558176#c7
--- Comment #7 from jean-christophe baptiste
http://bugzilla.novell.com/show_bug.cgi?id=558176#c8
--- Comment #8 from Guanjun He
http://bugzilla.novell.com/show_bug.cgi?id=558176#c9
Thomas Biege
http://bugzilla.novell.com/show_bug.cgi?id=558176#c10
Thomas Schmühl
http://bugzilla.novell.com/show_bug.cgi?id=558176#c13
Willy Weisz
As soon as the problem is really solved upstream we will release updates.
It's already solved in openssl-0.9.8, but this version isn't available as openSuSE RPM. So please release a corresponding update!!!
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=558176#c14
--- Comment #14 from Willy Weisz
As soon as the problem is really solved upstream we will release updates.
It's already solved in openssl-0.9.8m(!) which incorporates TLS renegotiation according to RFC 5746, but this version isn't available as openSuSE RPM. So please release a corresponding update!!! And please release an Apache 2.2.15 RPM compiled against openssl-0.9.8m which allows to accept or reject unsecure "old-style" TLS renegotiations.
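The failure signature in the debug trace from the original report, turned into a log check (an added example, not part of the bug thread or of mod_ssl): it rejoins mail-wrapped lines and pairs each "Re-negotiation handshake failed" error with the OpenSSL handshake state logged just before it. The function names, the 2-second correlation window and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample shaped like the trace in the report: two lines are
# wrapped the way the mail shows them; 192.0.2.10 is a documentation address.
SAMPLE = """\
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 192.0.2.10] Re-negotiation handshake failed: Not accepted by client!?
"""

STAMP = re.compile(r"\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\] ")
LINE = re.compile(r"\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
                  r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)")
EXIT_ERR = re.compile(r"OpenSSL: Exit: error in (?P<state>.+)")

def rejoin(log_text):
    """Glue mail-wrapped continuation lines back onto their log record."""
    records = []
    for raw in log_text.splitlines():
        if STAMP.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def failed_renegotiations(log_text, window_s=2):
    """One dict per failed renegotiation, with the OpenSSL handshake state
    named by the closest preceding 'Exit: error in ...' debug record."""
    findings, last_exit = [], None          # last_exit = (time, state)
    for record in rejoin(log_text):
        m = LINE.match(record)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        exit_err = EXIT_ERR.search(m["msg"])
        if "OpenSSL: Handshake: start" in m["msg"]:
            last_exit = None                # new handshake, drop old state
        elif exit_err:
            last_exit = (ts, exit_err["state"])
        elif m["level"] == "error" and "Re-negotiation handshake failed" in m["msg"]:
            fresh = last_exit and (ts - last_exit[0]).total_seconds() <= window_s
            findings.append({"time": ts, "client": m["client"],
                             "stalled_in": last_exit[1] if fresh else None})
            last_exit = None
    return findings
```

The `stalled_in` field is only filled when the server runs with `LogLevel debug`, since the handshake state lines are debug records.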