error in SSLv2/v3 read client hello A

on 23.11.2009 01:29:29 by Jean-Christophe Baptiste

Hi all,

I have been using client certificate for a while (more than 2 years)
successfully.

But now, after migrating a server, I am stuck with a problem that I have
no idea how to handle.
I just spent 10 hours googling around and reading the doc without
finding any clue.

On my new set-up, the web browser seems to reject the negotiation :

[Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
[Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
[Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)

I have tried a bunch of different settings. Of course, I re-generated
several times all the certificates, from the CA to the client.
Both the CA and the client were imported into the web browser.

The mod-ssl settings are in no point different from the previous
machine, so what am I missing ?

So any help, any hint would be greatly appreciated.

Thank you in advance,

Regards,
Jean-Christophe






____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
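
Added example, not part of the original thread: the BIO dump in the message above holds the first bytes the server read on port 443, and this Python sketch decodes such a dump row and classifies those bytes as a TLS record, an SSLv2-style hello or plaintext HTTP. The function names and the sample list are assumptions made for illustration; the sample lines are the log lines from the message, unwrapped.

```python
import re

# Constructed sample: BIO dump lines copied from the first message, unwrapped.
SAMPLE_LOG = [
    "[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read "
    "11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)",
    "[Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): "
    "| 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |",
]

# One dump row: '| <offset>: <hex pairs separated by space or dash> <ascii> |'.
# Limitation: with collapsed whitespace, an ASCII column that itself starts
# with lowercase hex pairs would be read as extra bytes.
DUMP_ROW = re.compile(r"\|\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}[ -]){1,16})")
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")
# TLS record content types: change_cipher_spec, alert, handshake, app data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def parse_bio_dump(lines):
    """Return the raw bytes carried by the dump rows found in `lines`."""
    data = bytearray()
    for line in lines:
        m = DUMP_ROW.search(line)
        if m:
            data += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(data)


def classify_first_bytes(data):
    """Label the first bytes a server read on its TLS port."""
    # SSLv3/TLS record header: content type, then major version 3.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return "tls-record"
    # SSLv2-compatible hello: 2-byte length with the high bit set, type 1.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 1:
        return "sslv2-client-hello"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


if __name__ == "__main__":
    first = parse_bio_dump(SAMPLE_LOG)
    print(first, classify_first_bytes(first))
```

Apache's internal dummy connection sends a plaintext `OPTIONS *` request from the loopback address, which matches the `[client ::1]` entry in that log.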

Re: error in SSLv2/v3 read client hello A

on 24.11.2009 17:24:17 by Jean-Christophe Baptiste

I am still stuck with the same issue :

[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

I renewed one more time all my certificates, so I don't think there is
anything wrong with it.
My apache configuration hasn't changed :

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
Order allow,deny
allow from All


And any browser (Firefox, Opera) fails so I don't think it is a browser
issue.
Of course, I imported the CA and the client certificate...

And still no prompt for the client certificate...

Really no hint ? Could it be a bug in the distro package ?

Thanks.

On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste
wrote:
> Hi all,
>
> I have been using client certificate for a while (more than 2 years)
> successfully.
>
> But now, after migrating a server, I am stuck with a problem that I have
> no idea how to handle.
> I just spent 10 hours googling around and reading the doc without
> finding any clue.
>
> On my new set-up, the web browser seems to reject the negotiation :
>
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
>
> I have tried a bunch of different settings. Of course, I re-generated
> several times all the certificates, from the CA to the client.
> Both the CA and the client were imported into the web browser.
>
> The mod-ssl settings are in no point different from the previous
> machine, so what am I missing ?
>
> So any help, any hint would be greatly appreciated.
>
> Thank you in advance,
>
> Regards,
> Jean-Christophe


Re: error in SSLv2/v3 read client hello A

on 24.11.2009 22:37:50 by Jean-Christophe Baptiste

I continue talking to myself about it.

Just to let people know that I submitted a bug to openSUSE, because it
took me less than 5 minutes to get a blank Debian virtual machine to
work with the exact same certificates, virtual host configuration and
browser.

There is definitely something weird...


On Tuesday 24 November 2009 at 17:24 +0100, Jean-Christophe Baptiste
wrote:
> I am still stuck with the same issue :
>
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
> [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
>
> I renewed one more time all my certificates, so I don't think there is
> anything wrong with it.
> My apache configuration hasn't changed :
>
> SSLRequireSSL
> SSLVerifyClient require
> SSLVerifyDepth 1
> Order allow,deny
> allow from All
>
>
> And any browser (Firefox, Opera) fails so I don't think it is a browser
> issue.
> Of course, I imported the CA and the client certificate...
>
> And still no prompt for the client certificate...
>
> Really no hint ? Could it be a bug in the distro package ?
>
> Thanks.
>
> On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste
> wrote:
> > Hi all,
> >
> > I have been using client certificate for a while (more than 2 years)
> > successfully.
> >
> > But now, after migrating a server, I am stuck with a problem that I have
> > no idea how to handle.
> > I just spent 10 hours googling around and reading the doc without
> > finding any clue.
> >
> > On my new set-up, the web browser seems to reject the negotiation :
> >
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
> >
> > I have tried a bunch of different settings. Of course, I re-generated
> > several times all the certificates, from the CA to the client.
> > Both the CA and the client were imported into the web browser.
> >
> > The mod-ssl settings are in no point different from the previous
> > machine, so what am I missing ?
> >
> > So any help, any hint would be greatly appreciated.
> >
> > Thank you in advance,
> >
> > Regards,
> > Jean-Christophe
