Unable to establish an SSL session
on 20.06.2002 15:19:24 by Pierre.HURET
Hi,
I am trying to replace an IBM edge server reverse proxy with an APACHE 2.0.36 /
Mod_proxy / Mod_ssl / openssl 0.9.6d. The reverse proxy deals with the SSL
part with the client, and works with my back end server in HTTP.
I have 3 types of client which reach the reverse proxy: standard
browsers, a Java client and a CGI client. All of them call the same URL:
https://..........
All 3 clients work fine with the IBM reverse proxy. Only 2 of 3 clients work
fine with the Apache reverse proxy: I'm not able to find why the CGI client
cannot establish an SSL session!
I'm searching for some new ways to find the solution: a new trace, some
particular settings, etc.
Does someone know how to read through the "BIO DUMP"?
Here are the 3 traces from the 3 clients (ssl_engine_log):
######################From an IE 6
Browsers#################################################### ######
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Handshake: start
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: before/accept
initialization
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 11/11 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 00 00 61 01 00 00-5d 03 ....a...].
|
| 000b -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 91/91 bytes from
BIO#301A2CC8 [mem: 301AC733] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 3d 11 be 01 d5 f6 b1 23-d5 62 52 d3 b1 4b d7 7d
=......#.bR..K.} |
| 0010: dc bd 91 70 ea 40 df 3e-3d a2 21 a6 bd 40 db e2
....p.@.>=.!..@.. |
| 0020: 20 29 bf bf 69 76 ad 4e-3e 78 73 1d 80 68 10 db
)..iv.N>xs..h.. |
| 0030: 44 41 68 8d f0 62 2f 96-c2 81 1a fa 2d a0 f1 f4
DAh..b/.....-... |
| 0040: 1b 00 16 00 04 00 05 00-0a 00 09 00 64 00 62 00
.............d.b. |
| 0050: 03 00 06 00 13 00 12 00-63 01 ........c.
|
| 005b -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [trace] Inter-Process Session Cache:
request=GET status=FOUND
id=29BFBF6976AD4E3E78731D806810DB4441688DF0622F96C2811AFA2DA0F1F41B
(session reuse)
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 write change
cipher spec A
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 write finished
A
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 5/5 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 14 03 00 00 01 .....
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 1/1 bytes from
BIO#301A2CC8 [mem: 301AC72D] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 01 .
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 5/5 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 00 00 38 ....8
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [debug] OpenSSL: read 56/56 bytes from
BIO#301A2CC8 [mem: 301AC72D] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 13 3a af b4 52 6a a1 f9-40 8b 29 2b 03 3f 36 f8
..:..Rj..@.)+.?6. |
| 0010: bc e0 2c 98 c1 ba 88 d8-db ff 43 5d 01 af 36 47
...,.......C]..6G |
| 0020: 76 81 2d 1b b1 a9 b1 75-fb 1c b6 49 70 04 d5 30
v.-....u...Ip..0 |
| 0030: da fa cd a0 82 98 12 ae- ........
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Loop: SSLv3 read finished
A
[20/Jun/2002 13:31:25 14914] [trace] OpenSSL: Handshake: done
#############################FROM a JAVA client
#######################################
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Handshake: start
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: before/accept
initialization
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 11/11 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 00 5d 01 00 00-59 03 01 ....]...Y..
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 87/87 bytes from
BIO#301A2CC8 [mem: 301AC733] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 3d 11 bd 7e 02 8f 4a 6d-a0 ca 8d 96 f8 45 bc b1
=..~..Jm.....E.. |
| 0010: 68 35 40 f5 de 70 1a 2b-b2 e4 bc 0a 00 90 d3 94
h5@..p.+........ |
| 0020: 20 85 e4 ff 82 ea 00 fb-fb 86 66 94 47 78 a4 98
..........f.Gx.. |
| 0030: 5d d4 5b e2 85 a1 b8 3a-ce 7c 0a 3e 25 85 27 92
].[....:.|.>%.'. |
| 0040: 07 00 12 00 04 00 05 00-09 00 0a 00 03 00 08 00
................. |
| 0050: 06 00 01 00 02 01 ......
|
| 0057 -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [trace] Inter-Process Session Cache:
request=GET status=MISSED
id=85E4FF82EA00FBFB8666944778A4985DD45BE285A1B83ACE7C0A3E2585279207
(session renewal)
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 write
certificate A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 write server
done A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 5/5 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 00 46 ....F
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 70/70 bytes from
BIO#301A2CC8 [mem: 301AC72D] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 10 00 00 42 00 40 36 5b-7b db 01 6a c6 dc 3f 3d
....B.@6[{..j..?= |
| 0010: f8 a4 36 c4 1a 9a 48 91-da 6a 93 88 4f 8f 56 17
...6...H..j..O.V. |
| 0020: d0 c1 2e ec 37 72 d1 af-2c 04 2b a0 e6 01 41 fd
.....7r..,.+...A. |
| 0030: d8 16 f5 4e e5 fc 47 66-01 61 2c 8e 87 ac 9f bb
....N..Gf.a,..... |
| 0040: 38 fb 4a b2 02 53 8.J..S
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 read client
key exchange A
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 5/5 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 14 03 01 00 01 .....
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 1/1 bytes from
BIO#301A2CC8 [mem: 301AC72D] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 01 .
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 5/5 bytes from
BIO#301A2CC8 [mem: 301AC728] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 ...
|
| 0005 -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [debug] OpenSSL: read 32/32 bytes from
BIO#301A2CC8 [mem: 301AC72D] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: b7 af 39 95 65 14 be c0-55 e8 df 25 b9 fe 62 e2
...9.e...U..%..b. |
| 0010: 80 eb 47 74 8b 74 cd 09-3d cf 1f a3 a7 85 2d 99
...Gt.t..=.....-. |
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 read finished
A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 write change
cipher spec A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 write finished
A
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Jun/2002 13:30:38 10436] [trace] Inter-Process Session Cache:
request=SET status=OK
id=BAF123503A2978BE228BE6C2A7BE69CF58779AF1D98B1432175E0C745D6E3623
timeout=300s (session caching)
[20/Jun/2002 13:30:38 10436] [trace] OpenSSL: Handshake: done
################FROM a CGI client
##################################################
[20/Jun/2002 11:05:50 13532] [trace] OpenSSL: Handshake: start
[20/Jun/2002 11:05:50 13532] [trace] OpenSSL: Loop: before/accept
initialization
[20/Jun/2002 11:05:50 13532] [debug] OpenSSL: read 11/11 bytes from
BIO#3017F2A8 [mem: 301C7EF8] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 80 6b 01 03 01 00 42 .k....B
|
| 000b -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:50 13532] [debug] OpenSSL: read 98/98 bytes from
BIO#3017F2A8 [mem: 301C7F03] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 00 00 16 00 00 13 00 00-0a 00 00 07 00 00 05 00
................. |
| 0010: 00 04 00 00 15 00 00 12-00 00 09 07 00 c0 05 00
................. |
| 0020: 80 03 00 80 01 00 80 08-00 80 06 00 40 00 00 14
.............@... |
| 0030: 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02
................. |
| 0040: 00 80 6d a5 18 58 b9 cd-c8 bd 02 1d 7e 20 20 6c ..m..X......~
l |
| 0050: 46 2d ec 6b 71 ad 31 5a-fe f6 d9 19 8f ba 84 f3
F-.kq.1Z........ |
| 0060: 8b 9c ..
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:50 13532] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[20/Jun/2002 11:05:50 13532] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[20/Jun/2002 11:05:50 13532] [trace] OpenSSL: Loop: SSLv3 write
certificate A
[20/Jun/2002 11:05:50 13532] [trace] handing out temporary 1024 bit DH
key
[20/Jun/2002 11:05:51 13532] [trace] OpenSSL: Loop: SSLv3 write key
exchange A
[20/Jun/2002 11:05:51 13532] [trace] OpenSSL: Loop: SSLv3 write
certificate request A
[20/Jun/2002 11:05:51 13532] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 5/5 bytes from
BIO#3017F2A8 [mem: 301C7EF8] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 00 07 .....
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 7/7 bytes from
BIO#3017F2A8 [mem: 301C7EFD] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 0b 00 00 03 ....
|
| 0007 -
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [trace] OpenSSL: Loop: SSLv3 read client
certificate A
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 5/5 bytes from
BIO#3017F2A8 [mem: 301C7EF8] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 00 86 .....
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 134/134 bytes from
BIO#3017F2A8 [mem: 301C7EFD] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 10 00 00 82 00 80 86 ab-42 68 68 eb 1d b1 7c 97
.........Bhh...|. |
| 0010: 3d 0d da 91 a4 3d 5f f6-c7 6f 07 a9 9b 41 98 c4
=....=_..o...A.. |
| 0020: 20 88 89 99 32 4c 52 92-e1 9c 35 1b 19 84 18 b2
....2LR...5..... |
| 0030: 7d ac b0 d2 08 05 51 16-bf 9d d8 d2 26 15 dc a3
}.....Q.....&... |
| 0040: a3 f8 ae fc fc 2b 9f 57-a2 6d f8 46 a3 08 4a 49
......+.W.m.F..JI |
| 0050: dd 8d cd b6 2f a3 49 13-8b 11 86 d0 49 10 05 b6
...../.I.....I... |
| 0060: 44 09 9f c0 1d 0d db 96-34 e2 f1 34 a3 e6 7a f5
D.......4..4..z. |
| 0070: 8e a7 31 60 62 0a 87 51-f4 87 a8 69 3c 2b 65 b8
...1`b..Q...i<+e. |
| 0080: 9f bc 6e 16 2d f7 ..n.-.
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [trace] OpenSSL: Loop: SSLv3 read client
key exchange A
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 5/5 bytes from
BIO#3017F2A8 [mem: 301C7EF8] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 14 03 01 00 01 .....
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 1/1 bytes from
BIO#3017F2A8 [mem: 301C7EFD] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 01 .
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 5/5 bytes from
BIO#3017F2A8 [mem: 301C7EF8] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: 16 03 01 00 28 ....(
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [debug] OpenSSL: read 40/40 bytes from
BIO#3017F2A8 [mem: 301C7EFD] (BIO dump follows)
+----------------------------------------------------------- ------------
--+
| 0000: db 7a 62 c2 e4 f9 08 b7-de 2a a7 c9 65 16 f0 97
..zb......*..e... |
| 0010: 66 9f 32 fc 10 ea 0d 02-49 9f 26 12 fe 2c 83 d1
f.2.....I.&..,.. |
| 0020: ef 66 40 32 5f cd d5 61- .f@2_..a
|
+----------------------------------------------------------- ------------
--+
[20/Jun/2002 11:05:52 13532] [trace] OpenSSL: Write: SSLv3 read
certificate verify A
[20/Jun/2002 11:05:52 13532] [trace] OpenSSL: Exit: error in SSLv3 read
certificate verify A
[20/Jun/2002 11:05:52 13532] [trace] OpenSSL: Exit: error in SSLv3 read
certificate verify A
[20/Jun/2002 11:05:52 13532] [error] SSL handshake failed (server
www.tst.creditagricol.fr:443, client 10.117.5.4) (OpenSSL library error
follows)
[20/Jun/2002 11:05:52 13532] [error] OpenSSL: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
############################################################ ############
########################
Thanks in advance for your help.
Regards,
Pierre HURET
Mail: pierre.huret@ca-sctbrunoy.fr
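
How the first bytes of each BIO dump decode, as an added example (not part of the original post and not mod_ssl code): it parses dump rows and reads the SSLv3/TLS record header, the SSLv2-format hello header and the handshake message header. The sample rows are copied from the three traces above with their wrapped lines rejoined; the function names are this example's own.

```python
import re

# One dump row as it appears in the traces above, e.g.
#   | 0000: 16 03 00 00 61 01 00 00-5d 03 ....a...]. |
# Hex bytes are separated by a space, or by '-' after the 8th byte.
# Rows such as "| 000b - <SPACES/NULS>" carry no bytes and are skipped.
ROW = re.compile(r"^\|\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}[ -]){1,16})", re.I)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}


def parse_bio_dump(text):
    """Return the bytes listed in the hex column of a BIO dump."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out += bytes.fromhex("".join(re.findall(r"[0-9a-f]{2}", m.group(1), re.I)))
    return bytes(out)


def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown (%d.%d)" % (major, minor))


def describe_record(data):
    """Decode the record header at the start of a read from the client."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of record header")
    if data[0] & 0x80:
        # SSLv2 framing: 2-byte header with a 15-bit length, then the message.
        info = {"format": "SSLv2 record",
                "length": ((data[0] & 0x7F) << 8) | data[1]}
        if data[2] == 1:  # SSLv2 CLIENT-HELLO
            info["message"] = "client_hello"
            info["offered_version"] = version_name(data[3], data[4])
            if len(data) >= 7:
                n = int.from_bytes(data[5:7], "big")
                info["cipher_spec_bytes"] = n
                info["cipher_specs"] = n // 3  # 3 bytes per SSLv2 cipher spec
        return info
    if data[0] not in CONTENT_TYPES:
        raise ValueError("not an SSL/TLS record header: 0x%02x" % data[0])
    info = {"format": "SSLv3/TLS record",
            "content_type": CONTENT_TYPES[data[0]],
            "version": version_name(data[1], data[2]),
            "length": int.from_bytes(data[3:5], "big")}
    # Only meaningful before ChangeCipherSpec; later payloads are encrypted.
    if info["content_type"] == "handshake" and len(data) > 5:
        info["handshake"] = HANDSHAKE_TYPES.get(data[5], "unknown/encrypted")
    return info


def describe_handshake(payload):
    """Decode a cleartext handshake message header: (type, body length)."""
    if len(payload) < 4:
        raise ValueError("need 4 bytes of handshake header")
    name = HANDSHAKE_TYPES.get(payload[0], "unknown/encrypted")
    return name, int.from_bytes(payload[1:4], "big")


# Rows taken from the traces above (wrapped lines rejoined).
IE_ROW = "| 0000: 16 03 00 00 61 01 00 00-5d 03 ....a...]. |"
JAVA_ROW = "| 0000: 16 03 01 00 5d 01 00 00-59 03 01 ....]...Y.. |"
CGI_ROW = "| 0000: 80 6b 01 03 01 00 42 .k....B |\n| 000b - <SPACES/NULS>"
CGI_CERT_ROW = "| 0000: 0b 00 00 03 .... |\n| 0007 - <SPACES/NULS>"

if __name__ == "__main__":
    for label, row in (("IE 6", IE_ROW), ("Java", JAVA_ROW), ("CGI", CGI_ROW)):
        print(label, describe_record(parse_bio_dump(row)))
    # The CGI client's reply to the certificate request: a Certificate
    # message whose body is 3 bytes, which is exactly the size of the
    # certificate-list length field and leaves no room for a certificate.
    print("CGI", describe_handshake(parse_bio_dump(CGI_CERT_ROW)))
```

The 5-byte reads in the traces are record headers on their own, so `describe_record` on them gives the content type, version and payload length of the read that follows.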
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org