Encrypted page would not load into IE

on 06.10.2006 16:51:05 by BB

Hello,

I am running Apache 1.3.37 and openssl 0.9.8b from Slackware-current
packages. I set up a https virtual host that listens on the default
address.

My problem is that the encrypted pages don't load in IE 6. They are
working just fine in Firefox.

There are no errors in the logs:
[06/Oct/2006 17:29:39 03090] [info] Connection to child 1 established (server xxxxxxxxxxxxxxxxx:443, client xxxxxxxxxxxxx)
[06/Oct/2006 17:29:39 03090] [info] Seeding PRNG with 1160 bytes of entropy
[06/Oct/2006 17:29:39 03090] [info] Connection: Client IP: xxxxxxxxxxx, Protocol: SSLv3, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[06/Oct/2006 17:29:39 03090] [info] Initial (No.1) HTTPS request received for child 1 (server xxxxxxxxxxxxxxxxx:443)
[06/Oct/2006 17:29:56 03090] [info] Connection to child 1 closed with standard shutdown (server xxxxxxxxxxxx:443, client xxxxxxxxxxxxxxx)

I played around with the ciphers in mod_ssl.conf, allowing only 128-bit
ones (as IE is not 256-bit capable), but the result is the same.

I allowed all protocols, but no success.

Please tell me where I should look further.

Can this be a certificate problem? Should I re-generate the server's
certificates? If yes, with which parameters?

Thank you in advance,
BBR



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Encrypted page would not load into IE

on 06.10.2006 16:51:49 by Michael Pacey

BB said:
> Hello,
>
> I am running Apache 1.3.37 and openssl 0.9.8b from Slackware-current
> packages. I set up a https virtual host that listens on the default
> address.
>
> My problem is that the encrypted pages don't load in IE 6. They are
> working just fine in Firefox.


I've never seen anything like this. Apologies if I'm insulting your
intelligence but have you checked you don't have some strange proxy
settings in IE that could be causing this? Have you tried doing a netstat
on the server (or client) to prove that you are in fact making a TCP
connection? If you're not, it's not an Apache or mod_ssl issue.

--
Michael Pacey


Re: Encrypted page would not load into IE

on 06.10.2006 17:18:02 by BB

I made the tests with IE from at least 4 different computers, located in
networks from 3 different ISP's.

Yes, the connection is done, because it shows up instantly with
tail -f /var/log/apache/ssl_engine_log



Re: Encrypted page would not load into IE

on 06.10.2006 18:11:55 by a k

If IE allows, you might change the protocol or cipher
used (the Apache config also allows you to adjust the order). Using
curl I noticed something funky (some of the time)
with ssl2 that did not appear with ssl3 (curl at
least does not capture the full data). Not sure if
this was a problem with curl, openssl or apache.

(If you have curl: curl -2 https://url will use ssl2
and curl -3 ... will use ssl3.)


RE: Encrypted page would not load into IE

on 06.10.2006 18:18:05 by Eriks.Richters

Which OS have you tried? Were they all XP? Windows 2000? ME? 98? 95?
Is there any chance that the computers that you tried have a special
build or some software installed that might be causing a problem? I've
seen similar problems be caused by a particular company's standard
desktop build.


Re: Encrypted page would not load into IE

on 06.10.2006 18:31:20 by Michael Pacey

BB said:
> I made the tests with IE from at least 4 different computers, located in
> networks from 3 different ISP's.
>
> Yes, the connection is done, because it shows up instantly with
> tail -f /var/log/apache/ssl_engine_log

Sounds weird. You could try installing an HTTP capture tool like IE Watch
and seeing if that gives any useful info.

--
Michael Pacey


RE: Encrypted page would not load into IE

on 07.10.2006 07:05:57 by BB

Sorry, forgot to mention. Yes, all are XP, different configurations, one
is company standard, but the others are just plain XP with updates, no
special builds, no special software.

> Which OS have you tried? Were they all XP? Windows 2000? ME? 98? 95?
> Is there any chance that the computers that you tried have a special
> build or some software installed that might be causing a problem? I've
> seen similar problems be caused by a particular company's standard
> desktop build.

Re: Encrypted page would not load into IE

on 07.10.2006 07:07:28 by BB

>> I made the tests with IE from at least 4 different computers, located in
>> networks from 3 different ISP's.
>>
>> Yes, the connection is done, because it shows up instantly with
>> tail -f /var/log/apache/ssl_engine_log
>
> Sounds weird. You could try installing an HTTP capture tool like IE Watch
> and seeing if that gives any useful info.

Thanks for the suggestion. I'll try and keep you posted!

Regards,
BBR


Re: Encrypted page would not load into IE

on 10.10.2006 11:43:48 by BB

Apparently, it's something wrong with the certificates, as IE Watch gets:

ERROR_INTERNET_SEC_INVALID_CERT

What could this be? Firefox works just fine with these certs. Additionally,
pop3s and imaps from Dovecot work fine with the same certs, even with MS
Outlook and Outlook Express clients.

It's a self-created CA, with self-signed certificates.

Any suggestions for what I should check further?

Thank you in advance!

BBR



Re: Encrypted page would not load into IE

on 10.10.2006 12:02:40 by BB

I also tried to install the certificate of the CA in the Trusted Root
Certification Authorities folder. It says Import Successful, but my CA
doesn't show up in the list.

Any hints?


Re: Encrypted page would not load into IE

on 10.10.2006 12:18:15 by BB

Sorry, my mistake. The CA shows up in the list, but I still get the same
error.


Re: Encrypted page would not load into IE

on 10.10.2006 12:40:28 by Michael Pacey

Hmmm, sorry I'm not an IE expert but it sounds like you are at least on
the right track. Maybe check on an IE list or forum?



--
Michael Pacey


RE: Encrypted page would not load into IE

on 10.10.2006 16:20:17 by Eriks.Richters

This definitely sounds like an IE problem. Check MSDN,
http://msdn.microsoft.com.
If you can't find anything there, then contact Microsoft Support.
Unfortunately, unless you're a large corporation, it's hard to get good
support from them.


Re: Encrypted page would not load into IE

on 12.10.2006 00:25:53 by Patrick Patterson

Hi Michael:

Are you able to post the certificate here? It sounds like the issue may be the
key usage, or an entry in some other field - I've seen results like this if
you don't have key agreement set, or some of the other fields mangled, or
particular security settings enabled in your certificate.

Patrick.



--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

Re: Encrypted page would not load into IE

on 13.10.2006 14:21:38 by BB

> Are you able to post the certificate here? It sounds like the issue may be
> the key usage, or an entry in some other field - I've seen results like this
> if you don't have key agreement set, or some of the other fields mangled, or
> particular security settings enabled in your certificate.

Hi,

Please find attached the CA cert and the server cert.

I can successfully import the CA cert into IE, under Trusted Root
Certification Authorities.

If I download the server cert and open it from Windows (XP), its
description says:

"This certification authority does not appear to be allowed to issue
certificates or cannot be used as an end-entity certificate."

Thank you,
BBR



Attachment: servercert.pem.txt

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RO, ST=Romania, O=ViitorPlus - Asociatia pentru Dezvoltare Durabila, OU=Mailserver, CN=mail.viitorplus.ro/emailAddress=postmaster@viitorplus.ro
Validity
Not Before: Oct 13 11:05:36 2006 GMT
Not After : Oct 13 11:05:36 2007 GMT
Subject: C=RO, ST=Romania, L=Bucuresti, O=ViitorPlus - Asociatia pentru Dezvoltare Durabila, OU=Mailserver, CN=mail.viitorplus.ro/emailAddress=postmaster@viitorplus.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
82:F6:EB:37:29:D0:01:77:69:9A:A6:D0:5B:96:1C:2B:11:56:BA:9B
X509v3 Authority Key Identifier:
keyid:B8:08:C2:8D:00:43:01:FD:1E:58:8C:6B:E2:4A:A2:93:EB:FC:50:0F

Signature Algorithm: sha1WithRSAEncryption

Attachment: cacert.pem.txt

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RO, ST=Romania, O=ViitorPlus - Asociatia pentru Dezvoltare Durabila, OU=Mailserver, CN=mail.viitorplus.ro/emailAddress=postmaster@viitorplus.ro
Validity
Not Before: Oct 13 11:04:32 2006 GMT
Not After : Oct 10 11:04:32 2016 GMT
Subject: C=RO, ST=Romania, O=ViitorPlus - Asociatia pentru Dezvoltare Durabila, OU=Mailserver, CN=mail.viitorplus.ro/emailAddress=postmaster@viitorplus.ro
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B8:08:C2:8D:00:43:01:FD:1E:58:8C:6B:E2:4A:A2:93:EB:FC:50:0F
X509v3 Authority Key Identifier:
keyid:B8:08:C2:8D:00:43:01:FD:1E:58:8C:6B:E2:4A:A2:93:EB:FC:50:0F

Signature Algorithm: sha1WithRSAEncryption



Re: Encrypted page would not load into IE

on 13.10.2006 14:46:57 by Patrick Patterson

On Friday 13 October 2006 08:21, BB wrote:
> > Are you able to post the certificate here? It sounds like the issue may be
> > the key usage, or an entry in some other field - I've seen results like
> > this if you don't have key agreement set, or some of the other fields
> > mangled, or particular security settings enabled in your certificate.
>
> Hi,
>
> Please find attached the CA cert and the server cert.
>
> I can successfully import the CA cert into IE, under Trusted Root
> Certification Authorities.
>
> If I download the server cert and open it from Windows (XP), its
> description says:
>
> "This certification authority does not appear to be allowed to issue
> certificates or cannot be used as an end-entity certificate."
>
And that would most likely be your problem - the CA Certificate should have
the following extensions:

Basic Constraints: CA:TRUE
Key Usage: DigitalSignature, CertificateSign, CrlSign

If you re-gen your CA Certificate with those usages, and then re-sign your
Server certificate (which itself, should have the Key Usage extension set to
digital Signature and key Encipherment), your issue should go away :)


--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
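
The extension layout described in the reply above, as an added shell example (not part of the thread, and not the CA.sh or ssl.ca scripts): it builds one CA marked `CA:FALSE`, like the self-signed certificate in the posted dump, and one with the recommended extensions, then checks each chain with `openssl verify`. Section names, subjects, file names and the RSA 2048 key size are assumptions made for the example.

```shell
# Added example: every name, subject and path below is constructed.
write_cfg() {  # $1 = path of the OpenSSL config to write
cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_good]
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyCertSign, cRLSign
[ca_bad]
basicConstraints = CA:FALSE
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
}

build_chain() {  # $1 = working dir, $2 = CA extension section (ca_good|ca_bad)
  d=$1
  mkdir -p "$d" && write_cfg "$d/x.cnf" || return 1
  # Self-signed CA certificate carrying the chosen extension section.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/x.cnf" \
    -extensions "$2" -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and CSR, then the CA signs the CSR with the [server] extensions.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=www.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/x.cnf" -extensions server \
    -out "$d/srv.crt" 2>/dev/null
}

chain_ok() {  # $1 = working dir; succeeds only if srv.crt verifies against ca.crt
  out=$(openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" 2>&1)
  # Judge by the text as well as the status: an "error" line means rejection.
  printf '%s\n' "$out" | grep -q '^error ' && return 1
  printf '%s\n' "$out" | grep -q ': OK$'
}

show_ext() {  # $1 = certificate; prints the Basic Constraints and Key Usage values
  openssl x509 -in "$1" -noout -text | grep -A1 -E 'Basic Constraints|Key Usage'
}

work=$(mktemp -d)
for ca in ca_bad ca_good; do
  build_chain "$work/$ca" "$ca" || { echo "openssl failed" >&2; exit 1; }
  if chain_ok "$work/$ca"; then echo "$ca: chain verifies"
  else echo "$ca: chain rejected"; fi
done
show_ext "$work/ca_good/ca.crt"
```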

Re: Encrypted page would not load into IE

on 13.10.2006 14:59:33 by Eckard Wille

Patrick Patterson wrote:
> If you re-gen your CA Certificate with those usages, and then re-sign your
> Server certificate (which itself, should have the Key Usage extension set to
> digital Signature and key Encipherment), your issue should go away :)

There is also a nice bundle of scripts from Yeak Nai Siew which
simplifies these steps a lot; especially for quick setups a nice
speedup: see http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

Greetings from Germany,
Eckard



Re: Encrypted page would not load into IE

on 13.10.2006 15:44:52 by BB

Thank you Michael, Patrick, Eckard!

Problem solved, case closed. ;-)

Apparently, the problem lies in the CA.sh (and CA.pl) script that ships by
default with OpenSSL, at least on Slackware, and which generated the
faulty certificates.

Yeak Nai Siew's scripts worked like a charm!

Thanks again!
BBR

> Patrick Patterson wrote:
>> If you re-gen your CA Certificate with those usages, and then re-sign your
>> Server certificate (which itself, should have the Key Usage extension set to
>> digital Signature and key Encipherment), your issue should go away :)
>
> There is also a nice bundle of scripts from Yeak Nai Siew which
> simplifies these steps a lot; especially for quick setups a nice
> speedup: see http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

