Need SSL debug help
on 11.03.2003 13:01:27 by Aaron Stromas
Hello,
I need help interpreting mod_ssl log below. Does "error in SSLv3 read client
hello B" mean that the client sent something invalid? What happens is that
the client (browser) connects to the server using server authenticated SSL,
downloads an applet that logs into PKI and opens a mutually authenticated
SSL connection to a servlet. I really need help with this one. Thanks.
-a
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Handshake: start
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: before/accept
initialization
[11/Mar/2003 07:39:41 00544] [trace] Inter-Process Session Cache (DBM)
Expiry: old: 2, new: 2, removed: 0
[11/Mar/2003 07:39:41 00544] [trace] Inter-Process Session Cache:
request=GET status=FOUND
id=4D94A143C716A1719F474DE73312788D67C17DC2169FC073A2E83751E5C87721 (session
reuse)
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 read client hello A
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 write change
cipher spec A
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 write finished A
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 flush data
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Loop: SSLv3 read finished A
[11/Mar/2003 07:39:41 00544] [trace] OpenSSL: Handshake: done
[11/Mar/2003 07:39:41 00544] [info] Connection: Client IP: 164.95.119.43,
Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
[11/Mar/2003 07:39:42 00544] [info] Initial (No.1) HTTPS request received
for child 2 (server www-sps.sps.fms.treas.gov:443)
[11/Mar/2003 07:39:42 00544] [trace] Changed client verification type will
force renegotiation
[11/Mar/2003 07:39:42 00544] [info] Requesting connection re-negotiation
[11/Mar/2003 07:39:42 00544] [trace] Performing full renegotiation: complete
handshake protocol
[11/Mar/2003 07:39:50 00544] [trace] I/O: sucked 4708 bytes of input data
from SSL/TLS I/O layer for delayed injection into Apache I/O layer
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Handshake: start
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Loop: SSL renegotiate ciphers
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Loop: SSLv3 write hello
request A
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Loop: SSLv3 flush data
[11/Mar/2003 07:39:50 00544] [info] Awaiting re-negotiation handshake
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Handshake: start
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Loop: before accept
initialization
[11/Mar/2003 07:39:50 00544] [trace] Inter-Process Session Cache:
request=REM status=OK
id=4D94A143C716A1719F474DE73312788D67C17DC2169FC073A2E83751E5C87721 (session
dead)
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Write: SSLv3 read client
hello B
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Exit: error in SSLv3 read
client hello B
[11/Mar/2003 07:39:50 00544] [error] Re-negotiation handshake failed: Not
accepted by client!?
[11/Mar/2003 07:39:50 00544] [trace] I/O: injecting 4708 bytes of pre-sucked
data into Apache I/O layer
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Write: SSLv3 read client
hello B
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Exit: error in SSLv3 read
client hello B
[11/Mar/2003 07:39:50 00544] [error] SSL error on writing data (OpenSSL
library error follows)
[11/Mar/2003 07:39:50 00544] [error] OpenSSL: error:140940F5:SSL
routines:SSL3_READ_BYTES:unexpected record
[11/Mar/2003 07:39:50 00544] [info] Connection to child 2 closed with
standard shutdown (server www-sps.sps.fms.treas.gov:443, client
164.95.119.43)
[11/Mar/2003 07:39:53 00545] [trace] OpenSSL: Write: SSL negotiation
finished successfully
[11/Mar/2003 07:39:53 00545] [info] Connection to child 3 closed with
standard shutdown (server www-sps.sps.fms.treas.gov:443, client
164.95.119.43)
[11/Mar/2003 07:42:47 00747] [trace] OpenSSL: Exit: error in SSLv2/v3 read
client hello A
[11/Mar/2003 07:42:47 00747] [error] SSL handshake timed out (client
164.95.119.43, server www-sps.sps.fms.treas.gov:443)
--
Aaron Stromas | "Tik-tik-tik!!!... ja, Pantani is weg..."
ams@izoard.com | BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
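
A log like the one in this post is easier to read once the mail-wrapped entries are rejoined and grouped by process id. The following is an added example, not part of the original message or of mod_ssl: it splits wrapped text on the `[date time pid] [level]` header seen above and collects the `[error]` entries that follow each "Requesting connection re-negotiation" in the same process. The function names and the grouping rule are assumptions made for illustration; the sample is an excerpt of the log above.

```python
import re

# Entry header used by the mod_ssl log above: [date time pid] [level]
ENTRY = re.compile(r"\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] ")

# Excerpt of the log in the post, wrapped and run together as archived mail leaves it.
SAMPLE = """\
[11/Mar/2003 07:39:42 00544] [info] Requesting connection re-negotiation
[11/Mar/2003 07:39:50 00544] [info] Awaiting re-negotiation handshake
[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Write: SSLv3 read client
hello B[11/Mar/2003 07:39:50 00544] [trace] OpenSSL: Exit: error in SSLv3 read
client hello B
[11/Mar/2003 07:39:50 00544] [error] Re-negotiation handshake failed: Not
accepted by client!?
[11/Mar/2003 07:39:50 00544] [error] OpenSSL: error:140940F5:SSL
routines:SSL3_READ_BYTES:unexpected record
[11/Mar/2003 07:39:53 00545] [trace] OpenSSL: Write: SSL negotiation
finished successfully
"""

def parse_entries(raw):
    """Return (timestamp, pid, level, message) tuples from wrapped or fused text."""
    text = " ".join(raw.split())  # undo line wrapping; headers mark entry starts
    heads = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append((m.group(1), m.group(2), m.group(3), text[m.end():end].strip()))
    return entries

def renegotiations(entries):
    """Pair each requested renegotiation with later errors from the same pid."""
    open_by_pid, result = {}, []
    for ts, pid, level, msg in entries:
        if msg.startswith("Requesting connection re-negotiation"):
            open_by_pid[pid] = {"pid": pid, "requested": ts, "errors": []}
            result.append(open_by_pid[pid])
        elif level == "error" and pid in open_by_pid:
            open_by_pid[pid]["errors"].append(msg)
        elif msg.startswith("Connection to child"):
            open_by_pid.pop(pid, None)  # connection closed; stop attributing errors
    return result

if __name__ == "__main__":
    for r in renegotiations(parse_entries(SAMPLE)):
        print(r["pid"], r["requested"], r["errors"])
```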