Netscape ask always certificat

on 29.10.2003 17:15:13 by Xavier Jeannin

Hello

I have looked for information in the archive about my problem. I did not find
an answer to my problem; sorry in advance for asking a question about a very
well-known problem.

I have developed a Web application that uses X509 certificates. Netscape
asks for the certificate each time (at every page). As my users have several
certificates, they do not use the option "Select Automatically" in
Netscape; I have to tell my users to use this option now and create a
Netscape profile for every certificate.

First, I have compiled Apache with MM and use:
SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
SSLSessionCacheTimeout 1800
but it does not work.

Does anyone have a better idea?
Thanks in advance
--xj

-- 
_______________________________________________________________________________________________
Xavier Jeannin
UREC/CNRS Université P. & M. Curie, Courrier : case 171, 4 place Jussieu 75252 PARIS CEDEX 05
Tél : 01 44 27 42 59 - Fax : 01 44 27 42 61 - Courriel : jeannin@urec.cnrs.fr


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Netscape ask always certificat

on 29.10.2003 18:07:42 by Mads Toftum

On Wed, Oct 29, 2003 at 05:15:13PM +0100, xavier jeannin wrote:
> I have developed a Web application that uses X509 certificates. Netscape
> asks for the certificate each time (at every page). As my users have several
> certificates, they do not use the option "Select Automatically" in
> Netscape; I have to tell my users to use this option now and create a
> Netscape profile for every certificate.
>
> First, I have compiled Apache with MM and use:
> SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> SSLSessionCacheTimeout 1800
> but it does not work.
>
"but it does not work" - how should that be understood? that SSLSessionCache
does not work, or that the users are still being asked for the certificate?
The simplest way to test sessions away from the browser is to use openssl
s_client with the -reconnect option - that should tell you whether session
caching is in effect or not.
Usually when sessions are enabled in apache, but the browser keeps asking for
the cert, then it is a setting in the browser - I seem to recall that
Netscape had an option to ask for the password on every use.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"

Re: Netscape ask always certificat

on 29.10.2003 19:54:58 by Matt Stevenson

Hi,

Try using the status module

ExtendedStatus On
<Location /server-status>
SetHandler server-status
</Location>

That gives some info about ssl sessions near the
bottom. Currently I'm using client certs and firebird
with ask every time set. This results in a prompt
every 300 seconds as the session times out. Which
version of netscape?

Regards
Matt


Re: Netscape ask always certificat

on 30.10.2003 09:24:04 by Xavier Jeannin

Hi

Thanks Mads for your answer:
I should have written "Netscape still asks for the cert at each page" instead of "it does not work".
I made the test you suggested; here is the result:

root@engine jeannin]# openssl s_client -host intranet.stic.cnrs.fr -port 443 -cert /usr/local/apache/conf/ssl.crt/intranet.stic.cns.fr.crt -key /usr/local/apache/conf/ssl.key/intranet.stic.cnrs.fr.key -CAfile /usr/local/apache/conf/ssl.crt/ca-bundle.crt -reconect -ssl3
CONNECTED(00000003)
depth=2 /C=FR/O=CNRS/CN=CNRS
verify return:1
depth=1 /C=FR/O=CNRS/CN=CNRS-Standard
verify return:1
depth=0 /C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin@urec.cnrs.fr
verify return:1
24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1031:SSL alert number 43
24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:

I am sorry but I do not understand the response. I am sure that my cert
is valid, my private key too, and my CA file too.
Do you know where I can read documentation that explains the error
message? Perhaps it is a bad use of the openssl client.
thank you
--xj


Re: Netscape ask always certificat

on 30.10.2003 09:44:47 by Mads Toftum

On Thu, Oct 30, 2003 at 09:24:04AM +0100, xavier jeannin wrote:
> 24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unsupported certificate:s3_pkt.c:1031:SSL alert number 43
> 24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:514:
>
> I am sorry but I do not understand the response. I am sure that my cert
> is valid, my private key too, and my cafile too.
> Do you know where I can read documentation that explains the error
> message? Perhaps it is a bad use of the openssl client.

openssl s_client expects the certificate and key to be in PEM format -

openssl x509 -in cert.crt -inform DER -out cert.pem -outform PEM

vh

Mads Toftum

Re: Netscape ask always certificat

on 30.10.2003 11:40:52 by Xavier Jeannin

OK, sorry, I corrected my mistake, so now I can connect with the SSL client and
get my HTML page.
Thank you, it is a powerful tool to debug (redirects, etc.)

I am sending you the response I get; I am not capable of analysing the SSL
sequence.
Is it a normal sequence?
Seeing this, can we deduce that the session cache works fine?
In this example, I have only asked for one page; I have not browsed into
my site, so can we deduce anything from this example?
Is it possible to browse a site with ssl_client (to see cookie and
session problems)?

thank you
--xj

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin@urec.cnrs.fr
   i:/C=FR/O=CNRS/CN=CNRS-Standard
 1 s:/C=FR/O=CNRS/CN=CNRS-Standard
   i:/C=FR/O=CNRS/CN=CNRS
 2 s:/C=FR/O=CNRS/CN=CNRS
   i:/C=FR/O=CNRS/CN=CNRS
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEfzCCA2egAwIBAgICAvUwDQYJKoZIhvcNAQEEBQAwNDELMAkGA1UEBhMC RlIx
DTALBgNVBAoTBENOUlMxFjAUBgNVBAMTDUNOUlMtU3RhbmRhcmQwHhcNMDIw NjI0
MDcwODIyWhcNMDQwNjI0MDcwODIyWjB5MQswCQYDVQQGEwJGUjENMAsGA1UE ChME
-- zip --
p1vfh+sI/gmyoV5Fpx3cQ1ZhS6PsFxHmhe6bnQSbyOJjVmtvR7qx7iAZuo3+ NE8o
bNsDnc7NQrDxOts5mYQugiPpNwW+CS7Yj8uuXFPkF/G4pBPBRooiwoJ6o5X6 CZi5
uYKp
-----END CERTIFICATE-----
subject=/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin@urec.cnrs.fr
issuer=/C=FR/O=CNRS/CN=CNRS-Standard
---
Acceptable client certificate CA names
/C=FR/O=CNRS/CN=SSI
/C=FR/O=CNRS/CN=CNRS
/C=FR/O=CNRS/CN=Datagrid-fr
/C=FR/O=CNRS/CN=CNRS-Projets
/C=FR/O=CNRS/CN=CNRS-Standard
/Email=ca-administrateur@urec.cnrs.fr/CN=CNRS-Test/OU=UREC/O=CNRS/C=FR
/C=FR/O=CNRS/CN=CNRS-Plus
---
SSL handshake has read 3873 bytes and written 3551 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 279FCDC4C400A75AE70E85755781EAA6F39429D8FC22AE69B6F95D982020F5DFAD6DF5B552DF21FE7DB23CC7FC09EE1A
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: C04F385EFFBC7FE29AB3503C3A55F264D5EB42D33F5AD15D988E7E030E3E2D0A61BBF9540CD2CDFEF139A23F23656E42
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 0FBF55C5A75525AC4DE0A508D984DAAFD046C38C251744F4546358747FFD7527BD88A6F5B5B2258DD8D99BD4F04D6227
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 1FA07645E42886ED343D5C7B7BA722675B35E298AC48791D981784FFE2F640914D7BDBE0ADD184DEE104C4BDDC251494
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 72B0D603F01C3416E2B39C650E7359B1123E959F49D54EB4654A9F26CF666089DDB071D305CF267FDB95E6B3210DD9B3
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

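<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Bienvenue sur l'Intranet du département STIC du CNRS</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1170" name=GENERATOR>
<link rel="stylesheet" href="../style/main.css" type="text/css">
</HEAD>
<BODY bgColor=#ffffff leftMargin=0 topMargin=0 MARGINHEIGHT="0" MARGINWIDTH="0">
My HTML page
</BODY></HTML>closed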




Re: Netscape ask always certificat

on 30.10.2003 12:44:10 by Mads Toftum

On Thu, Oct 30, 2003 at 11:40:52AM +0100, xavier jeannin wrote:
[SNIP]

> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478 124CC43B290C4D164F858FBC2F44103F8C2A
> Key-Arg : None
> Start Time: 1067509174
> Timeout : 300 (sec)
> Verify return code: 0 (ok)

Session caching seems to be off on the server side - when I use reconnect, I get

Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
Session-ID-ctx:
Master-Key: 6D9E61B97ADE120B056E79A09B3489D23D7D2A74FE2D82E067CBEF50296B76B5E6034ECDB32B4B062788BA9D9832DD3B


vh

Mads Toftum
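
The check discussed in this thread, as an added example that is not part of any post: a small shell filter that reads `openssl s_client -reconnect` output and reports whether any reconnect resumed the session. It relies on s_client printing `Reused,` in place of `New,` for a resumed handshake; the function names are hypothetical and both sample outputs are constructed (the first is shaped like the output posted above, the session ID in the second is made up).

```shell
#!/bin/sh
# Added example: classify the handshakes in `openssl s_client -reconnect` output.
# Function names and sample data are constructed for illustration.

# Count full ("New,") and resumed ("Reused,") handshakes, plus SSL-Session
# blocks whose Session-ID field is empty. Reads s_client output on stdin.
summarize_reconnect() {
    awk '
        $1 == "New,"                   { new++ }
        $1 == "Reused,"                { reused++ }
        $1 == "Session-ID:" && NF == 1 { empty++ }
        END { printf "new=%d reused=%d empty_ids=%d\n", new, reused, empty }
    '
}

# Turn the counts into a verdict:
#   resumed      - at least one reconnect reused the session
#   not-resumed  - several connections, every one a full handshake
#   inconclusive - fewer than two handshakes seen (no reconnect in the input)
session_cache_verdict() {
    summary=$(summarize_reconnect)
    new=${summary#new=};        new=${new%% *}
    reused=${summary#*reused=}; reused=${reused%% *}
    if [ "$reused" -gt 0 ]; then
        echo resumed
    elif [ "$new" -gt 1 ]; then
        echo not-resumed
    else
        echo inconclusive
    fi
}

# Constructed sample: every reconnect is "New," and the Session-ID is empty,
# the pattern seen when the server keeps no session cache.
sample_no_cache() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
EOF
}

# Constructed sample: the reconnect is "Reused," and carries the same
# (made-up) Session-ID as the first handshake.
sample_with_cache() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Session-ID: 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
    Session-ID-ctx:
EOF
}

# Live use (host is a placeholder):
#   openssl s_client -connect www.example.org:443 -reconnect </dev/null 2>/dev/null | session_cache_verdict
sample_no_cache   | session_cache_verdict
sample_with_cache | session_cache_verdict
```

A `not-resumed` verdict only shows that the server handed out no resumable session; a browser that still prompts after a `resumed` verdict points at the client-side setting mentioned earlier in the thread.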