Mac IE 5 ssl errors
on 26.03.2004 18:14:43 by Randall Perry
Just noticed that Mac IE 5 is having problems with ssl connections to my
apache 1.3.29 server. I either get the 'Security failure. Data decryption
error,' or it'll connect but graphics won't load on https pages, and I get
this error in httpd error.log:
[Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by
system [Hint: Stop button pressed in browser?!] (System error follows)
[Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno:
54)
Found these changes to httpd.conf on searching the list, and implemented
them, but to no avail. Anyone got a solution?
>
> I just solved it. Do not use an SSLProtocol line. Comment out the
> SetEnvIf line that does nokeepalive for MSIE. Use the following
> instead.
>
> BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
>
> I'm also using this cipher suite line, but the default might work, too:
>
> SSLCipherSuite
> !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:
> +LOW:+SSLv2:+EXP:+eNULL
--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
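
Added example, not part of the original post and not mod_ssl code: a small audit of the SSLCipherSuite value quoted above, showing that a "+" prefix only reorders suites, so the weak classes pulled in by ALL stay enabled. The class table, the function names and the STRICTER comparison string are constructed for illustration, and ALL is assumed to include eNULL (that depends on the OpenSSL version).

```python
import re

# Weak classes named in the quoted SSLCipherSuite line.
WEAK = {
    "LOW": "low-strength ciphers such as single DES",
    "EXP": "export-grade ciphers",
    "eNULL": "suites with no encryption",
    "SSLv2": "SSLv2 suites",
    "ADH": "anonymous DH, no server authentication",
}

def audit_cipher_string(spec):
    """Map each weak class to 'enabled', 'removed' or 'absent'."""
    state = {name: "absent" for name in WEAK}
    killed = set()  # classes hit by '!' can never be re-added
    # OpenSSL separates tokens with ':', ',' or whitespace.
    for token in filter(None, re.split(r"[:,\s]+", spec)):
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if op == "+":
            continue  # '+' only moves suites to the end of the list
        if op in ("!", "-"):
            if name in WEAK:
                state[name] = "removed"
                if op == "!":
                    killed.add(name)
        elif name == "ALL":
            # Assumption: ALL is treated as including every weak class,
            # eNULL too (whether it does depends on the OpenSSL version).
            for weak in WEAK:
                if weak not in killed:
                    state[weak] = "enabled"
        elif name in WEAK and name not in killed:
            state[name] = "enabled"
    return state

def enabled_weak(spec):
    """Sorted list of weak classes the cipher string leaves enabled."""
    return sorted(n for n, s in audit_cipher_string(spec).items() if s == "enabled")

# The line quoted in the post, with the mail wrapping joined.
POSTED = ("!EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:"
          "+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL")
# Constructed comparison value, not from the thread.
STRICTER = "HIGH:MEDIUM:!ADH:!LOW:!EXP:!eNULL:!SSLv2"

if __name__ == "__main__":
    for label, spec in (("posted", POSTED), ("stricter", STRICTER)):
        print(label, enabled_weak(spec))
```

The model tracks class names only; `openssl ciphers -v` with the same string lists the exact suites the installed OpenSSL would offer.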
Re: Mac IE 5 ssl errors
on 26.03.2004 18:23:54 by Peter Burkholder
What's the underlying OS?
SSL Session caching just doesn't seem to work on older Linuxes is what I've
discovered, and falling back to SSL2 is one thing.
Another is the Mac IE is very picky and may crap out if a page includes
non-SSL content.
P.
On Fri, Mar 26, 2004 at 12:14:43PM -0500, Randall Perry wrote:
>
> Just noticed that Mac IE 5 is having problems with ssl connections to my
> apache 1.3.29 server. I either get the 'Security failure. Data decryption
> error,' or it'll connect but graphics won't load on https pages, and I get
> this error in httpd error.log:
>
> [Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by
> system [Hint: Stop button pressed in browser?!] (System error follows)
> [Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno:
> 54)
>
> Found these changes to httpd.conf on searching the list, and implemented
> them, but to no avail. Anyone got a solution?
>
> >
> > I just solved it. Do not use an SSLProtocol line. Comment out the
> > SetEnvIf line that does nokeepalive for MSIE. Use the following
> > instead.
> >
> > BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
> > downgrade-1.0 force-response-1.0
> > BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
> >
> > I'm also using this cipher suite line, but the default might work, too:
> >
> > SSLCipherSuite
> > !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:
> > +LOW:+SSLv2:+EXP:+eNULL
>
> --
> Randall Perry
> sysTame
>
> Xserve Web Hosting/Co-location
> Website Development/Promotion
> Mac Consulting/Sales
>
> http://www.systame.com/
-------------------------------------------+-----------------------------+
|Peter Burkholder, System Administrator | |
|Digital Library for Earth System Education| Email) peterb@ucar.edu |
|DLESE® -- http://www.dlese.org | Office) +1-303-497-2663 |
|DLESE Program Center (DPC) | Fax) +1 303-497-8336 |
|UCAR/DPC, P.O. Box 3000 | Pager) +1-303-201-1284 |
|Boulder, CO 80307-3000 | or peterb-page@dpc.ucar.edu |
| |
| ~~~ ~~ ~~~ __o |
| ~~~ ~~~ ~~ _`\<,_ |
| ~~~ ~~~ ~~~~ (*)/ (*) |
Re: Mac IE 5 ssl errors
on 26.03.2004 18:33:13 by James Hastings-Trew
>> Just noticed that Mac IE 5 is having problems with ssl connections to my
>> apache 1.3.29 server. I either get the 'Security failure. Data decryption
>> error,' or it'll connect but graphics won't load on https pages, and I get
>> this error in httpd error.log:
>>
>> [Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by
>> system [Hint: Stop button pressed in browser?!] (System error follows)
>> [Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno:
>> 54)
>
> What's the underlying OS?
>
> SSL Session caching just doesn't seem to work on older Linuxes is what I've
> discovered, and falling back to SSL2 is one thing.
>
> Another is the Mac IE is very picky and may crap out if a page includes
> non-SSL content.
I dunno, it sounds exactly like the errors I got with my RH7 server till I
put a session cache in:
SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300
Just before the final tag in httpd.conf
Re: Mac IE 5 ssl errors
on 27.03.2004 16:27:48 by Randall Perry
on 3/26/04 12:23 PM, Peter Burkholder at peterb@ucar.edu wrote:
> What's the underlying OS?
Mac OS X Server 10.3.2
>
> SSL Session caching just doesn't seem to work on older Linuxes is what I've
> discovered, and falling back to SSL2 is one thing.
>
> Another is the Mac IE is very picky and may crap out if a page includes
> non-SSL content.
This must be a server-side config issue as I don't have problems connecting
to most secure sites running apache with Mac IE.
--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/
Re: Mac IE 5 ssl errors
on 27.03.2004 16:28:16 by Randall Perry
..
>
> I dunno, it sounds exactly like the errors I got with my RH7 server till I
> put a session cache in:
>
> SSLSessionCache dbm:/var/cache/httpd/ssl_cache
> SSLSessionCacheTimeout 300
>
> Just before the final tag in httpd.conf
Got that in my config also.
--
Randall Perry
sysTame
Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales
http://www.systame.com/
Apache 2.0 + SSL + FreeBSD 5.1
on 27.03.2004 23:10:15 by cfaber
Has anyone been able to successfully build Apache 2.0.48 --with-ssl and --enable-ssl?
It seems the stock SSL library with FreeBSD 5.1-RELEASE-p16 isn't up to snuff. Below is the section of the config.log related to mod_ssl.
configure:9764: checking whether to enable mod_ssl
configure:9800: result: checking dependencies
configure:9805: checking for SSL/TLS toolkit base
configure:9856: result: /usr
configure:9859: checking for SSL/TLS toolkit version
configure:9861: result: OpenSSL 0.9.7a-p1 Feb 19 2003
configure:9879: checking for SSL/TLS toolkit includes
configure:9897: result: /usr/include
configure:9900: checking for SSL/TLS toolkit libraries
configure:9915: result: /usr/lib
configure:10036: checking for SSL_set_state
configure:10073: gcc -o conftest -g -O2 -D_REENTRANT -D_THREAD_SAFE -L/usr/local/lib conftest.c -lssl -lcrypto >&5
/var/tmp//ccZ69MDl.o: In function `main':
/usr/local/src.local/httpd/httpd-2.0.48/configure:10063: undefined reference to `SSL_set_state'
configure:10076: $? = 1
configure: failed program was:
#line 10041 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char SSL_set_state (); below. */
#include
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char SSL_set_state ();
char (*f) ();
int
main ()
{
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
#if defined (__stub_SSL_set_state) || defined (__stub___SSL_set_state)
choke me
#else
f = SSL_set_state;
#endif
;
return 0;
}
configure:10092: result: no
configure:10106: checking for SSL_set_cert_store
configure:10143: gcc -o conftest -g -O2 -D_REENTRANT -D_THREAD_SAFE -L/usr/local/lib conftest.c -lssl -lcrypto >&5
/var/tmp//ccgL31OW.o: In function `main':
/usr/local/src.local/httpd/httpd-2.0.48/configure:10133: undefined reference to `SSL_set_cert_store'
configure:10146: $? = 1
configure: failed program was:
#line 10111 "configure"
#include "confdefs.h"
/* System header to define __stub macros and hopefully few prototypes,
which can conflict with char SSL_set_cert_store (); below. */
#include
/* Override any gcc2 internal prototype to avoid an error. */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char SSL_set_cert_store ();
char (*f) ();
int
main ()
{
/* The GNU C library defines this for functions which it implements
to always fail with ENOSYS. Some functions are actually named
something starting with __ and the normal name is an alias. */
#if defined (__stub_SSL_set_cert_store) || defined (__stub___SSL_set_cert_store)
choke me
#else
f = SSL_set_cert_store;
#endif
;
return 0;
}
configure:10162: result: no
--
Colin Faber
FPSN.Net Development staff
email: cfaber@fpsn.net