[nycphp-talk] Requirements for a Verisign Cert?

Corey Fogarty corey at bmfenterprises.com
Sat Sep 10 00:18:43 EDT 2005


I bought a Verisign Secure Site Pro cert for a client. It is not working
correctly...

I am running Apache 1.3.29 mod_ssl/2.8.16 OpenSSL/0.9.7c.

This is a Solaris 2.6 Ultra 5 with 64 MB of memory; that may be part of
the problem, I am not sure.

Here are just a few of the errors that are kicking back when we start the
server and try to hit a page... I have replaced the domain name; I am not
working on dummy.com.

> [Fri Sep  9 22:30:55 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:30:55 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:30:56 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:30:56 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:31:52 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:31:52 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:31:52 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:49:04 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 22:49:04 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:55:53 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:55:53 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:55:53 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:59:13 2005] [error] OpenSSL:
> error:140890C7:lib(20):func(137):reason(199)
> [Fri Sep  9 22:59:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
> [Fri Sep  9 22:59:13 2005] [error] OpenSSL:
> error:1408A10B:lib(20):func(138):reason(267)
> [Fri Sep  9 23:00:22 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 23:00:22 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 23:06:13 2005] [error] mod_ssl: SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [Fri Sep  9 23:06:13 2005] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [Fri Sep  9 23:42:34 2005] [error] mod_ssl: SSL handshake interrupted by
> system [Hint: Stop button pressed in browser?!] (System error follows)
> [Fri Sep  9 23:42:34 2005] [error] System: Connection reset by peer (errno:
> 131)
 
Here is a test I read out of the Professional Apache Security book by Wrox
Press...

> bash-2.02# openssl s_client -connect www.dummy.com:443
> CONNECTED(00000004)
> depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International
> Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
> VeriSign
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> 18006:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is
> not 01:rsa_pk1.c:100:
> 18006:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:rsa_eay.c:580:
> 18006:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
> signature:s3_clnt.c:1185:
> 
Here is an excerpt from the ssl_engine_log from startup.

> [09/Sep/2005 23:05:43 17594] [info]  Server: Apache/1.3.29, Interface:
> mod_ssl/2.8.16, Library: OpenSSL/0.9.7c
> [09/Sep/2005 23:05:43 17594] [info]  Init: 1st startup round (still not
> detached)
> [09/Sep/2005 23:05:43 17594] [info]  Init: Initializing OpenSSL library
> [09/Sep/2005 23:05:43 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server www.dummy.com:443
> [09/Sep/2005 23:05:43 17594] [info]  Init: Requesting pass phrase via builtin
> terminal dialog
> [09/Sep/2005 23:05:46 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server 255.255.255.21:443
> [09/Sep/2005 23:05:46 17594] [info]  Init: Loading certificate & private key
> of SSL-aware server 255.255.255.46:443
> [09/Sep/2005 23:05:46 17594] [info]  Init: Wiped out the queried pass phrases
> from memory
> [09/Sep/2005 23:05:46 17594] [info]  Init: Seeding PRNG with 136 bytes of
> entropy
> [09/Sep/2005 23:05:46 17594] [info]  Init: Generating temporary RSA private
> keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17594] [info]  Init: Configuring temporary DH parameters
> (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: 2nd startup round (already
> detached)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Reinitializing OpenSSL library
> [09/Sep/2005 23:05:49 17595] [info]  Init: Seeding PRNG with 136 bytes of
> entropy
> [09/Sep/2005 23:05:49 17595] [info]  Init: Configuring temporary RSA private
> keys (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Configuring temporary DH parameters
> (512/1024 bits)
> [09/Sep/2005 23:05:49 17595] [info]  Init: Initializing (virtual) servers for
> SSL
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> www.dummy.com:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [info]  Init: (www.dummy.com:443) RSA server
> certificate enables Server Gated Cryptography (SGC)
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> 255.255.255.21:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn]  Init: (255.255.255.21:443) RSA server
> certificate CommonName (CN) `www.dummy2.com' does NOT match server name!?
> [09/Sep/2005 23:05:50 17595] [info]  Init: Configuring server
> 255.255.255.46:443 for SSL protocol
> [09/Sep/2005 23:05:50 17595] [warn]  Init: (255.255.255.46:443) RSA server
> certificate CommonName (CN) `www.dummy3.com' does NOT match server name!?
> [09/Sep/2005 23:06:03 17596] [info]  Connection to child 0 established (server
> 255.255.255.46:443, client 255.255.255.46)
> [09/Sep/2005 23:06:03 17596] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:03 17596] [error] SSL handshake failed (server
> 255.255.255.46:443, client 255.255.255.46) (OpenSSL library error follows)
> [09/Sep/2005 23:06:03 17596] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:06:13 17597] [info]  Connection to child 1 established (server
> www.dummy.com:443, client 255.255.255.47)
> [09/Sep/2005 23:06:13 17597] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:06:13 17597] [error] SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [09/Sep/2005 23:06:13 17597] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
> [09/Sep/2005 23:41:49 17598] [info]  Connection to child 2 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:49 17598] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:50 17598] [info]  Initial (No.1) HTTPS request received for
> child 2 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:51 17599] [info]  Connection to child 3 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:51 17599] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:52 17600] [info]  Connection to child 4 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:41:52 17600] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:41:53 17600] [info]  Initial (No.1) HTTPS request received for
> child 4 (server 255.255.255.21:443)
> [09/Sep/2005 23:41:53 17599] [info]  Initial (No.1) HTTPS request received for
> child 3 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:08 17598] [info]  Connection to child 2 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:09 17600] [info]  Connection to child 4 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:10 17599] [info]  Connection to child 3 closed with
> standard shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info]  Connection to child 0 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:11 17596] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:20 17596] [info]  Initial (No.1) HTTPS request received for
> child 0 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:21 17605] [info]  Connection to child 5 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17605] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:21 17596] [info]  Connection to child 0 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info]  Connection to child 1 established (server
> 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:21 17597] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:22 17605] [info]  Initial (No.1) HTTPS request received for
> child 5 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17605] [info]  Connection to child 5 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:22 17597] [info]  Initial (No.1) HTTPS request received for
> child 1 (server 255.255.255.21:443)
> [09/Sep/2005 23:42:22 17597] [info]  Connection to child 1 closed with unclean
> shutdown (server 255.255.255.21:443, client 255.255.255.112)
> [09/Sep/2005 23:42:31 17901] [info]  Connection to child 6 established (server
> www.dummy.com:443, client 255.255.255.112)
> [09/Sep/2005 23:42:31 17901] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:42:34 17901] [error] SSL handshake interrupted by system
> [Hint: Stop button pressed in browser?!] (System error follows)
> [09/Sep/2005 23:42:34 17901] [error] System: Connection reset by peer (errno:
> 131)
> [09/Sep/2005 23:54:22 17902] [info]  Connection to child 7 established (server
> www.dummy.com:443, client 255.255.255.47)
> [09/Sep/2005 23:54:22 17902] [info]  Seeding PRNG with 1160 bytes of entropy
> [09/Sep/2005 23:54:23 17902] [error] SSL handshake failed (server
> www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
> [09/Sep/2005 23:54:23 17902] [error] OpenSSL:
> error:1409441B:lib(20):func(148):reason(1051)
>  
The funny part is that I have actually had some luck signing my own certs. I
still get errors but at least the page loads... With the Verisign cert, the
page doesn't even load.

Hopefully someone else has found their way through this maze and can shoot
up a flare for me!

Thanks all!

Corey

P.S. I have tried tech support at Verisign with very little luck. They are
very clear on the fact that they don't support open source. I am guessing
they have their fingers in their ears a bit there...
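An added triage helper for logs like the ones quoted above (example code, not part of the original post or of mod_ssl): it pairs each "SSL handshake failed" line with the packed OpenSSL error that follows it, splits the hex code into its lib/func/reason fields, and tallies failures per client and reason. The sample log lines are constructed from the post, and the reason-code names are assumed from the OpenSSL 0.9.x `ssl.h` headers.

```python
import re
from collections import Counter

# Constructed sample lines in the mod_ssl 2.8 error_log format quoted in the post.
SAMPLE_LOG = """\
[Fri Sep  9 22:30:55 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
[Fri Sep  9 22:30:55 2005] [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
[Fri Sep  9 22:30:56 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.112) (OpenSSL library error follows)
[Fri Sep  9 22:30:56 2005] [error] OpenSSL: error:1408A10B:lib(20):func(138):reason(267)
[Fri Sep  9 22:49:04 2005] [error] mod_ssl: SSL handshake failed (server www.dummy.com:443, client 255.255.255.47) (OpenSSL library error follows)
[Fri Sep  9 22:49:04 2005] [error] OpenSSL: error:1409441B:lib(20):func(148):reason(1051)
"""

# Reason names for lib 20 (the SSL library), assumed from OpenSSL 0.9.x ssl.h;
# confirm on the box with `openssl errstr <hexcode>`. A TLSV1_ALERT_DECRYPT_ERROR
# arriving right after ServerKeyExchange means the client could not verify the
# server's signature, which is what the s_client run in the post shows.
SSL_REASONS = {
    199: "PEER_DID_NOT_RETURN_A_CERTIFICATE",
    267: "WRONG_VERSION_NUMBER",
    1051: "TLSV1_ALERT_DECRYPT_ERROR",
}

FAIL_RE = re.compile(r"SSL handshake failed \(server (\S+), client (\S+)\)")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8})")


def unpack_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log):
    """Pair each failure line with the OpenSSL error line that follows it."""
    events, pending = [], None
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending = {"server": m.group(1), "client": m.group(2)}
            continue
        m = ERR_RE.search(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            lib, func, reason = unpack_error(code)
            pending.update(code=code, lib=lib, func=func, reason=reason,
                           name=SSL_REASONS.get(reason, "unknown(%d)" % reason))
            events.append(pending)
            pending = None
    return events


def summarize(events):
    """Count failures by (client, reason name) so repeat patterns stand out."""
    return Counter((e["client"], e["name"]) for e in events)
```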
