Posted to users@httpd.apache.org by "Szerdahelyi, Andras " <an...@citi.com> on 2009/02/18 14:31:53 UTC

[users@httpd] SSL library error 336151570 in handshake w/ confirmed cert (CN=ServerName, valid, etc)

Hey list,

I've been struggling with this error for weeks now, and still haven't
even got close to a solution. I have the following setup

Server
Linux gdshu2.XXX 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686
i686 i386 GNU/Linux
/usr/local/apache2/bin/httpd -v
Server version: Apache/2.0.63
Server built:   Feb 18 2009 12:21:06

Log level is set to debug.

Server cert
openssl verify /usr/local/apache2/certs/server.crt
/usr/local/apache2/certs/server.crt:
/C=HU/ST=Budapest/L=Budapest/O=XXX/OU=GPS
UNIX/CN=gdshu2.XXX/emailAddress=XXX

(XXX is where I've applied some censorship :-)

Clients
A: - desktop, firefox
B: - desktop, internet explorer
C: - an enterprise service bus client

A complains about how the cert is not signed by a trusted CA. That's ok.
I add an exception on the client. This is what I see on the apache error
log
[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL:
Read: SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL:
Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [info] SSL library error 1 in handshake
(server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:18:50 2009] [info] SSL Library Error: 336151576
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Wed Feb 18 15:18:50 2009] [info] Connection to child 4 closed with
abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

B complains about the same, halts the connection with a dialog box. (I
think the handshake goes well here.) Debug on server side is

[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 read finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 write change cipher spec A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 write finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL:
Loop: SSLv3 flush data
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1735): OpenSSL:
Handshake: done
[Wed Feb 18 15:20:43 2009] [info] Connection: Client IP:
169.162.137.225, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_io.c(1708): OpenSSL: I/O
error, 5 bytes expected to read on BIO#9c50768 [mem: 9c62398]
[Wed Feb 18 15:20:43 2009] [info] (70014)End of file found: SSL input
filter read failed.
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1749): OpenSSL:
Write: SSL negotiation finished successfully
[Wed Feb 18 15:20:43 2009] [info] Connection to child 2 closed with
standard shutdown(server gdshu2.XXX:443, client 169.XXX)

C fails miserably at handshake, and this is my problem. Debug log says

[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL:
Read: SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL:
Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [info] SSL library error 1 in handshake
(server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Subject CN in certificate not server name or identical to CA!?
[Wed Feb 18 15:03:36 2009] [info] Connection to child 3 closed with
abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

Now, you would assume I have a different CN on the cert and ServerName in
Apache. I don't! Besides checking the cert and the config files
manually, Apache never complains about this at startup

[Wed Feb 18 15:23:28 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(385): Creating new
SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(696): Configuring
RSA server certificate
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(735): Configuring
RSA server private key
[Wed Feb 18 15:23:28 2009] [info] Loading certificate & private key of
SSL-aware server
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_pphrase.c(469):
unencrypted RSA private key - pass phrase not required
[Wed Feb 18 15:23:29 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(385): Creating new
SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(696): Configuring
RSA server certificate
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(735): Configuring
RSA server private key

My question is: how is this error invoked when my server cert is valid?
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Subject CN in certificate not server name or identical to CA!?

Also, SSLVerifyCertificate is not enabled (it is not in any of the
loaded config files, and client certificate verification is disabled
by default, right?)

Thanks much & regards,
Andrew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL library error 336151570 in handshake w/ confirmed cert (CN=ServerName, valid, etc)

Posted by Eric Covener <co...@gmail.com>.
On Wed, Feb 18, 2009 at 8:31 AM, Szerdahelyi, Andras
<an...@citi.com> wrote:
> My question is: how is this error invoked when my server cert is valid?
> [Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570
> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Subject CN in certificate not server name or identical to CA!?


I'm not terribly familiar with mod_ssl, but you might look at a
wireshark trace and see if this Alert is actually being transmitted
over the wire by the client.

It looks like it happens early enough that it would be unencrypted.

-- 
Eric Covener
covener@gmail.com
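As an added example (not code from the thread or from the Apache project), here is a small Python helper for the two checks a reader would make at this point: unpacking the packed OpenSSL error codes that mod_ssl logged (336151570 and 336151576 above), and parsing the plaintext TLS Alert record that a wire capture would show the client sending. The alert table is the RFC 5246 subset needed here; the log line is taken from the thread and the alert record bytes are constructed.

```python
import re
import struct

# TLS AlertDescription values (RFC 5246 section 7.2); subset used here.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason for a peer alert = 1000 + description

def decode_openssl_error(code):
    """Split a packed OpenSSL error code into lib:func:reason; name the alert if any."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if reason >= SSL_AD_REASON_OFFSET:
        alert = ALERT_DESCRIPTIONS.get(reason - SSL_AD_REASON_OFFSET, "unknown")
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}

def explain_log_line(line):
    """Extract the decimal code from a mod_ssl 'SSL Library Error: N' line."""
    m = re.search(r"SSL Library Error: (\d+)", line)
    return decode_openssl_error(int(m.group(1))) if m else None

def parse_tls_alert(record):
    """Parse one plaintext TLS record; return alert fields, or None if not an Alert."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if ctype != 21:  # ContentType.alert
        return None
    if length != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, desc = body[0], body[1]
    return {"version": (major, minor),
            "level": ALERT_LEVELS.get(level, "unknown"),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)}

# Constructed samples: the log line from the thread, and a fabricated 7-byte
# SSLv3 alert record of the kind the wire trace would show client C sending.
LOG_LINE = "[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570"
CLIENT_C_ALERT = b"\x15\x03\x00\x00\x02\x02\x2a"
```

336151570 decodes to reason 1042, i.e. alert 42 (bad_certificate), and 336151576 to alert 48 (unknown_ca), which matches the text OpenSSL printed beside each code; a record whose description does not match the logged reason would point at the server-side interpretation rather than the client.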


Re: [users@httpd] SSL library error 336151570 in handshake w/ confirmed cert (CN=ServerName, valid, etc)

Posted by Peter Schober <pe...@univie.ac.at>.
* Szerdahelyi, Andras  <an...@citi.com> [2009-02-18 14:32]:
> I've been struggling with this error for weeks now, and still haven't
> even got close to a solution. I have the following setup

I'd suggest getting this to work with openssl s_client first.
cheers,
-peter
