Posted to users@httpd.apache.org by "John J. Consolati" <co...@llnl.gov> on 2009/11/25 18:23:10 UTC

[users@httpd] SSL on Apache 2.2.14

Hello,

Hopefully someone will be able to help, as I've been working on this  
problem for quite a while and have hit a wall.  I'm trying to upgrade  
Apache 2.0.47 to 2.2.14, and I need SSL support.  Everything seems to  
build and compile okay, but when I try to access my site running on  
2.2.14, I get a strange error from Firefox: "Secure connection  
failed.  An error occurred during a connection to xxxxxx.  SSL peer  
reports incorrect Message Authentication Code.  (Error code:  
ssl_error_bad_mac_alert)."

I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same  
results.  This is hosted on a Solaris sparc box.  The 2.2.14 server is  
utilizing all the same files and SSL certificates as the 2.0.47  
server.  I've called Verisign; I have valid certificates, but they've  
never heard of this error before.  If I self-sign a certificate and  
test it with the 2.2.14 server, it seems to work (except for the  
expected error message regarding self-signed certificates).

Searching on Google has led me to try forcing Apache to compile with  
prefork enabled (but it seems to default to that anyway on Solaris).   
I've also tried statically linking Apache during compile with the same  
results.

If anyone has any ideas or suggestions, I'd very much appreciate them...

Thank you,
John

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL on Apache 2.2.14

Posted by Sander Temme <sc...@apache.org>.
On Nov 25, 2009, at 9:23 AM, John J. Consolati wrote:

> Hopefully someone will be able to help, as I've been working on this problem for quite a while and have hit a wall.  I'm trying to upgrade Apache 2.0.47 to 2.2.14, and I need SSL support.  Everything seems to build and compile okay, but when I try to access my site running on 2.2.14, I get a strange error from Firefox: "Secure connection failed.  An error occurred during a connection to xxxxxx.  SSL peer reports incorrect Message Authentication Code.  (Error code: ssl_error_bad_mac_alert)."

This means that, after the handshake, the client and server have a different idea of what their session keys are.  This happens when the pre-master secret that the client sent was decrypted with a private key that does not belong to the certificate that the server passed to the client.  

Do you by any chance use a Hardware Security Module to protect the private key? 

Can you try using your key file and certs with a simple test server included with openssl?  Like so: 

openssl s_server -cert /path/to/yourSSLCertificateFile -key /path/to/yourSSLCertificateKeyFile -CAfile /path/to/yourSSLCertificateChainFile -www

and then from a different terminal connect to localhost:4433

curl -i https://localhost:4433/

or

openssl s_client -connect localhost:4433 

and see if that works.  

S. 

> I've tried compiling with OpenSSL 0.9.8L and 0.9.8G with the same results.  This is hosted on a Solaris sparc box.  The 2.2.14 server is utilizing all the same files and SSL certificates as the 2.0.47 server.  I've called Verisign; I have valid certificates, but they've never heard of this error before.  If I self-sign a certificate and test it with the 2.2.14 server, it seems to work (except for the expected error message regarding self-signed certificates).
> 
> Searching on Google has led me to try forcing Apache to compile with prefork enabled (but it seems to default to that anyway on Solaris).  I've also tried statically linking Apache during compile with the same results.
> 
> If anyone has any ideas or suggestions, I'd very much appreciate them...
> 
> Thank you,
> John
> 



-- 
Sander Temme
sctemme@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
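
The reply above attributes the bad MAC alert to a private key that does not belong to the certificate the server presents. As an added example (not part of the original thread), the script below checks that directly by comparing the public key in the certificate with the one derived from the key file. The function names and demo file names are hypothetical, and it assumes an OpenSSL with the `pkey` command (1.0.0 or later).

```shell
#!/bin/sh
# Added example: does this private key belong to this certificate?
# Function and file names are illustrative, not taken from the thread.

# Print a SHA-256 digest of the public key held in a PEM certificate ("cert")
# or derived from a PEM private key ("key"). Returns 2 if the file is unusable.
pub_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status: 0 = key matches certificate, 1 = mismatch, 2 = unreadable input.
cert_key_match() {
    c=$(pub_digest cert "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    k=$(pub_digest key "$2") || { echo "cannot read private key: $2" >&2; return 2; }
    if [ "$c" = "$k" ]; then
        echo "MATCH    $c"
    else
        echo "MISMATCH cert=$c key=$k"
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed certificate with its own
# key (good.key) plus an unrelated key (other.key), written into directory $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/good.key" -out "$1/site.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Usage: sh check.sh /path/to/SSLCertificateFile /path/to/SSLCertificateKeyFile
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

A MISMATCH result for the files named in SSLCertificateFile and SSLCertificateKeyFile is the condition the reply describes.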




Re: [users@httpd] SSL on Apache 2.2.14

Posted by Da...@YMP.GOV.
John,

This is a (very) short explanation of the error code at:

http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

and this one has a possible cause:

http://serverfault.com/questions/63167/sslerrorbadmacalert-error-in-firefox

You might want to Google the message for more info.

Dan


