[ale] SSL, Apache, and Windows 98

Keith Hopkins hne at hopnet.net
Wed Jun 22 11:37:12 EDT 2005 

Let me think out loud for a min....

The important details:
5 2  0.0016 (0.0005)  S>C  Handshake
       ServerHello
         Version 3.1
         session_id[32]=
           7e 80 0d c5 97 8b d4 80 37 af 00 97 02 8f 42 de
           a4 45 fe 00 36 41 92 0e 1c 3a f5 04 8a 50 26 ca
         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
         compressionMethod                   NULL
5 3  0.0016 (0.0000)  S>C  Handshake
       Certificate
5 4  0.0016 (0.0000)  S>C  Handshake
       ServerHelloDone
5 5  0.0062 (0.0045)  C>S  Handshake
       ClientKeyExchange
5 6  0.0062 (0.0000)  C>S  ChangeCipherSpec
5 7  0.0062 (0.0000)  C>S  Handshake
5 8  0.0070 (0.0008)  S>C  Alert
     level           fatal
     value           bad_record_mac

bad_record_mac    This alert is returned if a record is received with an incorrect MAC.  This message is always fatal.

MAC = message authentication codes

The Change Cipher Spec Protocol signals a transition of the cipher suite to be used on the connection between the client and server. This protocol is composed of a single message which is encrypted and compressed with the current cipher suite. This message consists of a single byte with the value 1. Message after this will be encrypted and compressed using the new cipher suite.


   Sure sounds like Win98/IE is not doing the encryption correctly.  I'd suggest changing the cipher on the ssl/apache server to a different method (SSLCipherSuite for mod_ssl).

--
from Downunder (and a little to the left)
   Keith



Brian Akins wrote:
> Apache 2.0.54 with ssl as dso
> openssl 0.9.7g
> RHAS 2.1
> 
> WIn 98 with any version  of IE gets the generic page caoont be displayed 
> message.
> 
> Errors in apache log:
> Tue Jun 21 11:22:09 2005] [info] Connection to child 35 established 
> (server account.nascar.com:443, client 10.188.33.199)
> [Tue Jun 21 11:22:09 2005] [info] SSL library error 1 in handshake 
> (server account.nascar.com:443, client 10.188.33.199)
> [Tue Jun 21 11:22:09 2005] [info] Connection to child 35 closed with 
> abortive shutdown(server account.nascar.com:443, client 10.188.33.199)
> [Tue Jun 21 11:22:09 2005] [info] Connection to child 36 established 
> (server account.nascar.com:443, client 10.188.33.199)
> [Tue Jun 21 11:22:09 2005] [info] Connection to child 36 closed with 
> abortive shutdown(server account.nascar.com:443, client 10.188.33.199)
> 
> 
> 
> output from ssldump:
> 
> New TCP connection #5: 10.188.33.199(1493) <-> pay8rly2.turner.com(443)
> 5 1  0.0011 (0.0011)  C>S SSLv2 compatible client hello
>   Version 3.1
>   cipher suites
>   TLS_RSA_WITH_RC4_128_MD5
>   TLS_RSA_WITH_RC4_128_SHA
>   TLS_RSA_WITH_3DES_EDE_CBC_SHA
>   SSL2_CK_RC4
>   SSL2_CK_3DES
>   SSL2_CK_RC2
>   TLS_RSA_WITH_DES_CBC_SHA
>   SSL2_CK_DES
>   TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>   TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>   TLS_RSA_EXPORT_WITH_RC4_40_MD5
>   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>   SSL2_CK_RC4_EXPORT40
>   SSL2_CK_RC2_EXPORT40
> 5 2  0.0016 (0.0005)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           7e 80 0d c5 97 8b d4 80 37 af 00 97 02 8f 42 de
>           a4 45 fe 00 36 41 92 0e 1c 3a f5 04 8a 50 26 ca
>         cipherSuite         TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod                   NULL
> 5 3  0.0016 (0.0000)  S>C  Handshake
>       Certificate
> 5 4  0.0016 (0.0000)  S>C  Handshake
>       ServerHelloDone
> 5 5  0.0062 (0.0045)  C>S  Handshake
>       ClientKeyExchange
> 5 6  0.0062 (0.0000)  C>S  ChangeCipherSpec
> 5 7  0.0062 (0.0000)  C>S  Handshake
> 5 8  0.0070 (0.0008)  S>C  Alert
>     level           fatal
>     value           bad_record_mac
> 5    0.0073 (0.0002)  S>C  TCP FIN
> 5    0.0079 (0.0006)  C>S  TCP FIN
> New TCP connection #6: 10.188.33.199(1494) <-> pay8rly2.turner.com(443)
> Version 2 Client.
> 6    0.0036 (0.0036)  C>S  TCP FIN
> 6    0.0037 (0.0001)  S>C  TCP FIN
> 
> 
> 
> 
> Apache config stuff:
> 
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown 
> downgrade-1.0 force-response-1.0
> 
> 
> SSLSessionCache shm:/logs/https-relay.ssl_session_cache(512000)
> SSLSessionCacheTimeout 300
> SSLMutex sem
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
> I have tried the following as well:
> 
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>    SSLProtocol all -SSLv3
> 
> 
> 
> to no avail.
> 
> Seems to work on all other OS's
> 
> 
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3383 bytes
Desc: S/MIME Cryptographic Signature

More information about the Ale mailing list