
Netscape ask always certificat
Hello
I have looked for information in the archive about my problem. I did not find
an answer to my problem, sorry in advance for asking a question about a very
well-known problem.
I have developed a Web application that uses X509 certificates. Netscape
asks for the certificate each time (on every page). As my users have several
certificates, they do not use the option "Select Automatically" in
Netscape; I have to tell my users to use this option now and create a
Netscape profile for every certificate.
First, I have compiled Apache with MM and use:
SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
SSLSessionCacheTimeout 1800
but it does not work.
Does anyone have a better idea?
Thanks in advance
--xj
--
_________________________________________________________________________________________
Xavier Jeannin
UREC/CNRS Université P. & M. Curie, Courrier : case 171, 4 place Jussieu 75252 PARIS CEDEX 05
Tél : 01 44 27 42 59 - Fax : 01 44 27 42 61 - Courriel : jeannin [at] urec.cnrs.fr
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Re: Netscape ask always certificat
On Wed, Oct 29, 2003 at 05:15:13PM +0100, xavier jeannin wrote:
> I have developed a Web application that uses X509 certificates. Netscape
> asks for the certificate each time (on every page). As my users have several
> certificates, they do not use the option "Select Automatically" in
> Netscape; I have to tell my users to use this option now and create a
> Netscape profile for every certificate.
>
> First, I have compiled Apache with MM and use:
> SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> SSLSessionCacheTimeout 1800
> but it does not work.
>
"but it does not work" - how should that be understood? that SSLSessionCache
does not work, or that the users are still being asked for the certificate?
The simplest way to test sessions away from the browser is to use openssl
s_client with the -reconnect option - that should tell you whether session
caching is in effect or not.
Usually when sessions are enabled in apache, but the browser keeps asking for
the cert, then it is a setting in the browser - I seem to recall that
Netscape had an option to ask for the password on every use.
vh
Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations"
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation"
Re: Netscape ask always certificat
Hi,
Try using the status module
ExtendedStatus On
<Location /server-status>
SetHandler server-status
</Location>
That gives some info about SSL sessions near the
bottom. Currently I'm using client certs and Firebird
with "ask every time" set. This results in a prompt
every 300 seconds as the session times out. Which
version of Netscape?
Regards
Matt
Re: Netscape ask always certificat
Hi
Thanks Mads for your answer :
I should have written "Netscape still asks for the cert on each page" instead
of "it does not work".
I made the test you suggested; here is the result:
root [at] engine jeannin]# openssl s_client -host intranet.stic.cnrs.fr -port
443 -cert /usr/local/apache/conf/ssl.crt/intranet.stic.cns.fr.crt -key
/usr/local/apache/conf/ssl.key/intranet.stic.cnrs.fr.key -CAfile
/usr/local/apache/conf/ssl.crt/ca-bundle.crt -reconect -ssl3
CONNECTED(00000003)
depth=2 /C=FR/O=CNRS/CN=CNRS
verify return:1
depth=1 /C=FR/O=CNRS/CN=CNRS-Standard
verify return:1
depth=0 /C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin [at] urec.cnrs.fr
verify return:1
24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1031:SSL alert number 43
24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:
I am sorry but I do not understand the response. I am sure that my cert
is valid, my private key too, and my cafile too.
Do you know where I can read documentation that explains the error
message? Perhaps it is a bad use of the openssl client.
thank you
--xj
Re: Netscape ask always certificat
On Thu, Oct 30, 2003 at 09:24:04AM +0100, xavier jeannin wrote:
> 24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert
> unsupported certificate:s3_pkt.c:1031:SSL alert number 43
> 24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:514:
>
> I am sorry but I do not understand the response. I am sure that my cert
> is valid, my private key too, and my cafile too.
> Do you know where I can read documentation that explains the error
> message? Perhaps it is a bad use of the openssl client.
openssl s_client expects the certificate and key to be in PEM format -
openssl x509 -in cert.crt -inform DER -out cert.pem -outform PEM
vh
Mads Toftum
Re: Netscape ask always certificat
OK, sorry, I corrected my mistake, so now I can connect with the SSL client and
get my HTML page.
Thank you, it is a powerful tool for debugging (redirects, etc.).
I am sending you the response I get; I am not capable of analysing the SSL
sequence.
Is it a normal sequence?
Seeing this, can we deduce that the session cache works fine?
In this example, I have only asked for one page; I have not browsed
my site, so can we deduce anything from this example?
Is it possible to browse a site with ssl_client (to see cookie and
session problems)?
thank you
--xj
CONNECTED(00000003)
---
Certificate chain
0 s:/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin [at] urec.cnrs.fr
i:/C=FR/O=CNRS/CN=CNRS-Standard
1 s:/C=FR/O=CNRS/CN=CNRS-Standard
i:/C=FR/O=CNRS/CN=CNRS
2 s:/C=FR/O=CNRS/CN=CNRS
i:/C=FR/O=CNRS/CN=CNRS
---
Server certificate
subject=/C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/Email=Xavier.Jeannin [at] urec.cnrs.fr
issuer=/C=FR/O=CNRS/CN=CNRS-Standard
---
Acceptable client certificate CA names
/C=FR/O=CNRS/CN=SSI
/C=FR/O=CNRS/CN=CNRS
/C=FR/O=CNRS/CN=Datagrid-fr
/C=FR/O=CNRS/CN=CNRS-Projets
/C=FR/O=CNRS/CN=CNRS-Standard
/Email=ca-administrateur [at] urec.cnrs.fr/CN=CNRS-Test/OU=UREC/O=CNRS/C=FR
/C=FR/O=CNRS/CN=CNRS-Plus
---
SSL handshake has read 3873 bytes and written 3551 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 279FCDC4C400A75AE70E85755781EAA6F39429D8FC22AE69B6F95D982020F5DFAD6DF5B552DF21FE7DB23CC7FC09EE1A
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: C04F385EFFBC7FE29AB3503C3A55F264D5EB42D33F5AD15D988E7E030E3E2D0A61BBF9540CD2CDFEF139A23F23656E42
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 0FBF55C5A75525AC4DE0A508D984DAAFD046C38C251744F4546358747FFD7527BD88A6F5B5B2258DD8D99BD4F04D6227
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 1FA07645E42886ED343D5C7B7BA722675B35E298AC48791D981784FFE2F640914D7BDBE0ADD184DEE104C4BDDC251494
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 72B0D603F01C3416E2B39C650E7359B1123E959F49D54EB4654A9F26CF666089DDB071D305CF267FDB95E6B3210DD9B3
Key-Arg : None
Start Time: 1067509174
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Bienvenue sur l'Intranet du département STIC du
CNRS</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1170" name=GENERATOR>
<link rel="stylesheet" href="../style/main.css" type="text/css">
</HEAD>
<BODY bgColor=#ffffff leftMargin=0 topMargin=0 MARGINHEIGHT="0"
MARGINWIDTH="0">
My HTML page
</BODY></HTML>closed
Re: Netscape ask always certificat
On Thu, Oct 30, 2003 at 11:40:52AM +0100, xavier jeannin wrote:
[SNIP]
> ---
> drop connection and then reconnect
> CONNECTED(00000003)
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> Session-ID-ctx:
> Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
> Key-Arg : None
> Start Time: 1067509174
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
Session caching seems to be off on the server side - when I use reconnect, I get
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
Session-ID-ctx:
Master-Key: 6D9E61B97ADE120B056E79A09B3489D23D7D2A74FE2D82E067CBEF50296B76B5E6034ECDB32B4B062788BA9D9832DD3B
vh
Mads Toftum
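
The comparison made in this reply can be scripted: s_client starts each handshake summary with "New," for a full handshake and "Reused," when the server resumed the session, and a server that caches sessions fills in Session-ID. This is an added example, not part of the original thread or of mod_ssl; the function name summarize_reconnect and both sample transcripts are constructed, modelled on the output quoted above.

```sh
#!/bin/sh
# Added example: summarise `openssl s_client -reconnect` output read on stdin.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -reconnect </dev/null 2>&1 | summarize_reconnect

summarize_reconnect() {
    awk '
        /^New, /             { fresh++ }     # full handshake
        /^Reused, /          { reused++ }    # server resumed the cached session
        # A "Session-ID:" line with no value: the server issued no session ID.
        /^[ \t]*Session-ID:/ { if ($2 == "") empty++ }
        END {
            if (reused > 0)     verdict = "resumed"
            else if (fresh > 1) verdict = "not-resumed"
            else                verdict = "inconclusive"   # fewer than two handshakes seen
            printf "new=%d reused=%d empty_ids=%d verdict=%s\n", fresh, reused, empty, verdict
        }'
}

# Constructed transcript: every reconnect is a full handshake, Session-ID empty.
sample_cache_off() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID:
    Session-ID-ctx:
EOF
}

# Constructed transcript: the reconnects resume the first session.
# The Session-ID value is a made-up placeholder.
sample_cache_on() {
cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID: 0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID: 0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Session-ID: 0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
EOF
}

echo "cache off: $(sample_cache_off | summarize_reconnect)"
echo "cache on:  $(sample_cache_on | summarize_reconnect)"
```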