Re: TLSv1 problem - Openssl


Thread: Re: TLSv1 problem

  1. Re: TLSv1 problem

    doki_pen wrote:
    > This is on Gentoo. I'm not sure if they have patched these things
    > * apache-2.2.9
    > * openssl-0.9.8h
    >
    > I'm having a problem using TLS with firefox3 clients. The client
    > reports an SSL problem. I've done a pcap in wireshark. The client
    > sends "Client Hello" with TLS 1.0. The server responds with a TLSv1
    > alert message that is
    >
    > Level: Fatal(2)
    > Description: Access Denied(49)
    >
    > The apache logs say:
    >
    > [Mon Jun 30 12:39:47 2008] [info] Initial (No.1) HTTPS request
    > received for child 1 (server projects.optaros.com:443)
    > [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    > ap_headers_output_filter()
    > [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    > ap_headers_output_filter()
    > [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    > ap_headers_output_filter()
    > [Mon Jun 30 12:39:48 2008] [debug] ssl_engine_io.c(1828): OpenSSL: I/O
    > error, 5 bytes expected to read on BIO#84ca028 [mem: 8963c38]
    > [Mon Jun 30 12:39:48 2008] [info] [client 64.251.112.40] (70007)The
    > timeout specified has expired: SSL input filter read failed.
    > [Mon Jun 30 12:39:48 2008] [debug] ssl_engine_kernel.c(1770): OpenSSL:
    > Write: SSL negotiation finished successfully
    > [Mon Jun 30 12:39:48 2008] [info] [client 64.251.112.40] Connection
    > closed to child 192 with standard shutdown (server
    > projects.optaros.com:443)
    > [Mon Jun 30 12:39:49 2008] [debug] ssl_engine_io.c(1817): OpenSSL:
    > read 5/5 bytes from BIO#84ca028 [mem: 8980d78] (BIO dump follows)
    >
    >
    > If I disable TLS in apache, everything works fine. Any ideas?
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org


    It's beginning to look like the firewall is interfering. I can't see
    apache send the access denied message when I do a tcpdump there, but the
    client gets it. damn firewall.


  2. Re: TLSv1 problem

    If the firewall is interfering, then the firewall is likely the
    endpoint of the proxy connection, and is applying its access rules --
    the client is not authorized to make a connection, so the server is
    shutting it down with the appropriate "access_denied" error code.

    Granted, this doesn't help people tasked with supporting the issues.

    -Kyle H

    On Wed, Jul 2, 2008 at 7:28 AM, doki_pen wrote:
    > doki_pen wrote:
    >>
    >> This is on Gentoo. I'm not sure if they have patched these things
    >> * apache-2.2.9
    >> * openssl-0.9.8h
    >>
    >> I'm having a problem using TLS with firefox3 clients. The client reports
    >> an SSL problem. I've done a pcap in wireshark. The client sends "Client
    >> Hello" with TLS 1.0. The server responds with a TLSv1 alert message that is
    >>
    >> Level: Fatal(2)
    >> Description: Access Denied(49)
    >>
    >> The apache logs say:
    >>
    >> [Mon Jun 30 12:39:47 2008] [info] Initial (No.1) HTTPS request received
    >> for child 1 (server projects.optaros.com:443)
    >> [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    >> ap_headers_output_filter()
    >> [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    >> ap_headers_output_filter()
    >> [Mon Jun 30 12:39:47 2008] [debug] mod_headers.c(711): headers:
    >> ap_headers_output_filter()
    >> [Mon Jun 30 12:39:48 2008] [debug] ssl_engine_io.c(1828): OpenSSL: I/O
    >> error, 5 bytes expected to read on BIO#84ca028 [mem: 8963c38]
    >> [Mon Jun 30 12:39:48 2008] [info] [client 64.251.112.40] (70007)The
    >> timeout specified has expired: SSL input filter read failed.
    >> [Mon Jun 30 12:39:48 2008] [debug] ssl_engine_kernel.c(1770): OpenSSL:
    >> Write: SSL negotiation finished successfully
    >> [Mon Jun 30 12:39:48 2008] [info] [client 64.251.112.40] Connection closed
    >> to child 192 with standard shutdown (server projects.optaros.com:443)
    >> [Mon Jun 30 12:39:49 2008] [debug] ssl_engine_io.c(1817): OpenSSL: read
    >> 5/5 bytes from BIO#84ca028 [mem: 8980d78] (BIO dump follows)
    >>
    >>
    >> If I disable TLS in apache, everything works fine. Any ideas?

    >
    > It's beginning to look like the firewall is interfering. I can't see apache
    > send the access denied message when I do a tcpdump there, but the client
    > gets it. damn firewall.
    >



  3. Re: TLSv1 problem

    Kyle Hamilton wrote:
    > If the firewall is interfering, then the firewall is likely the
    > endpoint of the proxy connection, and is applying its access rules --
    > the client is not authorized to make a connection, so the server is
    > shutting it down with the appropriate "access_denied" error code.
    >
    > Granted, this doesn't help people tasked with supporting the issues.
    >
    > -Kyle H
    >
    >
    >

    I don't know about that. If I shut off TLSv1 on either side then
    everything works. If I use a different web browser then everything
    works. I think that the firewall is flagging firefox3 as a virus. lol.

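Added example, not code from any poster in this thread: a sketch of the comparison described above, decoding plaintext TLS alert records from the server-to-client byte stream captured at each end and listing alerts the client received that the server-side capture never shows. The function names and sample bytes are constructed for illustration.

```python
import struct

# Subset of TLS alert descriptions (RFC 2246 / RFC 5246).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 70: "protocol_version",
    80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):  # 5-byte record header: type, version, length
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        payload = stream[offset + 5 : offset + 5 + length]
        if len(payload) < length:
            break  # truncated capture, stop rather than misparse
        yield ctype, (major, minor), payload
        offset += 5 + length


def plaintext_alerts(stream: bytes):
    """Return (level, description) names for unencrypted alert records."""
    found = []
    for ctype, _version, payload in iter_records(stream):
        # Alerts sent before keys are established are exactly 2 bytes;
        # encrypted alerts are longer and cannot be decoded here.
        if ctype == CONTENT_TYPE_ALERT and len(payload) == 2:
            level, desc = payload
            found.append((ALERT_LEVELS.get(level, f"unknown({level})"),
                          ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")))
    return found


def injected_alerts(client_side: bytes, server_side: bytes):
    """Alerts the client received that the server capture never shows leaving."""
    sent = plaintext_alerts(server_side)
    return [a for a in plaintext_alerts(client_side) if a not in sent]


# Constructed sample bytes (not taken from the thread's capture): the
# server-to-client direction as seen next to the client and next to the server.
ALERT_49 = bytes([21, 3, 1, 0, 2, 2, 49])  # alert, TLS 1.0, fatal, access_denied
SERVER_HELLO_STUB = bytes([22, 3, 1, 0, 4, 2, 0, 0, 0])  # handshake record stub
CLIENT_CAPTURE = ALERT_49
SERVER_CAPTURE = SERVER_HELLO_STUB
```

A non-empty result from `injected_alerts` means a device between the two capture points produced the alert.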

