| Author |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
 Posted: Fri 27 Oct '06 4:42 Post subject: Apache 2.2.3 with OpenSSL 0.9.9[dev] |
 |
|
Has anyone managed to build successfully Apache 2.2.3 with OpenSSL 0.9.9[dev]? I've done so as I need to use OpenSSL 0.9.9[dev] to generate ECC cert. When I tried with openssl s_server, my client (Firefox) could browse to my site running on ECC cert successfully. But when I use my client to connect to my apache web server via 443, my client is getting the error 'Firefox can't connect securely to localhost because the site uses a security protocol which isn't enabled'.
1) Anyone encountered the same problem before? If yes, y and how to solve it?
2) How do I ascertain what ciphers my web server is using other than running openssl ciphers?
Thanks in advance! |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
| Posted: Fri 27 Oct '06 20:43 Post subject: |
|
|
| The ellipitic curve ciphers in openssl-0.9.9 are not exposed to mod_ssl I think that there is a patch that you can apply but i misplaced the link. and i'm sure that there is a nessus plugin that tells you which ciphers are running on your server. |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3058
Location: Hilversum, NL, EU
|
| Posted: Fri 27 Oct '06 21:02 Post subject: |
|
|
Ciphers supported in s_server binary can you check with:
openssl s_server -cert cert.pem -key privkey.pem -www
And call then https://localhost:4433
Steffen |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
|
| Back to top |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
| Posted: Mon 06 Nov '06 4:58 Post subject: |
|
|
Thanks for the advice. I have applied the patch but the same error persist. 
Is there any possibility that Apache is refusing to handshake with the client? Under what scenarios would Apache do this other than not being able to negotiate a valid cipher with the client? |
|
| Back to top |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
| Posted: Mon 06 Nov '06 5:25 Post subject: |
|
|
s_server -cert secp384r1.crt -key secp384r1.key -www
Ciphers supported in s_server binary
TLSv1/SSLv3:ECDHE-RSA-AES256-SHA TLSv1/SSLv3:ECDHE-ECDSA-AES256-SHA
TLSv1/SSLv3:PSK-AES256-CBC-SHA TLSv1/SSLv3:DHE-RSA-AES256-SHA
TLSv1/SSLv3:DHE-DSS-AES256-SHA TLSv1/SSLv3:DHE-RSA-CAMELLIA256-SHA
TLSv1/SSLv3:DHE-DSS-CAMELLIA256-SHA TLSv1/SSLv3:ECDH-RSA-AES256-SHA
TLSv1/SSLv3:ECDH-ECDSA-AES256-SHA TLSv1/SSLv3:AES256-SHA
TLSv1/SSLv3:CAMELLIA256-SHA TLSv1/SSLv3:ECDHE-RSA-DES-CBC3-SHA
TLSv1/SSLv3:ECDHE-ECDSA-DES-CBC3-SHA TLSv1/SSLv3:PSK-3DES-EDE-CBC-SHA
TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA
TLSv1/SSLv3:ECDH-RSA-DES-CBC3-SHA TLSv1/SSLv3:ECDH-ECDSA-DES-CBC3-SHA
TLSv1/SSLv3:DES-CBC3-SHA SSLv2 :DES-CBC3-MD5
TLSv1/SSLv3:ECDHE-RSA-AES128-SHA TLSv1/SSLv3:ECDHE-ECDSA-AES128-SHA
TLSv1/SSLv3:PSK-AES128-CBC-SHA TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:DHE-RSA-CAMELLIA128-SHA
TLSv1/SSLv3:DHE-DSS-CAMELLIA128-SHA TLSv1/SSLv3:ECDH-RSA-AES128-SHA
TLSv1/SSLv3:ECDH-ECDSA-AES128-SHA TLSv1/SSLv3:AES128-SHA
TLSv1/SSLv3:CAMELLIA128-SHA TLSv1/SSLv3:IDEA-CBC-SHA
SSLv2 :IDEA-CBC-MD5 SSLv2 :RC2-CBC-MD5
TLSv1/SSLv3:ECDHE-RSA-RC4-SHA TLSv1/SSLv3:ECDHE-ECDSA-RC4-SHA
TLSv1/SSLv3:PSK-RC4-SHA TLSv1/SSLv3:ECDH-RSA-RC4-SHA
TLSv1/SSLv3:ECDH-ECDSA-RC4-SHA TLSv1/SSLv3:RC4-SHA
TLSv1/SSLv3:RC4-MD5 SSLv2 :RC4-MD5
TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:DES-CBC-SHA SSLv2 :DES-CBC-MD5
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA
AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA ECDH-RSA-RC4-SHA ECDH-RSA-AES128-SHA
ECDH-ECDSA-RC4-SHA ECDH-ECDSA-AES128-SHA RC4-MD5
RC4-SHA AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA
ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-ECDSA-AES256-SHA
Session-ID: 7DC349FEC0337AAE8FC5CAA7CF54D3C7BF8E6E662E937646020F7E3DBC75BC7B
Session-ID-ctx: 01000000
Master-Key: CF2A366EC52E2CD0046785AC9D0C050F6F68226189B063334DBB159FB5A21A69D52C3273CD3A6BAC078DEB94A2C1683F
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1162783300
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
1 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
The above is what I received after I run the s_server command. But this only shows the ciphers OpenSSL support. It doesn't show what ciphers Apache is supporting, right? |
|
| Back to top |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
| Posted: Tue 07 Nov '06 4:21 Post subject: Re: Apache 2.2.3 with OpenSSL 0.9.9[dev] |
|
|
| zhiliao wrote: | Has anyone managed to build successfully Apache 2.2.3 with OpenSSL 0.9.9[dev]? I've done so as I need to use OpenSSL 0.9.9[dev] to generate ECC cert. When I tried with openssl s_server, my client (Firefox) could browse to my site running on ECC cert successfully. But when I use my client to connect to my apache web server via 443, my client is getting the error 'Firefox can't connect securely to localhost because the site uses a security protocol which isn't enabled'.
1) Anyone encountered the same problem before? If yes, y and how to solve it?
2) How do I ascertain what ciphers my web server is using other than running openssl ciphers?
Thanks in advance! |
This is the latest log I've got when I set the log level to debug.
[Tue Nov 07 10:18:25 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:25 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:27 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:27 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:28 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:28 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:29 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:29 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:30 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:30 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:30 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:31 2006] [info] Loading certificate & private key of SSL-aware server
[Tue Nov 07 10:18:31 2006] [debug] ssl_engine_pphrase.c(469): unencrypted ECC private key - pass phrase not required
[Tue Nov 07 10:18:33 2006] [info] Configuring server for SSL protocol
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(408): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(608): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Nov 07 10:18:33 2006] [debug] ssl_engine_init.c(784): Configuring ECC server private key
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] Connection to child 249 established (server www.example.com:443)
[Tue Nov 07 10:18:38 2006] [info] Seeding PRNG with 144 bytes of entropy
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1780): OpenSSL: Handshake: start
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1788): OpenSSL: Loop: before/accept initialization
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#53c8f8 [mem: 5d0010] (BIO dump follows)
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0000: 80 6d 01 03 00 00 54 00-00 00 10 .m....T.... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1775): OpenSSL: read 100/100 bytes from BIO#53c8f8 [mem: 5d001b] (BIO dump follows)
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0000: 00 c0 0a 00 c0 14 00 00-39 00 00 38 00 c0 0f 00 ........9..8.... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0010: c0 05 00 00 35 00 c0 07-00 c0 09 00 c0 11 00 c0 ....5........... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0020: 13 00 00 33 00 00 32 00-c0 0c 00 c0 0e 00 c0 02 ...3..2......... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0030: 00 c0 04 00 00 04 00 00-05 00 00 2f 00 c0 08 00 .........../.... |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0040: c0 12 00 00 16 00 00 13-00 c0 0d 00 c0 03 00 fe ................ |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0050: ff 00 00 0a 5b 50 b2 e9-25 9a 13 c4 60 5f 86 5e ....[P..%...`_.^ |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1747): | 0060: 9e 50 2c d8 .P,. |
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1798): OpenSSL: Write: SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1817): OpenSSL: Exit: error in SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [debug] ssl_engine_kernel.c(1817): OpenSSL: Exit: error in SSLv3 read client hello B
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] SSL library error 1 in handshake (server www.example.com:443)
[Tue Nov 07 10:18:38 2006] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
[Tue Nov 07 10:18:38 2006] [info] [client 127.0.0.1] Connection closed to child 249 with abortive shutdown (server www.example.com:443)
I'm puzzled that the loading of cert actually occurred 4 times. Is this normal? |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
| Posted: Wed 08 Nov '06 15:14 Post subject: |
|
|
I just noticed your reply yes its normal I get that too apache for some reason loads the certificates and generates the temporary keys and parameters 4 times I just compiled apache/2.2.3 with openssl/0.9.9.9 and I applied the patch I used an ecdsa certificate with the secp521r1 curve and it worked I was able to connect using firefox 2.0 and s_client check out the logs
| Code: | | [08/Nov/2006:14:45:03 +0300] 127.0.0.1 TLSv1 ECDHE-ECDSA-AES256-SHA "GET / HTTP/1.1" - |
|
|
| Back to top |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
| Posted: Thu 09 Nov '06 3:23 Post subject: |
|
|
| ali_fareed wrote: | I just noticed your reply yes its normal I get that too apache for some reason loads the certificates and generates the temporary keys and parameters 4 times I just compiled apache/2.2.3 with openssl/0.9.9.9 and I applied the patch I used an ecdsa certificate with the secp521r1 curve and it worked I was able to connect using firefox 2.0 and s_client check out the logs
| Code: | | [08/Nov/2006:14:45:03 +0300] 127.0.0.1 TLSv1 ECDHE-ECDSA-AES256-SHA "GET / HTTP/1.1" - |
|
 Why is it that yours work and mine don't.
1)Hmm, are you using OpenSSL 0.9.9[dev]? I'm not aware there's 0.9.9.9?
2) Did you generate the ECDSA certificate from openssl?
3) Any possibility of sending your cert in PKCS12 for me to test?
4) Which release of firefox 2.0 did you tried with? I've tried with firefox 2 beta 1.
5) On what platform did you complied your Apache and OpenSSL on? I'm using W2K server with SP4.
6) I've not edited the default SSLCipherSuite in httpd-ssl.conf. Had you?
I'm trying to see what could be the difference between our configurations.
When running nmake -f ms\ntdll.mak, I've encoutered the error:
.\crypto\bio\b_sock.c(728) : error C2037: left of 'sin6_addr' specifies undefined struct/union 'sockaddr_in6'
.\crypto\bio\b_sock.c(728) : error C2037: left of 'sin6_addr' specifies undefined struct/union 'sockaddr_in6'
.\crypto\bio\b_sock.c(728) : error C2168: 'memset' : too few actual parameters for intrinsic function
.\crypto\bio\b_sock.c(729) : error C2037: left of 'sin6_addr' specifies undefined struct/union 'sockaddr_in6'
and I then commented out line 728 and 729.
I was thinking since I'm using W2K and won't need IPv6, thus commented them out.
I run nmake -f ms\ntdll.mak a second time and error the error:
rc /fo"tmp32dll\libeay32.res" /d CRYPTO ms\version32.rc
link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm5DB.tmp
ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
LIBEAY32.def : error LNK2001: unresolved external symbol IMPLEMENT_ASN1_SET_OF
out32dll\libeay32.lib : fatal error LNK1120: 1 unresolved externals
I then remove IMPLEMENT_ASN1_SET_OF from ms/LIBEAY32.def
Have you encountered these 2 errors? Any impact in what I've done?
Greatly appreciate your advise. Thanks very much!!! |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
| Posted: Thu 09 Nov '06 9:46 Post subject: |
|
|
| I'm using openssl 0.9.9.9[dev] i got it from ftp://ftp.openssl.org/snapshot/. yeah i generated it using openssl. I am away at the moment but i will email you a cert in pkcs12 as soon as i reach home. I got firefox 2.0 from here http://www.mozilla.com/en-US/firefox/. I compiled apache and openssl on a windows xp sp2 using vc 2005 .net but i didnt encounter any errors .I didnt change the ciphersuites |
|
| Back to top |
|
ali_fareed
Joined: 04 Jul 2006
Posts: 61
Location: Bahrain
|
|
| Back to top |
|
zhiliao
Joined: 27 Oct 2006
Posts: 6
|
| Posted: Fri 10 Nov '06 7:54 Post subject: |
|
|
Hi,
I've got the connection working fine now. But am not sure what trigger it to be ok. I just did a new compilation of OpenSSL and Apache (with the projects and patch).
Thanks very much for your help. Knowing someone has got it working definitely motivated me!  |
|
| Back to top |
|
