Forum OpenACS Q&A: nsopenssl error EOF during ssl handshake
In the meantime I turned my log trace on to check what is happening.
I found it behaved correctly for client browsers IE6 and Netscape7.
But it gave the error "EOF during ssl handshake" and restarted AOLserver abruptly for client browsers IE5 and Netscape4.
Also I noticed that during initialisation it says:
*******************************************************************************
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerCAFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca.pem
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: CA certificate directory does not exist
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerSessionCache = 0
*************************************************************************
My config file for nsopenssl is as below:
ns_section ns/server/iunctura1/module/nsssl
ns_param ServerPort 443
ns_param Hostname www.anuvas.com
ns_param ServerHostname www.anuvas.com
ns_param ServerAddress 216.234.242.92
ns_param ServerCertFile /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/certificate.pem
ns_param ServerKeyFile /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/key.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache false
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify true
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ServerTrace true
ns_param SockClientCertFile /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/certificate.pem
ns_param SockClientKeyFile /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/key.pem
ns_param SockClientProtocols "SSLv2, SSLv3, TLSv1"
ns_param SockClientCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockClientSessionCache false
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify true
ns_param SockServerPeerVerifyDepth 3
ns_param SockClientCADir ca
ns_param SockClientCAFile ca.pem
ns_param SockClientTrace true
ns_param ModuleDir /usr/local/aolserver/servers/iunctura1/modules/nsopenssl
ns_section ns/server/iunctura1/modules
ns_param nsperm nsperm.so
ns_param nssock nssock.so
ns_param nslog nslog.so
ns_param nssha1 nssha1.so
ns_param nscache nscache.so
ns_param verisign verisign.so
ns_param nsssl nsopenssl.so
ns_section ns/server/iunctura1/module/nsssl
to
ns_section ns/server/iunctura1/module/nsopenssl
ns_param nsssl nsopenssl.so
to
ns_param nsopenssl nsopenssl.so
I did what you have done the first time and Bart corrected me. There is a thread about it - but I think it is for the benefit of the request processor.
Maybe that will help - a start anyway.
Regards
Richard
I changed the config parameters but it still didn't work out.
I do not know why it is happening with IE5 only.
With all other browsers it works well.
Is the bug in the nsopenssl lib or in my installation?
I went through the nsopenssl lib but it seems OK.
Thanks
Amol
OK sorry, I missed this last time - you posted :
*******************************************************************************
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerCAFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca.pem
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: CA certificate directory does not exist
[14/Feb/2003:03:14:22][20736.8192][-main-] Notice: nsssl: ServerSessionCache = 0
*************************************************************************
This is telling you that you need the directory you have specified set up to contain the certificate authority certificate (i.e. a ca.pem). You need a cert.pem and a key.pem in:
/usr/local/aolserver/servers/iunctura1/modules/nsopenssl
and a ca.pem file in the directory you specified here :
ServerCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
so create :
/usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca/
...and then put ca.pem into it. Be sure to check that they are readable by nsadmin. Try that and let me know.
I have no idea why the problem is related only to IE5, that sounds like an issue on the client machines to me as the https protocol should be consistent.
Richard
also try this:
a) disable SSLv3
b) use this Cipher Suite:
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
and
c)
Set
ns_param ServerSessionCache false
to
ns_param ServerSessionCache true
as is written in some FAQ: "And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connection with those MSIE versions only work if a SSL session cache is used"
Validate that you created the keys with "correct" bit sizes; e.g. I myself once created a private key with a key size of 1048 bits instead of 1024, a small typo... But some - not all - browsers could not connect to the site anymore 😊
Regards,
Bernd.
I made the changes as told by you.
But the thing is still not working.
By the way, see the log below at the point of error:
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: before/accept initialization
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: before/accept initialization
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: SSLv2/v3 read client hello A
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: SSLv3 read client hello A
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: SSLv3 write server hello A
[17/Feb/2003:03:24:19][31761.188422][-conn10-] Notice: nsssl: trace: nsdserver: SSLv3 write certificate A
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsmain: AOLserver/3.2+ad10 starting
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsmain: security info: uid=509, euid=509, gid=515, egid=515
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsmain: max files: FD_SETSIZE = 1024, rl_cur = 1024, rl_max = 1024
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]logexpanded = off
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]dev = off
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]debug = off
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]maxbackup = 10
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]stacksize = 500000
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/threads]stacksize = 500000
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/threads]mutexmeter = off
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]shutdowntimeout = 20
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]iobufsize = 16000
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]schedmaxelapsed = 2
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]listenbacklog = 32
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: conf: [ns/parameters]dnscache = on
************************************************************************************
skipping ........
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: modload: loading '/usr/local/aol32/bin/nscache.so'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nscache module version @VER@
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: modload: loading '/usr/local/aol32/bin/verisign.so'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: modload: loading '/usr/local/aol32/bin/nsopenssl.so'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: Module directory set by ModuleDir to /usr/local/aolserver/servers/iunctura1/modules/nsopenssl
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerPeerVerify = 0
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerTrace = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerProtocols = SSLv2, TLSv1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using SSLv2 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using TLSv1 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerCipherSuite = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerCertFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/certificate.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerKeyFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/key.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerCAFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerSessionCache = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerSessionCacheId = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerSessionTimeout = 300
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerSessionCacheSize = 512
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerPeerVerify = 0
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerTrace = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerProtocols = SSLv2, TLSv1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using SSLv2 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using TLSv1 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerCipherSuite = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerCertFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/certificate.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerKeyFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/key.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerCAFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerSessionCache = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerSessionCacheId = 2
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerSessionTimeout = 300
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockServerSessionCacheSize = 128
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientPeerVerify = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientPeerVerifyDepth = 10
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientTrace = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientProtocols = SSLv2, TLSv1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using SSLv2 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: Using TLSv1 protocol
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientCipherSuite = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientCertFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/certificate.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientKeyFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/key.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientCAFile = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca.pem
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientCADir = /usr/local/aolserver/servers/iunctura1/modules/nsopenssl/ca
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientSessionCache = 1
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientSessionCacheId = 3
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientSessionTimeout = 300
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: SockClientSessionCacheSize = 512
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerAddress = 216.234.242.92
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerHostname = www.anuvas.com
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerPort = 443
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerLocation = (null)
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: location https://www.anuvas.com
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerSockTimeout = 30
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: nsssl: ServerBufferSize = 16384
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: tclinit: sourcing '/usr/local/aol32/modules/tcl/init.tcl'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: tclinit: sourcing '/usr/local/aol32/modules/tcl/charsets.tcl'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: tclinit: sourcing '/usr/local/aol32/modules/tcl/debug.tcl'
[17/Feb/2003:03:24:19][32384.8192][-main-] Notice: tclinit: sourcing '/usr/local/aol32/modules/tcl/fastpath.tcl'
Please let me know if you find anything wrong.
Regards
Amol
Finally the problem is solved...
I restricted SSL to SSLv2 only.
Thank you very much Richard and Bernd.
Finally my config file looks as below:
ns_section ns/server/iunctura1/module/nsssl
ns_param ServerPort 443
ns_param Hostname www.xyz.com
ns_param ServerHostname www.xyz.com
ns_param ServerAddress 216.234.242.92
ns_param ServerCertFile /usr/local/aolserver/servers/virserver/modules/nsopenssl/certificate.pem
ns_param ServerKeyFile /usr/local/aolserver/servers/virserver/modules/nsopenssl/key.pem
ns_param ServerProtocols "SSLv2"
ns_param ServerCipherSuite "SSLv2:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCache true
ns_param ServerSessionCacheID 1
ns_param ServerSessionCacheSize 512
ns_param SockServerPeerVerify false
ns_param SockServerTrace true
ns_param SockServerProtocols "SSLv2"
ns_param SockServerCipherSuite "SSLv2:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param ServerSessionCacheTimeout 300
ns_param ServerPeerVerify false
ns_param ServerPeerVerifyDepth 3
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ServerTrace true
ns_param SockClientCertFile /usr/local/aolserver/servers/virserver/modules/nsopenssl/certificate.pem
ns_param SockClientKeyFile /usr/local/aolserver/servers/virserver/modules/nsopenssl/key.pem
ns_param SockClientProtocols "SSLv2"
ns_param SockClientCipherSuite "SSLv2:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
ns_param SockClientSessionCache true
ns_param SockClientSessionCacheID 3
ns_param SockClientSessionCacheSize 512
ns_param SockClientSessionCacheTimeout 300
ns_param SockClientPeerVerify false
ns_param SockServerPeerVerifyDepth 3
ns_param SockClientCADir ca
ns_param SockClientCAFile ca.pem
ns_param SockClientTrace true
ns_param ModuleDir /usr/local/aolserver/servers/virserver/modules/nsopenssl
ns_section ns/server/virserver/modules
ns_param nsperm nsperm.so
ns_param nssock nssock.so
ns_param nslog nslog.so
ns_param nssha1 nssha1.so
ns_param nscache nscache.so
ns_param verisign verisign.so
ns_param nsssl nsopenssl.so
/Amol
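As an added example for the checks Richard and Bernd describe above (a ServerCADir/ca.pem that does not exist, files unreadable by the server user, a key generated with a non-standard bit size) and for the closing configuration, the following Python linter is editor-supplied code, not code from the thread, from OpenACS or from nsopenssl. It parses one ns_section, resolves a relative ServerCADir/ServerCAFile under ModuleDir (the relation the startup log above shows), checks that the files exist and are readable, reads the RSA modulus size out of the PEM key, and flags a ServerProtocols list that still permits SSLv2. Everything it runs over is constructed inline: the config text, a temporary directory, and a dummy PKCS#1 key that has the right ASN.1 structure but filler values. The SSLv2 check is the caveat a practitioner would add today: SSLv2 is a broken protocol whose use is prohibited by RFC 6176, so restricting the server to SSLv2 alone, as the closing post does, makes the old browsers connect at the cost of the transport's actual security.

```python
"""Lint an nsopenssl ns_section for the problems discussed in this thread.
Added example, not code from the thread or from nsopenssl/AOLserver; stdlib only.
The config text, temp directory and RSA key below are constructed for the demo;
the key is a structurally valid PKCS#1 blob with filler values, not a usable key."""
import base64
import os
import re
import tempfile

# Sizes a CA or browser of the era accepts; 1048 or 1023 is almost certainly a typo.
STANDARD_RSA_BITS = {1024, 2048, 3072, 4096}

def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v: int) -> bytes:
    """DER INTEGER, with a leading 0x00 when the high bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def dummy_rsa_pem(bits: int) -> str:
    """Constructed PKCS#1 RSAPrivateKey whose modulus is exactly `bits` long.
    Only the modulus matters to the size check; the other seven INTEGERs are filler."""
    n = (1 << (bits - 1)) | 1
    body = der_int(0) + der_int(n) + b"".join(der_int(1) for _ in range(7))
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % lines

def rsa_modulus_bits(pem: str) -> int:
    """Bit length of the modulus in a PKCS#1 PEM key: SEQUENCE { version, n, ... }."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

    def read_len(p):  # -> (length, offset of the first value byte)
        if der[p] < 0x80:
            return der[p], p + 1
        k = der[p] & 0x7F
        return int.from_bytes(der[p + 1:p + 1 + k], "big"), p + 1 + k

    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = read_len(1)            # skip the outer SEQUENCE header
    vlen, pos = read_len(pos + 1)   # version INTEGER: skip its tag, length, value
    pos += vlen
    if der[pos] != 0x02:
        raise ValueError("expected modulus INTEGER")
    nlen, pos = read_len(pos + 1)
    return int.from_bytes(der[pos:pos + nlen], "big").bit_length()

def parse_section(text: str, section: str) -> dict:
    """Collect the ns_param key/value pairs of one ns_section (quotes stripped)."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ns_section"):
            inside = line.split()[1] == section
        elif inside and line.startswith("ns_param"):
            m = re.match(r'ns_param\s+(\S+)\s+"?([^"]*)"?\s*$', line)
            if m:
                params[m.group(1)] = m.group(2).strip()
    return params

def lint(params: dict) -> list:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings, moddir = [], params.get("ModuleDir", "")
    for key in ("ServerCertFile", "ServerKeyFile", "ServerCAFile", "ServerCADir"):
        val = params.get(key)
        if not val:
            continue
        path = val if os.path.isabs(val) else os.path.join(moddir, val)  # relative => under ModuleDir
        if not os.path.exists(path):
            findings.append(f"{key}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            findings.append(f"{key}: {path} is not readable by this uid (check as the server user)")
        elif key == "ServerKeyFile":
            with open(path) as fh:
                bits = rsa_modulus_bits(fh.read())
            if bits not in STANDARD_RSA_BITS:
                findings.append(f"ServerKeyFile: unusual modulus size {bits} bits (typo?)")
    protos = [p.strip() for p in params.get("ServerProtocols", "").split(",") if p.strip()]
    if "SSLv2" in protos:
        findings.append("ServerProtocols: SSLv2 enabled; it is broken and prohibited by RFC 6176")
    return findings

def demo() -> list:
    """Constructed config mirroring the thread: cert and key present, the key made
    with 1048 bits, ca/ and ca.pem missing, SSLv2 still allowed."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "key.pem"), "w") as fh:
        fh.write(dummy_rsa_pem(1048))
    with open(os.path.join(tmp, "certificate.pem"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nMA==\n-----END CERTIFICATE-----\n")
    config = f"""ns_section ns/server/iunctura1/module/nsssl
ns_param ServerCertFile {tmp}/certificate.pem
ns_param ServerKeyFile {tmp}/key.pem
ns_param ServerProtocols "SSLv2, SSLv3, TLSv1"
ns_param ServerCADir ca
ns_param ServerCAFile ca.pem
ns_param ModuleDir {tmp}
ns_section ns/server/iunctura1/modules
ns_param nsssl nsopenssl.so"""
    return lint(parse_section(config, "ns/server/iunctura1/module/nsssl"))
```

Run it as the user AOLserver runs as (uid 509 in the log above), because os.access answers for the caller, not for nsadmin. Resolving a bare "ca" or "ca.pem" under ModuleDir reproduces what the startup log printed (ServerCADir = .../nsopenssl/ca), which is why the "CA certificate directory does not exist" notice appeared even though the parameter looked fine in the config.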