Closed
Bug 338421
Opened 18 years ago
Closed 18 years ago
Can no longer create SSL session to Cisco VPN concentrator by host name
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: wgianopoulos, Assigned: KaiE)
References
Details
(Keywords: fixed1.8.1, regression)
Attachments
(1 file)
|
899 bytes,
patch
|
KaiE
:
review+
nelson
:
review+
KaiE
:
approval-branch-1.8.1+
|
Details | Diff | Splinter Review |
Cisco VPN concentrators use self generatede SSL certificates for SSL management sessions. Before the code for bug 338058 (which changed the checkout tag from NSS_3_11-20060512_TAG to NSS_3_11_20060515_TAG) I can no longer make an http connection to the concnetrator using Firefox. All attempts result in a pop-up window with the error "Error establishing an encrypted connection to <hostname>. Error code: -12193." There are 2 things odd about the certificates in question. 1. They do not come from a trusted root. They are self issued, 2. The Common name of the certificate is the IP address of the interface, not the hostname. If you connect by IP address it works fine even with the new code. The old code permitted connections either by hostname or ip address. Of course if you connected by hostname it reported a name mismatch on the certificate.
|
Reporter | |
Updated•18 years ago
|
Keywords: regression
|
|
Reporter | |
Comment 1•18 years ago
|
||
(In reply to comment #0) > Cisco VPN concentrators use self generatede SSL certificates for SSL management > sessions. Before the code for bug 338058 (which changed the checkout tag from > NSS_3_11-20060512_TAG to NSS_3_11_20060515_TAG) I can no longer make an http Ooops! I meant bug 337770 (which changed the checkout tag from NSS_3_11_20060403_TAG to NSS_3_11_20060512_TAG). So this fails with NSS_3_11_20060512_TAG as well. Sorry for any confusion and bug SPAM.
|
Assignee | |
Comment 2•18 years ago
|
||
Bill, it would help if you could use ssltap to provide a log of the SSL session, or alternative give us access to ip/port of your system.
|
|
Assignee | |
Comment 3•18 years ago
|
||
SSL_ERROR_DECODE_ERROR_ALERT -12193 "Peer could not decode an SSL handshake message."
|
|
Reporter | |
Comment 4•18 years ago
|
||
ssltap output.
Looking up "bos-link02.ext.ray.com"...
Proxy socket ready and listening
Connection #1 [Thu May 18 12:35:56 2006]
Connected to bos-link02.ext.ray.com:443
--> [
(92 bytes of 87)
SSLRecord { [Thu May 18 12:35:56 2006]
0: 16 03 01 00 57 |....W
type = 22 (handshake)
version = { 3,1 }
length = 87 (0x57)
handshake {
0: 01 00 00 53 |...S
type = 1 (client_hello)
length = 83 (0x000053)
ClientHelloV3 {
client_version = {3, 1}
random = {...}
0: 00 00 3f bd 59 48 7d e6 80 7a 0d 7a 89 ac 27 ed | ..?.YH}..z.z..'.
10: 28 f3 66 20 e7 85 b9 a6 48 9c b8 a5 9b c6 62 6a | (.f ....H.....bj
session ID = {
length = 0
contents = {..}
}
cipher_suites[12] = {
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x0038) TLS/DHE-DSS/AES256-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0004) SSL3/RSA/RC4-128/MD5
(0x0005) SSL3/RSA/RC4-128/SHA
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
compression[1] = { 00 }
extensions[18] = {
extension type server_name, length [14] = {
0: 00 0c 00 00 09 6c 6f 63 61 6c 68 6f 73 74 |.....localhost
}
}
}
}
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Thu May 18 12:35:56 2006]
0: 15 03 01 00 02 |.....
type = 21 (alert)
version = { 3,1 }
length = 2 (0x2)
fatal: decode_error
0: 02 32 |.2
}
]
Read EOF on Server socket. [Thu May 18 12:35:56 2006]
Read EOF on Client socket. [Thu May 18 12:35:58 2006]
Connection 1 Complete [Thu May 18 12:35:58 2006]
|
|
Reporter | |
Comment 5•18 years ago
|
||
ssltrap output from when it worked (createde using Firefox 1.5.0.3)
Looking up "bos-link02.ext.ray.com"...
Proxy socket ready and listening
Connection #1 [Thu May 18 13:07:18 2006]
Connected to bos-link02.ext.ray.com:443
--> [
alloclen = 105 bytes
(105 bytes of 105)
[Thu May 18 13:07:18 2006] [ssl2] ClientHelloV2 {
version = {0x03, 0x01}
cipher-specs-length = 78 (0x4e)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000039) TLS/DHE-RSA/AES256-CBC/SHA
(0x000038) TLS/DHE-DSS/AES256-CBC/SHA
(0x000035) TLS/RSA/AES256-CBC/SHA
(0x000033) TLS/DHE-RSA/AES128-CBC/SHA
(0x000032) TLS/DHE-DSS/AES128-CBC/SHA
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00002f) TLS/RSA/AES128-CBC/SHA
(0x000016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x000015) SSL3/DHE-RSA/DES56-CBC/SHA
(0x000012) SSL3/DHE-DSS/DES56-CBC/SHA
(0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0x542b 0x4752 0xc2bf 0xb4f0 0xc728 0x7911 0xe0b8 0x88c4 }
}
]
<-- [
(752 bytes of 747)
SSLRecord { [Thu May 18 13:07:18 2006]
0: 16 03 01 02 eb |.....
type = 22 (handshake)
version = { 3,1 }
length = 747 (0x2eb)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
0: 44 6c a9 c9 84 27 9d 5f b0 4f e9 8d 29 73 f0 dc | Dl...'._.O..)s..
10: 13 21 5c 18 08 d1 69 16 7e ec 1f a5 86 e4 23 b0 | .!\...i.~.....#.
session ID = {
length = 32
contents = {..}
0: 9f e2 2c 0c 66 59 7e 84 96 61 b6 af 14 c0 e9 7a | ..,.fY~..a.....z
10: d2 02 44 86 a4 10 25 c2 33 29 f1 63 f1 60 50 a2 | ..D...%.3).c.`P.
}
cipher_suite = (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
compression method = 00
}
0: 0b 00 02 99 |....
type = 11 (certificate)
length = 665 (0x000299)
CertificateChain {
chainlength = 662 (0x0296)
Certificate {
size = 659 (0x0293)
data = { saved in file 'cert.001' }
}
}
0: 0e 00 00 00 |....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(7 bytes of 2)
SSLRecord { [Thu May 18 13:07:20 2006]
0: 15 03 01 00 02 |.....
type = 21 (alert)
version = { 3,1 }
length = 2 (0x2)
fatal: bad_certificate
0: 02 2a |.*
}
]
Read EOF on Client socket. [Thu May 18 13:07:20 2006]
Read EOF on Server socket. [Thu May 18 13:07:20 2006]
Connection 1 Complete [Thu May 18 13:07:20 2006]
|
|
Reporter | |
Comment 6•18 years ago
|
||
Better example of it working. Exact same Firefox version built with older NSS. I Also accepted all the certificate erros this time instead of canelling.
Looking up "bos-link02.ext.ray.com"...
Proxy socket ready and listening
Connection #1 [Thu May 18 13:26:15 2006]
Connected to bos-link02.ext.ray.com:443
--> [
(72 bytes of 67)
SSLRecord { [Thu May 18 13:26:15 2006]
0: 16 03 01 00 43 |....C
type = 22 (handshake)
version = { 3,1 }
length = 67 (0x43)
handshake {
0: 01 00 00 3f |...?
type = 1 (client_hello)
length = 63 (0x00003f)
ClientHelloV3 {
client_version = {3, 1}
random = {...}
0: 00 00 4b 88 9d 31 a3 3a 35 e9 f0 4b 8c 98 72 1f | ..K..1.:5..K..r.
10: 58 1b 26 8e 7b 1e 89 79 57 1e 64 35 86 57 a7 62 | X.&.{..yW.d5.W.b
session ID = {
length = 0
contents = {..}
}
cipher_suites[12] = {
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x0038) TLS/DHE-DSS/AES256-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0004) SSL3/RSA/RC4-128/MD5
(0x0005) SSL3/RSA/RC4-128/SHA
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
compression[1] = { 00 }
}
}
}
]
<-- [
(752 bytes of 747)
SSLRecord { [Thu May 18 13:26:15 2006]
0: 16 03 01 02 eb |.....
type = 22 (handshake)
version = { 3,1 }
length = 747 (0x2eb)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
0: 44 6c ae 3a 95 0b d2 dd a4 27 7d 10 2f 69 54 2c | Dl.:.....'}./iT,
10: a0 5a e9 c0 cf eb 11 ef 53 e6 29 fb 51 4e 67 99 | .Z......S.).QNg.
session ID = {
length = 32
contents = {..}
0: 15 00 06 96 b7 ac 5e 01 8e 60 39 01 e1 cf b9 20 | ......^..`9....
10: 26 07 f3 ab b6 80 ba 21 9a 96 0b d5 0e b9 99 e4 | &......!........
}
cipher_suite = (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
compression method = 00
}
0: 0b 00 02 99 |....
type = 11 (certificate)
length = 665 (0x000299)
CertificateChain {
chainlength = 662 (0x0296)
Certificate {
size = 659 (0x0293)
data = { saved in file 'cert.001' }
}
}
0: 0e 00 00 00 |....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(190 bytes of 134, with 51 left over)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 16 03 01 00 86 |.....
type = 22 (handshake)
version = { 3,1 }
length = 134 (0x86)
handshake {
0: 10 00 00 82 |....
type = 16 (client_key_exchange)
length = 130 (0x000082)
ClientKeyExchange {
message = {...}
}
}
}
(190 bytes of 1, with 45 left over)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 14 03 01 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,1 }
length = 1 (0x1)
0: 01 |.
}
(190 bytes of 40)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 16 03 01 00 28 |....(
type = 22 (handshake)
version = { 3,1 }
length = 40 (0x28)
< encrypted >
}
]
<-- [
(6 bytes of 1)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 14 03 01 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,1 }
length = 1 (0x1)
0: 01 |.
}
]
<-- [
(45 bytes of 40)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 16 03 01 00 28 |....(
type = 22 (handshake)
version = { 3,1 }
length = 40 (0x28)
< encrypted >
}
]
--> [
(437 bytes of 432)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 17 03 01 01 b0 |.....
type = 23 (application_data)
version = { 3,1 }
length = 432 (0x1b0)
< encrypted >
}
]
<-- [
(77 bytes of 72)
SSLRecord { [Thu May 18 13:26:18 2006]
0: 17 03 01 00 48 |....H
type = 23 (application_data)
version = { 3,1 }
length = 72 (0x48)
< encrypted >
}
]
Read EOF on Server socket. [Thu May 18 13:26:18 2006]
--> [
(29 bytes of 24)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 15 03 01 00 18 |.....
type = 21 (alert)
version = { 3,1 }
length = 24 (0x18)
< encrypted >
}
]
Read EOF on Client socket. [Thu May 18 13:26:19 2006]
Connection 1 Complete [Thu May 18 13:26:19 2006]
Connection #2 [Thu May 18 13:26:19 2006]
Connected to bos-link02.ext.ray.com:443
--> [
(104 bytes of 99)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 16 03 01 00 63 |....c
type = 22 (handshake)
version = { 3,1 }
length = 99 (0x63)
handshake {
0: 01 00 00 5f |..._
type = 1 (client_hello)
length = 95 (0x00005f)
ClientHelloV3 {
client_version = {3, 1}
random = {...}
0: 00 00 4b 8c 0a 38 65 57 f2 57 13 47 bb 3a 83 da | ..K..8eW.W.G.:..
10: 39 a6 a2 d1 ef af 99 ab 2a 11 b9 9b 3c 32 a1 e4 | 9.......*...<2..
session ID = {
length = 32
contents = {..}
0: 15 00 06 96 b7 ac 5e 01 8e 60 39 01 e1 cf b9 20 | ......^..`9....
10: 26 07 f3 ab b6 80 ba 21 9a 96 0b d5 0e b9 99 e4 | &......!........
}
cipher_suites[12] = {
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x0038) TLS/DHE-DSS/AES256-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0004) SSL3/RSA/RC4-128/MD5
(0x0005) SSL3/RSA/RC4-128/SHA
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA
(0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
}
compression[1] = { 00 }
}
}
}
]
<-- [
(85 bytes of 74, with 6 left over)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 16 03 01 00 4a |....J
type = 22 (handshake)
version = { 3,1 }
length = 74 (0x4a)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
0: 44 6c ae 3e 0e e3 ab 24 fe 55 df 90 1d d5 59 7e | Dl.>...$.U....Y~
10: a3 0f 67 2c 20 ee 91 18 2f 9c c6 c4 c1 7e 33 b6 | ..g, .../....~3.
session ID = {
length = 32
contents = {..}
0: 15 00 06 96 b7 ac 5e 01 8e 60 39 01 e1 cf b9 20 | ......^..`9....
10: 26 07 f3 ab b6 80 ba 21 9a 96 0b d5 0e b9 99 e4 | &......!........
}
cipher_suite = (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA
compression method = 00
}
}
}
(85 bytes of 1)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 14 03 01 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,1 }
length = 1 (0x1)
0: 01 |.
}
]
<-- [
(45 bytes of 40)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 16 03 01 00 28 |....(
type = 22 (handshake)
version = { 3,1 }
length = 40 (0x28)
< encrypted >
}
]
--> [
(416 bytes of 1, with 410 left over)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 14 03 01 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,1 }
length = 1 (0x1)
0: 01 |.
}
(416 bytes of 40, with 365 left over)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 16 03 01 00 28 |....(
type = 22 (handshake)
version = { 3,1 }
length = 40 (0x28)
< encrypted >
}
(416 bytes of 360)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 17 03 01 01 68 |....h
type = 23 (application_data)
version = { 3,1 }
length = 360 (0x168)
< encrypted >
}
]
<-- [
(77 bytes of 72)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 17 03 01 00 48 |....H
type = 23 (application_data)
version = { 3,1 }
length = 72 (0x48)
< encrypted >
}
]
Read EOF on Server socket. [Thu May 18 13:26:19 2006]
--> [
(29 bytes of 24)
SSLRecord { [Thu May 18 13:26:19 2006]
0: 15 03 01 00 18 |.....
type = 21 (alert)
version = { 3,1 }
length = 24 (0x18)
< encrypted >
}
]
Read EOF on Client socket. [Thu May 18 13:26:19 2006]
Connection 2 Complete [Thu May 18 13:26:19 2006]
|
|
Reporter | |
Comment 7•18 years ago
|
||
From the above, it would appear that if the server returns a decode-error, falling back to retrying without using the server_name extension would fix this condition. That said, I am not sure how many other SSL implementations this might effect, so I am not sure it is worth fixing if the actions of this server are in violation of the specification.
|
||
Comment 8•18 years ago
|
||
SSL_ERROR_DECODE_ERROR_ALERT -12193 "Peer could not decode an SSL handshake message." That error says nothing about certificates. You have encountered a "TLS intolerant" server. PSM (the mozilla client code that interfaces with NSS) is supposed to detect this, and retry using only SSL3, with TLS disabled. That will ensure that TLS hello extensions are not used. Apparently in this case, PSM did not do that. So, I'm going to ask the PSM developer to look at this.
|
|
Reporter | |
Comment 9•18 years ago
|
||
This fixes the issue for me. It is pretty straightforward. It just adds this error code to the list of error codes the TLS intolerant servers might be expected to return.
Attachment #222571 -
Flags: review?
|
|
Reporter | |
Updated•18 years ago
|
Attachment #222571 -
Flags: review? → review?(kengert)
|
|
Assignee | |
Comment 10•18 years ago
|
||
Comment on attachment 222571 [details] [diff] [review] patch v1 Sounds good to me, thanks for the patch. r=kengert Nelson, as you made that suggestion, I assume it's ok to retry with TLS disabled whenever we encounter SSL_ERROR_DECODE_ERROR_ALERT.
Attachment #222571 -
Flags: review?(kengert) → review+
|
|
Assignee | |
Updated•18 years ago
|
Attachment #222571 -
Flags: approval-branch-1.8.1+
|
|
||
Comment 11•18 years ago
|
||
Comment on attachment 222571 [details] [diff] [review] patch v1 > Nelson, as you made that suggestion, I assume it's ok to retry with TLS > disabled whenever we encounter SSL_ERROR_DECODE_ERROR_ALERT. Yes, I believe it is.
Attachment #222571 -
Flags: review+
|
|
Reporter | |
Comment 12•18 years ago
|
||
(In reply to comment #9) > Created an attachment (id=222571) [edit] > patch v1 Here is another ssltap output showing the retry after this error condition working correctly. Looking up "bos-link02.ext.ray.com"... Proxy socket ready and listening Connection #1 [Thu May 18 22:24:16 2006] Connected to bos-link02.ext.ray.com:443 --> [ (92 bytes of 87) SSLRecord { [Thu May 18 22:24:16 2006] 0: 16 03 01 00 57 |....W type = 22 (handshake) version = { 3,1 } length = 87 (0x57) handshake { 0: 01 00 00 53 |...S type = 1 (client_hello) length = 83 (0x000053) ClientHelloV3 { client_version = {3, 1} random = {...} 0: 00 00 28 27 2c f9 50 b5 06 b1 1e ae 36 94 c7 d3 | ..(',.P.....6... 10: c1 1a 91 35 54 4a eb ad b3 25 f1 28 48 c7 67 45 | ...5TJ...%.(H.gE session ID = { length = 0 contents = {..} } cipher_suites[12] = { (0x0039) TLS/DHE-RSA/AES256-CBC/SHA (0x0038) TLS/DHE-DSS/AES256-CBC/SHA (0x0035) TLS/RSA/AES256-CBC/SHA (0x0033) TLS/DHE-RSA/AES128-CBC/SHA (0x0032) TLS/DHE-DSS/AES128-CBC/SHA (0x0004) SSL3/RSA/RC4-128/MD5 (0x0005) SSL3/RSA/RC4-128/SHA (0x002f) TLS/RSA/AES128-CBC/SHA (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA } compression[1] = { 00 } extensions[18] = { extension type server_name, length [14] = { 0: 00 0c 00 00 09 6c 6f 63 61 6c 68 6f 73 74 |.....localhost } } } } } ] <-- [ (7 bytes of 2) SSLRecord { [Thu May 18 22:24:16 2006] 0: 15 03 01 00 02 |..... type = 21 (alert) version = { 3,1 } length = 2 (0x2) fatal: decode_error 0: 02 32 |.2 } ] Read EOF on Server socket. [Thu May 18 22:24:16 2006] Read EOF on Client socket. [Thu May 18 22:24:16 2006] Connection 1 Complete [Thu May 18 22:24:16 2006] Connection #2 [Thu May 18 22:24:16 2006] Connected to bos-link02.ext.ray.com:443 --> [ (72 bytes of 67) SSLRecord { [Thu May 18 22:24:16 2006] 0: 16 03 00 00 43 |....C type = 22 (handshake) version = { 3,0 } length = 67 (0x43) handshake { 0: 01 00 00 3f |...? type = 1 (client_hello) length = 63 (0x00003f) ClientHelloV3 { client_version = {3, 0} random = {...} 0: 00 00 28 27 9a 30 bf 0c 4d 1a 34 bf b7 3f 91 66 | ..('.0..M.4..?.f 10: d9 8d 16 46 0e f8 f8 f4 22 05 e2 81 15 20 f0 30 | ...F....".... .0 session ID = { length = 0 contents = {..} } cipher_suites[12] = { (0x0039) TLS/DHE-RSA/AES256-CBC/SHA (0x0038) TLS/DHE-DSS/AES256-CBC/SHA (0x0035) TLS/RSA/AES256-CBC/SHA (0x0033) TLS/DHE-RSA/AES128-CBC/SHA (0x0032) TLS/DHE-DSS/AES128-CBC/SHA (0x0004) SSL3/RSA/RC4-128/MD5 (0x0005) SSL3/RSA/RC4-128/SHA (0x002f) TLS/RSA/AES128-CBC/SHA (0x0016) SSL3/DHE-RSA/3DES192EDE-CBC/SHA (0x0013) SSL3/DHE-DSS/DES192EDE3CBC/SHA (0xfeff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA } compression[1] = { 00 } } } } ] <-- [ (752 bytes of 747) SSLRecord { [Thu May 18 22:24:16 2006] 0: 16 03 00 02 eb |..... type = 22 (handshake) version = { 3,0 } length = 747 (0x2eb) handshake { 0: 02 00 00 46 |...F type = 2 (server_hello) length = 70 (0x000046) ServerHello { server_version = {3, 0} random = {...} 0: 44 6d 2c 51 62 af 4e 2d a7 85 58 da 9e 19 24 97 | Dm,Qb.N-..X...$. 10: e8 68 08 63 9f de d2 2e 62 18 ac 80 3f 02 92 04 | .h.c....b...?... session ID = { length = 32 contents = {..} 0: e8 c1 c0 ae 2f 96 01 57 76 14 89 14 35 f3 fe c1 | ..../..Wv...5... 10: 9f f1 1c d3 d1 0a b4 88 36 3b 9e 20 97 e1 4d f6 | ........6;. ..M. } cipher_suite = (0x000a) SSL3/RSA/3DES192EDE-CBC/SHA compression method = 00 } 0: 0b 00 02 99 |.... type = 11 (certificate) length = 665 (0x000299) CertificateChain { chainlength = 662 (0x0296) Certificate { size = 659 (0x0293) data = { saved in file 'cert.001' } } } 0: 0e 00 00 00 |.... type = 14 (server_hello_done) length = 0 (0x000000) } } ] --> [ (7 bytes of 2) SSLRecord { [Thu May 18 22:24:18 2006] 0: 15 03 00 00 02 |..... type = 21 (alert) version = { 3,0 } length = 2 (0x2) fatal: bad_certificate 0: 02 2a |.* } ] Read EOF on Client socket. [Thu May 18 22:24:18 2006] Read EOF on Server socket. [Thu May 18 22:24:18 2006] Connection 2 Complete [Thu May 18 22:24:18 2006]
|
|
Assignee | |
Comment 13•18 years ago
|
||
thanks, fixed on trunk
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•