Welcome to A!Die Software Studio
After configuring client certificates in Apache, both Chrome and Firefox can access the site normally.
Only IE still fails:
It prompts for a certificate:
After clicking OK, a connection error appears:
The server-side log at debug level records the following:
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection to child 12 established (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:19 2011] [info] Seeding PRNG with 144 bytes of entropy
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 11/11 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0] (BIO dump follows)
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 16 03 03 00 a2 01 00 00-9e 03 03 ........... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 156/156 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffbb] (BIO dump follows)
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 4d 95 94 c0 89 a3 72 7a-b7 ea d5 c0 8e 05 92 0b M.....rz........ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0010: 13 49 b0 76 90 27 ec e3-72 44 32 5e fe 16 b6 df .I.v.'..rD2^.... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0020: 00 00 2a 00 3c 00 2f 00-3d 00 35 00 05 00 0a c0 ..*.<./.=.5..... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0030: 27 c0 13 c0 14 c0 2b c0-23 c0 2c c0 24 c0 09 c0 '.....+.#.,.$... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0040: 0a 00 40 00 32 00 6a 00-38 00 13 00 04 01 00 00 ..@.2.j.8....... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0050: 4b ff 01 00 01 00 00 00-00 15 00 13 00 00 10 XX K..............x |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0060: XX XX XX XX XX XX XX 6f-72 64 65 2e 63 6f 6d 00 xxx.xxxxxx.com. |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0070: 05 00 05 01 00 00 00 00-00 0a 00 06 00 04 00 17 ................ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0080: 00 18 00 0b 00 02 01 00-00 0d 00 10 00 0e 04 01 ................ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0090: 05 01 02 01 04 03 05 03-02 03 02 02 ............ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 read client hello A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write server hello A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate request A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 flush data
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 5 bytes expected to read on BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0]
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection closed to child 12 with abortive shutdown (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection to child 9 established (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:21 2011] [info] Seeding PRNG with 144 bytes of entropy
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 11 bytes expected to read on BIO#2b1a01b90570 [mem: 2b1a01d32d10]
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection closed to child 9 with abortive shutdown (server xxxx.xxxxx.com:443)
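The two BIO dumps above (11 + 156 bytes) are the complete ClientHello that IE sent before the server answered with its certificate and a CertificateRequest. Decoding it shows exactly what the client offered (protocol version, cipher suites, SNI, signature algorithms), which is the first thing to compare against the SSLProtocol and SSLCipherSuite settings when a client-certificate handshake dies. The parser below is an added example, not code from the original post; the bytes are transcribed from the log, except that the masked "XX" host-name bytes are replaced with the constructed 16-byte placeholder "example-host.com", and the "allowed" suite set passed to common_suites is illustrative, not derived from the post's SSLCipherSuite string.

```python
# Added example (not from the original post): decode the ClientHello that
# mod_ssl dumped in the debug log, so what the client offered can be compared
# with what the server's SSLProtocol / SSLCipherSuite settings allow.
# Bytes transcribed from the log's two BIO dumps (11 + 156 bytes); the masked
# "XX" host-name bytes are replaced with a constructed 16-byte placeholder.
import struct

CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 03 00 a2 01 00 00 9e 03 03"                    # record hdr, handshake hdr, version
    "4d 95 94 c0 89 a3 72 7a b7 ea d5 c0 8e 05 92 0b"     # client random (32 bytes)
    "13 49 b0 76 90 27 ec e3 72 44 32 5e fe 16 b6 df"
    "00 00 2a 00 3c 00 2f 00 3d 00 35 00 05 00 0a c0"     # session id len, cipher suites
    "27 c0 13 c0 14 c0 2b c0 23 c0 2c c0 24 c0 09 c0"
    "0a 00 40 00 32 00 6a 00 38 00 13 00 04 01 00 00"     # ..., compression, ext len
    "4b ff 01 00 01 00 00 00 00 15 00 13 00 00 10"        # renegotiation_info, SNI header
) + b"example-host.com" + bytes.fromhex(                  # constructed placeholder host name
    "00 05 00 05 01 00 00 00 00 00 0a 00 06 00 04 00 17"  # status_request, supported_groups
    "00 18 00 0b 00 02 01 00 00 0d 00 10 00 0e 04 01"     # ec_point_formats, signature_algorithms
    "05 01 02 01 04 03 05 03 02 03 02 02"
)

TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
EXT_NAMES = {0x0000: "server_name", 0x0005: "status_request", 0x000a: "supported_groups",
             0x000b: "ec_point_formats", 0x000d: "signature_algorithms",
             0xff01: "renegotiation_info"}
HASHES = {2: "sha1", 4: "sha256", 5: "sha384"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SUITE_NAMES = {  # IANA names for the suites this client offers
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003d: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0040: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", 0x006a: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    0xc009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 0xc00a: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xc023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0xc024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xc027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xc02b: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0xc02c: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello and return its fields as a dict."""
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    body, pos = hs[4:], 0
    client_version = (body[0], body[1]); pos = 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1 + sid_len           # session id (empty in this hello)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = list(struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])); pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len         # compression methods (null only)
    info = {"record_version": TLS_VERSIONS.get((vmaj, vmin)),
            "client_version": TLS_VERSIONS.get(client_version),
            "client_random": client_random.hex(), "session_id_len": sid_len,
            "cipher_suites": suites, "extensions": [], "sni": None, "sigalgs": []}
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    if pos + ext_len != len(body):
        raise ValueError("extension block length mismatch")
    while pos < len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        info["extensions"].append(EXT_NAMES.get(etype, "0x%04x" % etype))
        if etype == 0x0000:
            # ServerNameList: u16 list len, u8 name type (0 = host_name), u16 name len, name
            (name_len,) = struct.unpack("!H", edata[3:5])
            info["sni"] = edata[5:5 + name_len].decode("ascii")
        elif etype == 0x000d:
            # u16 list len, then (hash, signature) byte pairs
            info["sigalgs"] = [(HASHES.get(h, h), SIGS.get(s, s))
                               for h, s in zip(edata[2::2], edata[3::2])]
    return info


def common_suites(info, server_allowed):
    """Suites the client offered that the server also accepts, in client preference order."""
    return [SUITE_NAMES.get(s, "0x%04x" % s) for s in info["cipher_suites"] if s in server_allowed]


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO_RECORD)
    print("client version:", hello["client_version"], "| SNI:", hello["sni"])
    print("extensions:", ", ".join(hello["extensions"]))
    for s in hello["cipher_suites"]:
        print("  ", SUITE_NAMES.get(s, "0x%04x" % s))
    # Illustrative allowed set, not derived from the post's SSLCipherSuite string
    print("usable:", common_suites(hello, {0x002f, 0x0035, 0x000a, 0x0005}))
```

Running it shows a TLS 1.2 hello with 21 suites, an SNI entry, and the renegotiation_info and signature_algorithms extensions. Since the log shows the server got as far as "write certificate request" and then read EOF, the offer itself was acceptable to the server; the decode is mainly useful to rule out a version or cipher mismatch and to confirm that the client's signature algorithms include one the client certificate's key type can satisfy.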
Judging by the description at http://lamp.linux.gov.cn/Apache/ApacheMenu/ssl/ssl_faq.html, MSIE really is full of bugs, but I tried the three methods it gives:
1. SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
2. SSLProtocol all -SSLv3
3. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
and none of them worked.
Following the description in https://bugzilla.redhat.com/show_bug.cgi?id=610095, I also tried
SSLInsecureRenegotiation on
but that did not work either.
Server: CentOS release 5.5 (Final) Linux 2.6.18-194.el5 x86_64 + Apache (httpd.x86_64 2.2.3-43.el5.centos.3) + mod_ssl.x86_64 (1:2.2.3-43.el5.centos.3) + openssl.x86_64 (0.9.8e-12.el5_5.7)
Relevant configuration:
Listen 488
<VirtualHost _default_:488>
...
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /srv/cert/server.crt
SSLCertificateKeyFile /srv/cert/server_nopass.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /srv/cert/ca.crt
</VirtualHost>