adie's blog

Can't get it working, damn IE!

2011-04-01 16:50:35

After configuring client certificates on Apache, Chrome and Firefox both connect fine.

Only IE still doesn't work:

It prompts for a certificate:

After I click OK, a connection error appears:

The server-side log at debug level records the following:

[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection to child 12 established (server xxxx.xxxxxx.com:443)

[Fri Apr 01 17:02:19 2011] [info] Seeding PRNG with 144 bytes of entropy

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 11/11 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0] (BIO dump follows)

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 16 03 03 00 a2 01 00 00-9e 03 03                 ...........      |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 156/156 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffbb] (BIO dump follows)

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 4d 95 94 c0 89 a3 72 7a-b7 ea d5 c0 8e 05 92 0b  M.....rz........ |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0010: 13 49 b0 76 90 27 ec e3-72 44 32 5e fe 16 b6 df  .I.v.'..rD2^.... |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0020: 00 00 2a 00 3c 00 2f 00-3d 00 35 00 05 00 0a c0  ..*.<./.=.5..... |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0030: 27 c0 13 c0 14 c0 2b c0-23 c0 2c c0 24 c0 09 c0  '.....+.#.,.$... |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0040: 0a 00 40 00 32 00 6a 00-38 00 13 00 04 01 00 00  ..@.2.j.8....... |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0050: 4b ff 01 00 01 00 00 00-00 15 00 13 00 00 10 XX  K..............x |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0060: XX XX XX XX XX XX XX 6f-72 64 65 2e 63 6f 6d 00  xxx.xxxxxx.com. |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0070: 05 00 05 01 00 00 00 00-00 0a 00 06 00 04 00 17  ................ |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0080: 00 18 00 0b 00 02 01 00-00 0d 00 10 00 0e 04 01  ................ |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0090: 05 01 02 01 04 03 05 03-02 03 02 02              ............     |

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 read client hello A

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write server hello A

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate A

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate request A

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 flush data

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 5 bytes expected to read on BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0]

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A

[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A

[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection closed to child 12 with abortive shutdown (server xxxx.xxxxxx.com:443)

[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection to child 9 established (server xxxx.xxxxxx.com:443)

[Fri Apr 01 17:02:21 2011] [info] Seeding PRNG with 144 bytes of entropy

[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start

[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization

[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 11 bytes expected to read on BIO#2b1a01b90570 [mem: 2b1a01d32d10]

[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read client hello A

[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection closed to child 9 with abortive shutdown (server xxxx.xxxxx.com:443)
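The mod_ssl dump above contains the complete ClientHello that IE sent: the 11-byte and 156-byte BIO reads together form one 167-byte TLS record. The Python script below is an added example, not code from the original post. It re-assembles those bytes, parses the ClientHello and reports what the client offered. The hostname inside the server_name extension is redacted on the page ("XX ..."), so `host.example.com` (16 bytes, the same length as the redacted name) is a constructed stand-in; every other byte is copied from the dump. Decoded, the record and client versions are 0x0303, i.e. TLS 1.2, and the hello carries TLS 1.2-only cipher suites plus the signature_algorithms extension, which exists only from TLS 1.2 on. OpenSSL 0.9.8e on the server speaks at most TLS 1.0, so the handshake that reached the certificate request was already a downgraded one. The script only shows what was on the wire; it does not establish why the client aborted after the CertificateRequest.

```python
import struct

# Stand-in for the hostname the page redacts inside the server_name extension.
# It must be 16 bytes so that every length field in the dump still adds up.
REDACTED_HOST = "host.example.com"
assert len(REDACTED_HOST) == 16

# Bytes copied from the log dump: the 11-byte first read, then the 156-byte read.
RECORD_HEX_LINES = [
    "16 03 03 00 a2 01 00 00 9e 03 03",
    "4d 95 94 c0 89 a3 72 7a b7 ea d5 c0 8e 05 92 0b",
    "13 49 b0 76 90 27 ec e3 72 44 32 5e fe 16 b6 df",
    "00 00 2a 00 3c 00 2f 00 3d 00 35 00 05 00 0a c0",
    "27 c0 13 c0 14 c0 2b c0 23 c0 2c c0 24 c0 09 c0",
    "0a 00 40 00 32 00 6a 00 38 00 13 00 04 01 00 00",
    "4b ff 01 00 01 00 00 00 00 15 00 13 00 00 10",
    REDACTED_HOST.encode("ascii").hex(),   # constructed: replaces the redacted "XX" bytes
    "00 05 00 05 01 00 00 00 00 00 0a 00 06 00 04 00 17",
    "00 18 00 0b 00 02 01 00 00 0d 00 10 00 0e 04 01",
    "05 01 02 01 04 03 05 03 02 03 02 02",
]
CLIENT_HELLO_RECORD = bytes.fromhex("".join(RECORD_HEX_LINES).replace(" ", ""))

EXT_NAMES = {
    0x0000: "server_name", 0x0005: "status_request", 0x000a: "elliptic_curves",
    0x000b: "ec_point_formats", 0x000d: "signature_algorithms", 0xff01: "renegotiation_info",
}
# Suites with SHA-256/384 HMAC or GCM are defined for TLS 1.2 only (RFC 5246, RFC 5289).
TLS12_ONLY_SUITES = {0x003c, 0x003d, 0x0040, 0x006a, 0xc023, 0xc024, 0xc027, 0xc02b, 0xc02c}


def parse_client_hello(record):
    """Parse one TLS record holding a ClientHello; raise ValueError on malformed input."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, rv_major, rv_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    body = record[5:]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    client_version = (hello[0], hello[1]); pos = 2
    client_random = hello[pos:pos + 32]; pos += 32
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + comp_len]); pos += comp_len

    extensions = {}  # extension type -> raw body, kept in wire order
    if pos < len(hello):
        (ext_len,) = struct.unpack("!H", hello[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            extensions[etype] = hello[pos:pos + elen]; pos += elen
        if pos != end or end != len(hello):
            raise ValueError("extension length mismatch")
    return {"record_version": (rv_major, rv_minor), "client_version": client_version,
            "random": client_random, "session_id": session_id, "cipher_suites": cipher_suites,
            "compression": compression, "extensions": extensions}


def sni_hostname(data):
    """Return the host_name entry of a server_name extension body, or None."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos = 2
    while pos + 3 <= 2 + list_len:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3]); pos += 3
        if name_type == 0:
            return data[pos:pos + name_len].decode("ascii")
        pos += name_len
    return None


def signature_algorithms(data):
    """Return (hash, signature) pairs from a signature_algorithms extension body."""
    (list_len,) = struct.unpack("!H", data[:2])
    return [(data[i], data[i + 1]) for i in range(2, 2 + list_len, 2)]


def summarize(record):
    """What the client offered, in a form that can be compared with the server's limits."""
    h = parse_client_hello(record)
    ext = h["extensions"]
    return {
        "client_version": h["client_version"],
        "offers_tls12": h["client_version"] >= (3, 3),
        "cipher_suite_count": len(h["cipher_suites"]),
        "tls12_only_suites": [c for c in h["cipher_suites"] if c in TLS12_ONLY_SUITES],
        "extensions": [EXT_NAMES.get(t, "0x%04x" % t) for t in ext],
        "sni": sni_hostname(ext[0x0000]) if 0x0000 in ext else None,
        "signature_algorithms": signature_algorithms(ext[0x000d]) if 0x000d in ext else [],
    }


if __name__ == "__main__":
    for key, value in summarize(CLIENT_HELLO_RECORD).items():
        print("%-22s %s" % (key, value))
```

Running it prints the client version (3, 3), 21 cipher suites of which 9 are TLS 1.2-only, the six extensions in wire order (renegotiation_info, server_name, status_request, elliptic_curves, ec_point_formats, signature_algorithms) and the seven hash/signature pairs the client accepts. The same parser can be pointed at any other mod_ssl BIO dump by replacing RECORD_HEX_LINES; lengths are checked so a mistyped byte is reported rather than silently misparsed.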


According to the description at http://lamp.linux.gov.cn/Apache/ApacheMenu/ssl/ssl_faq.html, MSIE really is full of bugs, but I tried the three workarounds listed there:

1. SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

2. SSLProtocol all -SSLv3

3. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

and none of the three helps.


Following the description in https://bugzilla.redhat.com/show_bug.cgi?id=610095, I tried

SSLInsecureRenegotiation on

and it still doesn't work.


Server: CentOS release 5.5 (Final) Linux 2.6.18-194.el5 x86_64 + Apache (httpd.x86_64 2.2.3-43.el5.centos.3) mod_ssl.x86_64 (1:2.2.3-43.el5.centos.3) + openssl.x86_64 (0.9.8e-12.el5_5.7)

 

Relevant configuration:

Listen 488

<VirtualHost _default_:488>
    ...
    SSLEngine on
    # MSIE workaround from the mod_ssl FAQ (item 1 above)
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    SSLProtocol all -SSLv2
    # Same string as FAQ item 3; the +LOW and +EXP members also admit
    # low-grade and export-grade suites
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /srv/cert/server.crt
    SSLCertificateKeyFile /srv/cert/server_nopass.key
    # Client certificate authentication: the client cert must be signed
    # directly by a CA in ca.crt (depth 1)
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /srv/cert/ca.crt
</VirtualHost>


Problem client: IE 8.0.7600.16385
Giving up for now...

Copyleft.A!die Software Studio.ADSS