adie's blog
Can't get it working, damn IE!
2011-04-01 16:50:35
After setting up client certificates on Apache, both Chrome and Firefox can access the site normally. Only IE still fails: it prompts for a certificate:
After clicking OK, a connection error appears. With debug-level logging enabled on the server, the log records the following:
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection to child 12 established (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:19 2011] [info] Seeding PRNG with 144 bytes of entropy
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 11/11 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0] (BIO dump follows)
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 16 03 03 00 a2 01 00 00-9e 03 03                 ...........      |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 156/156 bytes from BIO#2b1a01d22c40 [mem: 2b1a01d2ffbb] (BIO dump follows)
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0000: 4d 95 94 c0 89 a3 72 7a-b7 ea d5 c0 8e 05 92 0b  M.....rz........ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0010: 13 49 b0 76 90 27 ec e3-72 44 32 5e fe 16 b6 df  .I.v.'..rD2^.... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0020: 00 00 2a 00 3c 00 2f 00-3d 00 35 00 05 00 0a c0  ..*.<./.=.5..... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0030: 27 c0 13 c0 14 c0 2b c0-23 c0 2c c0 24 c0 09 c0  '.....+.#.,.$... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0040: 0a 00 40 00 32 00 6a 00-38 00 13 00 04 01 00 00  ..@.2.j.8....... |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0050: 4b ff 01 00 01 00 00 00-00 15 00 13 00 00 10 XX  K..............x |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0060: XX XX XX XX XX XX XX 6f-72 64 65 2e 63 6f 6d 00  xxx.xxxxxx.com.  |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0070: 05 00 05 01 00 00 00 00-00 0a 00 06 00 04 00 17  ................ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0080: 00 18 00 0b 00 02 01 00-00 0d 00 10 00 0e 04 01  ................ |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1791): | 0090: 05 01 02 01 04 03 05 03-02 03 02 02              ............     |
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 read client hello A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write server hello A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 write certificate request A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: SSLv3 flush data
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 5 bytes expected to read on BIO#2b1a01d22c40 [mem: 2b1a01d2ffb0]
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A
[Fri Apr 01 17:02:19 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv3 read client certificate A
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Apr 01 17:02:19 2011] [info] [client 125.70.58.151] Connection closed to child 12 with abortive shutdown (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection to child 9 established (server xxxx.xxxxxx.com:443)
[Fri Apr 01 17:02:21 2011] [info] Seeding PRNG with 144 bytes of entropy
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1801): OpenSSL: Handshake: start
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1809): OpenSSL: Loop: before/accept initialization
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_io.c(1830): OpenSSL: I/O error, 11 bytes expected to read on BIO#2b1a01b90570 [mem: 2b1a01d32d10]
[Fri Apr 01 17:02:21 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Fri Apr 01 17:02:21 2011] [info] [client 125.70.58.151] Connection closed to child 9 with abortive shutdown (server xxxx.xxxxx.com:443)

Judging by the description at http://lamp.linux.gov.cn/Apache/ApacheMenu/ssl/ssl_faq.html, MSIE really is full of bugs, but I tried the three methods given there:
1. SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
2. SSLProtocol all -SSLv3
3. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
and none of them worked.
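The BIO dump above is the only hard evidence in the log, so it is worth decoding rather than eyeballing. The following is an added example, not code from the original post or from mod_ssl: it transcribes the 167 bytes the server read (11 + 156) into a small ClientHello parser. The eight masked XX bytes and the rest of the SNI host name are replaced by the placeholder xxxx.example.com (an assumption; it has the same 16-byte length as the masked name, so every length field in the record still adds up). Everything else is byte-for-byte what the log shows. Decoded, the record is a TLS 1.2 ClientHello (version 03 03 in both the record header and the hello) carrying 21 cipher suites, nine of which exist only in TLS 1.2, plus a signature_algorithms extension; the server, OpenSSL 0.9.8e, implements nothing newer than TLS 1.0 and answered on its SSLv3/TLS1 code path ("SSLv3 write server hello A").

```python
"""Decode the TLS ClientHello that mod_ssl dumped at LogLevel debug (added example)."""
import struct

# Placeholder for the masked (XX) host name in the SNI extension. Constructed:
# same 16-byte length as the masked name, so every length field still adds up.
SNI_HOST = "xxxx.example.com"

# The record as the server read it: 11 bytes, then 156 bytes (see the BIO dump).
CLIENT_HELLO = bytes.fromhex(" ".join([
    "16 0303 00a2",                    # record: handshake, version 3.3 (TLS 1.2), 162 bytes
    "01 00009e",                       # ClientHello, 158 bytes
    "0303",                            # client_version: TLS 1.2
    "4d9594c0 89a3727a b7ead5c0 8e05920b 1349b076 9027ece3 7244325e fe16b6df",  # random
    "00",                              # session_id: empty
    "002a 003c 002f 003d 0035 0005 000a c027 c013 c014 c02b c023 c02c"
    " c024 c009 c00a 0040 0032 006a 0038 0013 0004",  # 21 cipher suites
    "01 00",                           # compression_methods: null only
    "004b",                            # extensions: 75 bytes
    "ff01 0001 00",                    # renegotiation_info (RFC 5746)
    "0000 0015 0013 00 0010 " + SNI_HOST.encode().hex(),  # server_name
    "0005 0005 01 0000 0000",          # status_request (OCSP stapling)
    "000a 0006 0004 0017 0018",        # elliptic_curves: secp256r1, secp384r1
    "000b 0002 01 00",                 # ec_point_formats: uncompressed
    "000d 0010 000e 0401 0501 0201 0403 0503 0203 0202",  # signature_algorithms
]))

EXT_NAMES = {0x0000: "server_name", 0x0005: "status_request", 0x000a: "elliptic_curves",
             0x000b: "ec_point_formats", 0x000d: "signature_algorithms",
             0xff01: "renegotiation_info"}
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# Suites defined only for TLS 1.2 (SHA-256/384 HMAC or AES-GCM; RFC 5246, 5288, 5289).
# A server that tops out at TLS 1.0, such as OpenSSL 0.9.8, can never pick one of these.
TLS12_ONLY = {0x003c, 0x003d, 0x0040, 0x006a, 0xc023, 0xc024, 0xc027, 0xc02b, 0xc02c}


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def decode_sni(data):
    """server_name extension body -> first host_name entry, or None."""
    if not data:
        return None
    pos, end = 2, 2 + _u16(data, 0)
    while pos + 3 <= end:
        name_type, name_len = data[pos], _u16(data, pos + 1)
        if name_type == 0:
            return data[pos + 3:pos + 3 + name_len].decode("ascii")
        pos += 3 + name_len
    return None


def decode_sig_algs(data):
    """signature_algorithms body -> [(hash, signature), ...]."""
    if not data:
        return []
    return [(HASH_NAMES.get(data[i], str(data[i])), SIG_NAMES.get(data[i + 1], str(data[i + 1])))
            for i in range(2, 2 + _u16(data, 0), 2)]


def decode_curves(data):
    """elliptic_curves body -> list of NamedCurve ids."""
    return [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)] if data else []


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello; raise ValueError if it is malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    info = {"record_version": (record[1], record[2]),
            "client_version": (hello[0], hello[1]),
            "gmt_unix_time": struct.unpack("!I", hello[2:6])[0]}   # client clock, in random
    pos = 34                                     # after version + 32-byte random
    pos += 1 + hello[pos]                        # session_id
    cs_len = _u16(hello, pos); pos += 2
    info["cipher_suites"] = [_u16(hello, p) for p in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                        # compression_methods
    exts = {}
    if pos < len(hello):                         # extensions are optional
        end = pos + 2 + _u16(hello, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            exts[etype] = hello[pos:pos + elen]; pos += elen
        if pos != end or end != len(hello):
            raise ValueError("extension length mismatch")
    info["extensions"] = [EXT_NAMES.get(t, hex(t)) for t in exts]
    info["tls12_only_suites"] = sum(1 for s in info["cipher_suites"] if s in TLS12_ONLY)
    info["sni"] = decode_sni(exts.get(0x0000))
    info["curves"] = decode_curves(exts.get(0x000a))
    info["signature_algorithms"] = decode_sig_algs(exts.get(0x000d))
    return info


if __name__ == "__main__":
    for key, value in parse_client_hello(CLIENT_HELLO).items():
        print(f"{key}: {value}")
```

Two things the decoded record and the log entries after it establish. First, the server never failed: it wrote ServerHello, Certificate and CertificateRequest, flushed, and then got EOF while waiting for the 5-byte header of the client's Certificate record, so the hang-up is the client's, with no alert sent, and the second connection two seconds later is closed before any ClientHello at all. Second, the hello already carries renegotiation_info, so the client is RFC 5746-aware and the failure is in the initial handshake, not a renegotiation. A useful check that separates the client-certificate path from the browser is to replay it against the same vhost with `openssl s_client -tls1 -cert client.crt -key client.key -CAfile ca.crt -connect host:port` and confirm the server accepts a TLS 1.0 client certificate handshake from something other than Schannel.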
Following the description at https://bugzilla.redhat.com/show_bug.cgi?id=610095, I also tried SSLInsecureRenegotiation on; still no luck.
Server: CentOS release 5.5 (Final), Linux 2.6.18-194.el5 x86_64, Apache httpd.x86_64 2.2.3-43.el5.centos.3, mod_ssl.x86_64 1:2.2.3-43.el5.centos.3, openssl.x86_64 0.9.8e-12.el5_5.7
Relevant configuration:

Listen 488
<VirtualHost _default_:488>
    ...
    SSLEngine on
    # MSIE workaround from the mod_ssl FAQ
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /srv/cert/server.crt
    SSLCertificateKeyFile /srv/cert/server_nopass.key
    # client certificate required, must chain directly to ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /srv/cert/ca.crt
</VirtualHost>

Problem client: IE 8.0.7600.16385
Giving up on this for now...