Pound Mailing List Archive (Apsis), 2004-08: IE 5.0 + SSL problem


IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-04 18:14:50 [ SNIP ]
Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed

I've placed 

ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

into pound.conf. We're still having problems with IE 5.0 users not being able
to browse the SSL encrypted website. We've put tcpwatch on the job tracking the
traffic into pound and out of pound. We see the traffic hit tcpwatch coming
into pound, and then we get nothing coming out on the other end. If we're not
using ssl we can see traffic, request and response, on both sides of pound. If
we're using IE5.5 and IE6 we can see traffic on both sides of pound.

We tried disabling ssl3 on the IE 5.0 client and we were able to browse! That
makes me think that the ListenHTTPS line needs some more work. Can anyone
propose a better workaround? Ideally, I'd like to use ssl3 for everyone. That
may be impossible.

Please advise.


REPOST: IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-06 14:51:01 [ SNIP ]
Everyone must be on holiday! I'll ask again in case I wasn't loud enough the
first time... :)

Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed

I've placed 

ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

into pound.conf. We're still having problems with IE 5.0 users not being able
to browse the SSL encrypted website. We've put tcpwatch on the job tracking the
traffic into pound and out of pound. We see the traffic hit tcpwatch coming
into pound, and then we get nothing coming out on the other end. If we're not
using ssl we can see traffic, request and response, on both sides of pound. If
we're using IE5.5 and IE6 we can see traffic on both sides of pound.

We tried disabling ssl3 on the IE 5.0 client and we were able to browse! That
makes me think that the ListenHTTPS line needs some more work. Can anyone
propose a better workaround? Ideally, I'd like to use ssl3 for everyone. That
may be impossible.

Please advise.


Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-06 15:07:15 [ SNIP ]
On Friday 06 August 2004 14.51, Chris Gamache wrote:
> Everyone must be on holiday! I'll ask again in case I wasn't loud enough
> the first time... :)

ALL CAPS IS THE SOLUTION!!!!

> Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed
>
> I've placed
>
> ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Try removing the ! from EXPORT56 as I suggested in an earlier message.

> into pound.conf. We're still having problems with IE 5.0 users not being
> able to browse the SSL encrypted website. We've put tcpwatch on the job
> tracking the traffic into pound and out of pound. We see the traffic hit
> tcpwatch coming into pound, and then we get nothing coming out on the other
> end. If we're not using ssl we can see traffic, request and response, on
> both sides of pound. If we're using IE5.5 and IE6 we can see traffic on
> both sides of pound.
>
> We tried disabling ssl3 on the IE 5.0 client and we were able to browse!
> That makes me think that the ListenHTTPS line needs some more work. Can
> anyone propose a better workaround? Ideally, I'd like to use ssl3 for
> everyone. That may be impossible.

I'd like to see the log messages for the connection attempts, or, even better, 
perhaps extra debugging from the handshake - try removing the comment around 
line 593 in http.c after the call to BIO_do_handshake().
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904

Re: REPOST: IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-06 16:29:49 [ SNIP ]
I THOUGHT THAT ALL CAPS WAS RUDE!!!!!!!! :)

Thank you for the quick reply.

Made the changes you suggested:

ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

and modified the source code; recompiled:

Aug  6 09:40:38 balance1 pound: starting...
Aug  6 09:40:49 balance1 pound: BIO_do_handshake with 192.168.168.21 failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Interesting, eh? I don't know enough about OpenSSL to /intelligently/ rewrite
that cipher line. "man ciphers" describes this line as:

* all ciphers suites except the eNULL ciphers which must be explicitly enabled.
* NO anonymous DH cipher suites.
* 56 bit export encryption algorithms.
* cipher suites using RC4. 
* cipher suites using RSA key exchange.
* "high" encryption cipher suites. This currently means those with key lengths
larger than 128 bits.
* "medium" encryption cipher suites, currently those using 128 bit encryption.
* "low" encryption cipher suites, currently those using 64 or 56 bit encryption
algorithms but excluding export cipher suites.
* SSL v2.0 cipher suites
* export encryption algorithms. Including 40 and 56 bits algorithms.
* ENABLED "NULL" ciphers (offering no encryption). 

IE5.0 insists on using SSLv3 (which would be fine if OpenSSL would be able to
converse with its botched implementation, yes?) ... On a whim I tried half a
dozen different cipher strings, which yielded the same effect. It seems like
the cipher string is being ignored.

I'm stumped!

--- Robert Segall <roseg(at)apsis.ch> wrote:

> On Friday 06 August 2004 14.51, Chris Gamache wrote:
> > Everyone must be on holiday! I'll ask again in case I wasn't loud enough
> > the first time... :)
> 
> ALL CAPS IS THE SOLUTION!!!!
> 
> > Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed
> >
> > I've placed
> >
> > ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
> Try removing the ! from EXPORT56 as I suggested in an earlier message.
> 
> > into pound.conf. We're still having problems with IE 5.0 users not being
> > able to browse the SSL encrypted website. We've put tcpwatch on the job
> > tracking the traffic into pound and out of pound. We see the traffic hit
> > tcpwatch coming into pound, and then we get nothing coming out on the other
> > end. If we're not using ssl we can see traffic, request and response, on
> > both sides of pound. If we're using IE5.5 and IE6 we can see traffic on
> > both sides of pound.
> >
> > We tried disabling ssl3 on the IE 5.0 client and we were able to browse!
> > That makes me think that the ListenHTTPS line needs some more work. Can
> > anyone propose a better workaround? Ideally, I'd like to use ssl3 for
> > everyone. That may be impossible.
> 
> I'd like to see the log messages for the connection attempts, or, even
> better, 
> perhaps extra debugging from the handshake - try removing the comment around 
> line 593 in http.c after the call to BIO_do_handshake().
> -- 
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-1-920 4904
> 


Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-06 17:14:51 [ SNIP ]
On Friday 06 August 2004 16.29, Chris Gamache wrote:
> Made the changes you suggested:
>
> ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> and modified the source code; recompiled:
>
> Aug  6 09:40:38 balance1 pound: starting...
> Aug  6 09:40:49 balance1 pound: BIO_do_handshake with 192.168.168.21
> failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

OK - I got it: this is an artifact of the great memory leak hunt. As part of 
that we had temporarily eliminated the temporary RSA key generation, thus 
probably breaking IE. I'll  put it back in by Monday and put up a new 
-current.

Thanks for the heads-up.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904
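A worked model of the two things this thread turns on, added here as an illustration and not code from Pound or OpenSSL. The first half evaluates an OpenSSL-style cipher string using the `ciphers(1)` grammar quoted earlier (a bare word adds matching suites, `+word` only reorders suites that are already present, `-word` removes, `!word` removes permanently, and `word+word` means both must match), so the thread's original string and the revised one without `!EXPORT56` can be compared side by side. The second half mimics the server's suite choice at the point where `SSL3_GET_CLIENT_HELLO` reported `no shared cipher`: an export RSA suite is only usable when a temporary RSA key is available, so a server that has dropped its ephemeral RSA key generation silently masks those suites out, and a client offering nothing else gets exactly that error. The suite table, its preference order, and the client offers are constructed assumptions for the example, not IE 5.0's real ClientHello.

```python
import re
from dataclasses import dataclass

# Added example: a toy model of OpenSSL cipher-string evaluation and server-side
# suite selection. Not Pound's or OpenSSL's code. The suite table, its order and
# the client offers below are constructed for illustration.


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange / authentication: "RSA" or "ADH" (anonymous DH)
    enc: str       # bulk cipher: "AES", "3DES", "DES", "RC4" or "NULL"
    bits: int      # effective key length in bits
    export: bool   # export-grade suite (40- or 56-bit)


# Constructed subset of SSLv3/TLS1.0 suites in an assumed default preference order.
SUITES = [
    Suite("AES256-SHA", "RSA", "AES", 256, False),
    Suite("DES-CBC3-SHA", "RSA", "3DES", 168, False),
    Suite("AES128-SHA", "RSA", "AES", 128, False),
    Suite("RC4-SHA", "RSA", "RC4", 128, False),
    Suite("RC4-MD5", "RSA", "RC4", 128, False),
    Suite("DES-CBC-SHA", "RSA", "DES", 56, False),
    Suite("EXP1024-RC4-SHA", "RSA", "RC4", 56, True),
    Suite("EXP1024-DES-CBC-SHA", "RSA", "DES", 56, True),
    Suite("EXP-RC4-MD5", "RSA", "RC4", 40, True),
    Suite("EXP-DES-CBC-SHA", "RSA", "DES", 40, True),
    Suite("ADH-RC4-MD5", "ADH", "RC4", 128, False),
    Suite("NULL-SHA", "RSA", "NULL", 0, False),
]

# The two strings from the thread: the original with "!EXPORT56" and the revised one.
ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
REVISED = "ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def matches(word, s):
    """Does one ciphers(1) keyword select suite s? Thresholds follow the man page
    text quoted in the thread (HIGH > 128 bits, MEDIUM = 128, LOW = 56/64 non-export)."""
    keywords = {
        "ALL": s.enc != "NULL",            # everything except the eNULL suites
        "eNULL": s.enc == "NULL", "NULL": s.enc == "NULL",
        "ADH": s.kx == "ADH",
        "RSA": s.kx == "RSA", "kRSA": s.kx == "RSA", "aRSA": s.kx == "RSA",
        "RC4": s.enc == "RC4",
        "EXP": s.export, "EXPORT": s.export,
        "EXPORT40": s.export and s.bits == 40,
        "EXPORT56": s.export and s.bits == 56,
        "HIGH": s.bits > 128,
        "MEDIUM": s.bits == 128,
        "LOW": s.bits in (56, 64) and not s.export,
        "SSLv3": True, "TLSv1": True,      # every constructed suite is an SSLv3/TLS1 suite
        "SSLv2": False,                    # assumption: no SSLv2 suites in this table
    }
    return keywords.get(word, word == s.name)   # unknown words match by suite name only


def evaluate(cipher_string, table=SUITES):
    """Build the enabled list the way OpenSSL processes a cipher string, token by token."""
    active, killed = [], set()
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token:
            continue
        if token == "@STRENGTH":
            active.sort(key=lambda s: s.bits, reverse=True)
            continue
        prefix, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        words = body.split("+")                     # "RC4+RSA" means RC4 AND RSA
        hits = {s.name for s in table if all(matches(w, s) for w in words)}
        if prefix == "!":                           # permanently delete
            killed |= hits
            active = [s for s in active if s.name not in hits]
        elif prefix == "-":                         # delete, but a later word may re-add
            active = [s for s in active if s.name not in hits]
        elif prefix == "+":                         # move to the end; never adds anything
            active = [s for s in active if s.name not in hits] + [s for s in active if s.name in hits]
        else:                                       # add, in table order, if not present/killed
            present = {s.name for s in active}
            active += [s for s in table if s.name in hits and s.name not in present and s.name not in killed]
    return active


def choose_cipher(server_list, client_offer, has_tmp_rsa):
    """Server-side choice as OpenSSL makes it without SSL_OP_CIPHER_SERVER_PREFERENCE:
    walk the client's offer in order and take the first suite the server both
    enables and can complete a handshake for. Returns None for "no shared cipher"."""
    enabled = {s.name: s for s in server_list}
    for name in client_offer:
        s = enabled.get(name)
        if s is None:
            continue
        # An export RSA suite needs a temporary (512-bit) RSA key once the certificate
        # key is longer than 512 bits; with no key and no callback OpenSSL masks it out.
        if s.kx == "RSA" and s.export and not has_tmp_rsa:
            continue
        return s.name
    return None


# Constructed client offers (assumptions, not real ClientHello captures).
EXPORT_ONLY_CLIENT = ["EXP1024-RC4-SHA", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]
STRONG_CLIENT = ["RC4-MD5", "DES-CBC3-SHA", "EXP-RC4-MD5"]

if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, [s.name for s in evaluate(cs)])
    for tmp in (False, True):
        print("tmp RSA key:", tmp, "->", choose_cipher(evaluate(REVISED), EXPORT_ONLY_CLIENT, tmp))
```

Two things the model makes visible that the prose does not: `+eNULL` at the end of the thread's string never enables the NULL suites, because `+` only reorders suites already on the list and `ALL` excluded them; and the `!EXPORT56` versus `EXPORT56` change only matters to a client whose offer consists of 56-bit export suites. On a real host the enabled list for any string can be checked with `openssl ciphers -v '<string>'`; note that current OpenSSL builds have dropped the export and SSLv2 suites entirely, so the thread's strings match far fewer suites there than they did against 0.9.7d.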

Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-07 18:13:46 [ SNIP ]
As promised, a new -current is available. It has (again) support for RSA 
ephemeral keys, and should solve the IE problem.

As always - please tell us all how it works.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904

Re: REPOST: IE 5.0 + SSL problem
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2004-08-08 02:02:34 [ SNIP ]
> As promised, a new -current is available. It has (again) support for RSA
> ephemeral keys, and should solve the IE problem.

My feedback is positive. I just tested the new current on IE 5.0 + SSL on
Win95 and it seems to work well. This has not worked with the version
before.

Thanks,
Simon
