[Macpartners] OpenSSL <0.9.7 + Safari?

Mark Pearrow mpearrow at csail.mit.edu
Mon Feb 23 16:09:17 EST 2004


Hi All,

I've been pulling my hair out trying to figure out why the personal 
certificates we sign with our CA (CSAIL has its own CA for various 
historical reasons) don't seem to work with Safari. Strangely, they do 
work with certain web servers, but not others. Whenever the certs fail 
to work, Safari returns this error:

The error was: “bad server response” (NSURLErrorDomain:-1011)

If I look at the server error logs, I typically see an error that says 
something like:

[Mon Feb 23 15:56:57 2004] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Feb 23 15:56:57 2004] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Mon Feb 23 15:56:57 2004] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Mon Feb 23 15:57:02 2004] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Feb 23 15:57:02 2004] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Mon Feb 23 15:57:02 2004] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Note the renegotiation phase breaking. I've seen one other post on 
usenet about this problem, but no resolution yet.

But the same browser and the same certificate work with other servers. I've 
determined that there is one consistent difference between the servers 
that interoperate well with Safari, and the ones that don't: the ones 
that don't work seem to be running Apache + openssl 0.9.6x OR IIS, 
whereas the ones that work are running Apache + openssl 0.9.7.

I'm wondering if anyone has experienced this problem as well, or if 
anyone has any inside scoop.

mjp
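A small triage script for the kind of mod_ssl/OpenSSL log excerpt quoted above, added here as an example; it is not code from the original post or from the Macpartners list. It parses each error line, splits the OpenSSL error code into its library/function/reason fields (the `error:LLFFFRRR` layout used by OpenSSL 0.9.x), groups lines by timestamp, and labels each handshake attempt as either "client aborted the renegotiation" or "client completed it but presented no certificate". The sample input is constructed from the six log lines in the post, one entry per line; treating lines that share a timestamp as one handshake attempt is an assumption that holds for this excerpt but not necessarily for a busy server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the mod_ssl / OpenSSL error lines quoted in the post,
# unwrapped so that each log entry sits on one line.
SAMPLE_LOG = """\
[Mon Feb 23 15:56:57 2004] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Feb 23 15:56:57 2004] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Mon Feb 23 15:56:57 2004] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Mon Feb 23 15:57:02 2004] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Feb 23 15:57:02 2004] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Mon Feb 23 15:57:02 2004] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
"""

# Apache 1.3 / mod_ssl error_log layout: [timestamp] [level] source: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<src>mod_ssl|OpenSSL): (?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)


def decode_openssl_code(code_hex):
    """Split an OpenSSL 0.9.x packed error code into (library, function, reason).

    The 32-bit code is laid out as 8 bits of library id, 12 bits of function id
    and 12 bits of reason id; the symbolic names are what `openssl errstr` prints.
    """
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not an SSL error line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
    e = ERR_RE.search(entry["msg"])
    if e:
        entry["openssl"] = decode_openssl_code(e.group("code"))
        entry["openssl"]["func_name"] = e.group("func")
        entry["openssl"]["reason_text"] = e.group("reason")
    return entry


def classify_attempt(entries):
    """Label one handshake attempt from the mod_ssl and OpenSSL lines it produced."""
    reneg_failed = any("Re-negotiation handshake failed" in e["msg"] for e in entries)
    reasons = [e["openssl"]["reason_text"] for e in entries if "openssl" in e]
    if reneg_failed and any("did not return a certificate" in r for r in reasons):
        # Renegotiation ran, but the client answered the CertificateRequest with no cert.
        return "no-client-certificate"
    if reneg_failed and any("handshake failure" in r for r in reasons):
        # The client refused or tore down the renegotiation handshake itself.
        return "client-aborted-renegotiation"
    if reasons:
        return "other-ssl-error"
    return "unknown"


def triage(log_text):
    """Group SSL error lines by timestamp (assumed: one attempt per second) and label each."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            attempts[entry["ts"]].append(entry)
    return [(ts, classify_attempt(entries)) for ts, entries in sorted(attempts.items())]


if __name__ == "__main__":
    for ts, label in triage(SAMPLE_LOG):
        print(ts.isoformat(), label)
```

Run it on a real `error_log` by reading the file into `triage()`. Both labels point at the renegotiation step rather than at the certificate chain itself, which matches the post's observation; as a general mod_ssl caveat, whether the server asks for the client certificate in the initial handshake or only by renegotiating depends on whether `SSLVerifyClient` is set for the whole virtual host or only for a directory or location, so the second placement is the one that exercises the renegotiation path these logs show.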



