Ralf (and others),
I am still getting this problem. I don't get it. What I can't figure out is why
one of the Virtual Hosts is capable of loading its certificate chain, but the
other one isn't. They are both loading their CA chain from the *same* file. So I
know it exists, and I know it is valid. If it wasn't, the first one wouldn't
load it.
I have tried everything again with newer versions of stuff. I am now up to
mod_ssl 2.3.10, but the problem still persists.
I have added some debug statements as shown below to the function
ssl_init_FindCAList.
    if (cpCAfile != NULL) {
        sk = SSL_load_client_CA_file(cpCAfile);
        if (sk == NULL) {
            ssl_log(s, SSL_LOG_TRACE, "sk == NULL");
        }
        else {
            ssl_log(s, SSL_LOG_TRACE, "sk != NULL");
            /* IMPORTANT: only query the stack size once we know sk is non-NULL */
            ssl_log(s, SSL_LOG_TRACE,
                    "sk_X509_NAME_num(sk) = %d", sk_X509_NAME_num(sk));
        }
        for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
            /* X509_NAME_oneline() with a NULL buffer allocates; free it after logging */
            char *cp = X509_NAME_oneline(sk_X509_NAME_value(sk, n), NULL, 0);
            ssl_log(s, SSL_LOG_TRACE, "CA certificate: %s", cp);
            free(cp);
            /* add each subject name to the per-server CA list only once */
            if (sk_X509_NAME_find(skCAList, sk_X509_NAME_value(sk, n)) < 0)
                sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
        }
    }
When I run this hacked version of the server, the value that prints out for
sk_X509_NAME_num(sk) is 0! This seems very odd to me. The file I am loading
definitely has data in it, and loads successfully for the other VHost that uses
it. Why does it not load here?
Any help would be greatly appreciated.
-Jeremy
"Ralf S. Engelschall" wrote:
>
> On Mon, Jul 12, 1999, Jeremy Beker wrote:
> >
> > I am at my wits end on this one. I have been running Apache+mod_ssl
> > now for quite a while with no problems. The version I have been running
> > is Apache 1.3.6 with mod_ssl 2.2.6 as well as PHP. It has been running
> > flawlessly with my configuration of several IP based VHosts most of
> > which are running SSL alongside standard HTTP. Two of them are doing
> > SSL3 (client auth).
> > Now I recently decided to upgrade to the latest mod_ssl (2.3.5). The
> > compile went fine and I installed the new binary. But when I start my
> > server up, *ONE* (not both) of the SSL3 sites has the following error in
> > the log file:
> >
> > [warn] Init: Ops, you want to request client authentication, but no CAs
> > are known for verification!? [Hint: SSLCACertificate*]
> >
> > ????
> >
> > What is going on here!?!? The VirtualHost section for this server does
> > have a SSLCACertificateFile entry. And it worked perfectly fine for
> > months with mod_ssl version 2.2.6 (and still does when I put the old
> > binary back in). I didn't change the httpd.conf one bit.
> > I have tried everything I can think of. The two SSL3 VirtualHosts have
> > exactly the same configs (except for key files, ServerName, etc), yet
> > one of them doesn't work. I have swapped their position in the
> > httpd.conf file so order does not appear to matter.
> > I want to upgrade the server, but I can't do so unless all of the
> > VHosts work. I will be in debt to anyone who can help on this one.
>
> This is a new consistency check. When it fails, it means that mod_ssl has not
> found any CA certificates. Why, that's the other question. But even without this
> check stopping you, your stuff might not work. Actually the check looks at the
> CA list stack which was built by ssl_init_FindCAList(). So it seems this
> function doesn't find anything for you. It would be fine if you could trace
> down this function and find out why it doesn't find any CA certs for you.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
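Added example for this thread (not code from the mail, mod_ssl or OpenSSL): a stand-alone Python check that walks a PEM CA bundle the way a CA-list loader does and reports why SSL_load_client_CA_file() could come back with an empty stack. It counts blocks whose label OpenSSL accepts for an X.509 certificate, verifies the base64 decodes and that the decoded bytes have the shape of a single DER SEQUENCE (a shape check only, not certificate parsing), and flags blocks with other labels (skipped by the loader) or damaged bodies (the loader stops at the first block it cannot decode, so a damaged block near the top can leave the stack empty). The sample bundle is constructed: its "certificate" body is a toy DER SEQUENCE { INTEGER 1 }, not a real certificate. In Jeremy's case the same file loads for the other VHost, so this check would mainly rule the file itself out and point back at the per-server code path.

```python
import base64
import re

# Labels OpenSSL's PEM reader accepts when asked for an X.509 certificate.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----\s*$")


def _der_sequence_length(der: bytes):
    """Total encoded length of an outer DER SEQUENCE, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_ca_bundle(text: str):
    """Return (loaded, problems) for a PEM bundle.

    `loaded` counts certificate blocks that pass label, base64 and outer
    SEQUENCE checks; `problems` lists human-readable findings.
    """
    loaded, problems = 0, []
    label, body, start = None, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")           # tolerate CRLF bundles
        m = BEGIN_RE.match(line)
        if m:
            if label is not None:
                problems.append(f"line {lineno}: BEGIN {m.group(1)} inside unterminated {label} block (line {start})")
            label, body, start = m.group(1), [], lineno
            continue
        m = END_RE.match(line)
        if m:
            if label is None:
                problems.append(f"line {lineno}: END {m.group(1)} without BEGIN")
                continue
            if m.group(1) != label:
                problems.append(f"line {lineno}: END {m.group(1)} does not match BEGIN {label} (line {start})")
            elif label not in CERT_LABELS:
                problems.append(f"line {start}: {label} block is not a certificate; a CA-list loader skips it")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError:
                    der = None
                if der is None:
                    problems.append(f"line {start}: certificate body is not valid base64; loader stops here")
                elif _der_sequence_length(der) != len(der):
                    problems.append(f"line {start}: decoded bytes are not one DER SEQUENCE; loader stops here")
                else:
                    loaded += 1
            label = None
            continue
        if label is not None:
            body.append(line.strip())
    if label is not None:
        problems.append(f"line {start}: BEGIN {label} has no matching END")
    if loaded == 0:
        problems.append("no loadable certificates: SSL_load_client_CA_file() would return an empty stack")
    return loaded, problems


# Constructed sample: one well-formed block (toy DER, not a real certificate),
# one private key the loader would skip, and one block with damaged base64.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQE=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQ!!
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    count, findings = inspect_ca_bundle(SAMPLE_BUNDLE)
    print(f"loadable certificates: {count}")
    for f in findings:
        print(" -", f)
```

Run it against the actual SSLCACertificateFile with `inspect_ca_bundle(open(path).read())`; a result of 0 with no findings other than the final summary line means the file is fine and the empty stack comes from somewhere else, which is what the per-VHost symptom in this thread already suggests.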