Hello everyone,

        I am replying to my own question just so that if anyone else was running
into the same problem, they know the ultimate solution.  Basically the problem
appeared to be not in the mod_ssl package, but in some strangeness in the
OpenSSL 0.9.3a version.  I just tried all my stuff again with the recently
released 0.9.4 version of OpenSSL and it worked properly.  So just a heads up
for everyone.

-Jeremy

Jeremy Beker wrote:
> 
> Ralf (and others),
> 
>         I am still getting this problem.  I don't get it.  What I can't figure
> out is why one of the Virtual Hosts is capable of loading its certificate
> chain, but the other one isn't.  They are both loading their CA chain from
> the *same* file.  So I know it exists, and I know it is valid.  If it
> wasn't, the first one wouldn't load it.
>         I have tried everything again with newer versions of stuff.  I am
> now up to mod_ssl 2.3.10, but the problem still persists.
>         I have added some debug statements as shown below to the function
> ssl_init_FindCAList.
> 
>     if (cpCAfile != NULL) {
>         sk = SSL_load_client_CA_file(cpCAfile);
>         if (sk == NULL) {
>             ssl_log(s, SSL_LOG_TRACE, "sk == NULL");
>         }
>         else {
>             ssl_log(s, SSL_LOG_TRACE, "sk != NULL");
>         }
>         ssl_log(s, SSL_LOG_TRACE,
>                 "sk_X509_NAME_num(sk) = %d", sk_X509_NAME_num(sk));  /* IMPORTANT */
>
>         for (n = 0; sk != NULL && n < sk_X509_NAME_num(sk); n++) {
>             ssl_log(s, SSL_LOG_TRACE,
>                     "CA certificate: %s",
>                     X509_NAME_oneline(sk_X509_NAME_value(sk, n), NULL, 0));
>             if (sk_X509_NAME_find(skCAList, sk_X509_NAME_value(sk, n)) < 0)
>                 sk_X509_NAME_push(skCAList, sk_X509_NAME_value(sk, n));
>         }
>     }
> 
>         When I run this hacked version of the server, the value that prints
> out for sk_X509_NAME_num(sk) is 0!  This seems very odd to me.  The file I
> am loading definitely has data in it, and loads successfully for the other
> VHost that uses it.  Why does it not load here?
>         Any help would be greatly appreciated.
> 
> -Jeremy
> 
> "Ralf S. Engelschall" wrote:
> >
> > On Mon, Jul 12, 1999, Jeremy Beker wrote:
> > >
> > >       I am at my wits end on this one.  I have been running Apache+mod_ssl
> > > now for quite a while with no problems.  The version I have been running
> > > is Apache 1.3.6 with mod_ssl 2.2.6 as well as PHP.  It has been running
> > > flawlessly with my configuration of several IP based VHosts most of
> > > which are running SSL alongside standard HTTP.  Two of them are doing
> > > SSL3 (client auth).
> > >       Now I recently decided to upgrade to the latest mod_ssl (2.3.5).  The
> > > compile went fine and I installed the new binary.  But when I start my
> > > server up, *ONE* (not both) of the SSL3 sites has the following error in
> > > the log file:
> > >
> > > [warn]  Init: Ops, you want to request client authentication, but no CAs
> > > are known for verification!? [Hint: SSLCACertificate*]
> > >
> > > ????
> > >
> > >       What is going on here!?!?  The VirtualHost section for this server does
> > > have an SSLCACertificateFile entry.  And it worked perfectly fine for
> > > months with mod_ssl version 2.2.6 (and still does when I put the old
> > > binary back in). I didn't change the httpd.conf one bit.
> > >       I have tried everything I can think of.  The two SSL3 VirtualHosts have
> > > exactly the same configs (except for key files, ServerName, etc), yet
> > > one of them doesn't work.  I have swapped their position in the
> > > httpd.conf file so order does not appear to matter.
> > >       I want to upgrade the server, but I can't do so unless all of the
> > > VHosts work.  I will be in debt to anyone who can help on this one.
> >
> > This is a new consistency check.  When it fails, it means that mod_ssl has
> > not found any CA certificates.  Why, that's the other question.  But at
> > least, if this check didn't stop you, your stuff might not work.  Actually
> > the check looks at the CA list stack which was built by
> > ssl_init_FindCAList().  So it seems this function doesn't find anything
> > for you.  It would be good if you could trace down this function and find
> > out why it doesn't find any CA certs for you.
> >
> >                                        Ralf S. Engelschall
> >                                        [EMAIL PROTECTED]
> >                                        www.engelschall.com
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
