Hi.
I'm using Apache 1.3.17 with mod_ssl 2.8.0-1.3.17 and OpenSSL 0.9.6 on
Linux. I'm having a problem using 2 Apache servers serving 2 SSL areas
with certificates signed by the same self-made CA.
In each one's config I have:
sslcertificatefile /web/corp/conf/ssl/server.crt
sslcertificatekeyfile /web/corp/conf/ssl/server.key
sslcertificatefile /web/eng/conf/ssl/server.crt
sslcertificatekeyfile /web/eng/conf/ssl/server.key
The CSRs and keys for each of these sites are different, but they were
both signed by the same CA. I used the pkg.contrib/sign.sh to sign the
CSRs. The procedure I used was (more or less):
Generate the CA:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Then for each site (corp and eng), I generate the key and CSR:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
I made sure to use the site hostname as the "common name" in the CSRs.
For both of those sites, I copied all relevant files (server.key,
server.csr, ca.key, ca.crt) to conf/ssl/. Then I copied
pkg.contrib/sign.sh to conf/ssl/. I then ran sign.sh. It did stuff,
asked if I wanted to sign, etc. etc. I then ended up with a server.crt for
each site, used those 2 config lines above (along with the rest of the
default SSL directives), and let it rip.
When I fire up my browser (Netscape on Linux), I can then go to either
site just fine. But after I've visited one site, when I try to go to the
other, it fails. Errors look like this:
==> /web/corp/logs/ssl_engine_log <==
[21/Feb/2001 18:07:10 29774] [info] Connection to child 1 established (server corp.mybiz.com:9003, client 64.211.151.249)
[21/Feb/2001 18:07:10 29774] [info] Seeding PRNG with 1160 bytes of entropy
[21/Feb/2001 18:07:10 29774] [error] SSL handshake failed (server corp.mybiz.com:9003, client 64.211.151.249) (OpenSSL library error follows)
[21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
[21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
[21/Feb/2001 18:07:10 29774] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
==> /web/corp/logs/ssl_error_log <==
[Wed Feb 21 18:07:10 2001] [error] mod_ssl: SSL handshake failed (server corp.mybiz.com:9003, client 64.211.151.249) (OpenSSL library error follows)
[Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
[Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
[Wed Feb 21 18:07:10 2001] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
If I visit the sites in reverse order after closing and restarting my
browser, the same errors occur for the other site (whichever I visit
second). I'm guessing this has something to do with them both being
signed by the same CA, but I just don't know enough to know how that
affects things.
Any suggestions? Does this have anything to do with the
SSLCertificateChainFile / SSLCACertificatePath / SSLCACertificateFile
directives?
-tcl.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
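The following is an added example, not part of the post above and not mod_ssl's sign.sh. It reproduces the three-step procedure the post describes (private CA, per-site key and CSR, CA-signed server certificate) with the openssl CLI and then runs the two checks that account for a "bad rsa decrypt" / "block type is not 02" failure in SSL3_GET_CLIENT_KEY_EXCHANGE: that error means the server's private key could not decrypt the premaster secret the client encrypted to the public key in the certificate it used, i.e. the key and the certificate the client saw do not pair. Two things are worth verifying in the post's setup: that each server.key really matches its own server.crt, and that the two certificates issued by the one CA carry different serial numbers, since a certificate is identified by (issuer, serial) and a separate sign.sh run in each conf/ssl directory starts its own ca.db.serial counter and can hand out the same number twice; a browser that caches certificates by issuer and serial then reuses the first site's certificate when talking to the second. Hostnames, paths and the unencrypted (no -des3) keys are assumptions made so the script runs unattended; the openssl CLI must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post, not mod_ssl's sign.sh):
# build a private CA, issue two server certificates from it, and check
#   1. that each server's private key pairs with the certificate it serves,
#   2. that the two certificates carry distinct serial numbers.
# Assumptions: openssl CLI on PATH; keys written without a passphrase so
# nothing prompts; hostnames and directories are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1 of the post: CA key and self-signed CA certificate.
make_ca() {                       # $1 = CA directory
    mkdir -p "$1"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/ca.key" \
        -subj "/O=Example/CN=Example Private CA" -out "$1/ca.crt" 2>/dev/null
}

# Step 2 of the post: per-site key and CSR, hostname as the Common Name.
make_site() {                     # $1 = site directory, $2 = hostname
    mkdir -p "$1"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/O=Example/CN=$2" \
        -out "$1/server.csr" 2>/dev/null
}

# Step 3: sign the CSR with the CA. The serial is passed explicitly here;
# sign.sh takes it from a ca.db.serial counter, and two independent runs of
# that counter are where a duplicate serial comes from.
sign_site() {                     # $1 = site dir, $2 = CA dir, $3 = serial
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -CA "$2/ca.crt" -CAkey "$2/ca.key" -set_serial "$3" \
        -out "$1/server.crt" 2>/dev/null
}

# Check 1: the server can only decrypt the client's premaster secret if the
# key it loads is the private half of the public key in the certificate.
key_matches_cert() {              # $1 = key file, $2 = cert file; 0 if they pair
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_serial() {                   # $1 = cert file; prints "serial=..."
    openssl x509 -noout -serial -in "$1"
}

# Check 2: certificates from one issuer must not share a serial number,
# because (issuer, serial) is what identifies a certificate.
serials_differ() {                # $1, $2 = cert files; 0 if serials differ
    [ "$(cert_serial "$1")" != "$(cert_serial "$2")" ]
}

chain_ok() {                      # $1 = cert file, $2 = CA directory
    openssl verify -CAfile "$2/ca.crt" "$1" >/dev/null 2>&1
}

# Build the setup from the post: one CA, two sites.
make_ca "$WORK/ca"
make_site "$WORK/corp" corp.example.test
make_site "$WORK/eng"  eng.example.test

# What two separate from-scratch sign.sh runs would do: both start at serial 1.
sign_site "$WORK/corp" "$WORK/ca" 1
sign_site "$WORK/eng"  "$WORK/ca" 1
if ! serials_differ "$WORK/corp/server.crt" "$WORK/eng/server.crt"; then
    echo "collision: both certificates carry $(cert_serial "$WORK/corp/server.crt")"
fi

# Fix: re-issue the second certificate with the next serial.
sign_site "$WORK/eng" "$WORK/ca" 2
serials_differ "$WORK/corp/server.crt" "$WORK/eng/server.crt" && echo "serials now distinct"

for site in corp eng; do
    chain_ok "$WORK/$site/server.crt" "$WORK/ca" && echo "$site: chains to CA"
    key_matches_cert "$WORK/$site/server.key" "$WORK/$site/server.crt" && echo "$site: key matches cert"
done

# The pairing a failing handshake amounts to: eng's key against corp's cert.
if ! key_matches_cert "$WORK/eng/server.key" "$WORK/corp/server.crt"; then
    echo "eng key does not match corp cert (this pairing gives 'bad rsa decrypt')"
fi
```

To apply this to the post's layout, run key_matches_cert on each site's conf/ssl/server.key and conf/ssl/server.crt, and compare `openssl x509 -noout -serial` on the two server.crt files. The SSLCertificateChainFile and SSLCACertificateFile/Path directives do not enter into this: the first only adds intermediate certificates to what the server sends, the others are used to verify client certificates, and neither changes which private key the server uses to decrypt the client key exchange.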