Hi!
I have two servers: Server A and Server B. This is how they are configured:
Server A: Apache 1.3.12 mod_ssl 2.6.6 OpenSSL 0.9.5a
Server B: Apache 1.3.19 mod_ssl 2.8.3 OpenSSL 0.9.6a
Server A has a valid server.crt file, along with a server.key file that it
has been using for months. I want to restrict access to a certain directory
to allow access only to clients with a valid personal certificate, so at the
end of the SSL <VirtualHost _default_:443> tags I added these lines:
<Directory /my_directory/>
    Options all
    # client certificate is mandatory for this directory only
    SSLVerifyClient require
    SSLVerifyDepth 9
    Allow from all
    SSLRequireSSL
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData
</Directory>
The other lines I have within the <virtualhost _default_:443> tags are
these:
SSLVerifyClient none
SSLVerifyDepth 10
SSLEnable
DocumentRoot "/home/httpsd/html"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /path/to/my/cert.cert
SSLCertificateKeyFile /path/to/my/cert.key
SSLCACertificateFile /path/to/my/ca-bundle.crt
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/home/httpsd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Before my SSL <virtualhost _default_:443> tags I have these lines:
<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel warn
SSLMutex file:/usr/local/apache/ssl_mutex
SSLSessionCache dbm:/usr/local/apache/ssl_scache
SSLSessionCacheTimeout 300
</IfModule>
When I try to connect (using IE5) I am asked which personal certificate I'd
like to use, but then I get "Page cannot be displayed" with the following in
the error log:
[Thu May 31 08:58:52 2001] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Thu May 31 08:58:52 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Thu May 31 08:58:52 2001] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Certificate Verification: Error (7): certificate signature failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Thu May 31 08:58:54 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Thu May 31 08:58:54 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]
So, I copy httpd.conf, cert.crt, cert.key and ca-bundle from Server A to
Server B. I make the necessary changes to the paths in Server B's httpd.conf
file, and BINGO! Using the same browser I connect to Server B and all of a
sudden it works fine! A dialog box appears telling me the server certificate
is not intended for use on this server (ok), I am prompted for which
personal certificate I wish to use (fine), and then my page appears
(excellent)!
Only problem is, I want it to work on Server A, not Server B!
Can anyone suggest what I may be missing? I really don't want to upgrade
Apache and mod_ssl unless I absolutely HAVE to, as I really don't want to
believe that that is where the problem lies.
All suggestions will be gratefully received!
Thanks,
Doug
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
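Added example (editor's addition; not part of Doug's post and not mod_ssl or OpenSSL project code). It illustrates two things from the message above: the check behind the per-directory `SSLVerifyClient require` block, and the log line "Certificate Verification: Error (7): certificate signature failure". The script builds a throwaway CA, issues a client certificate with it, then creates a second CA with the same subject name but a new key (what a re-created CA certificate looks like to the verifier) and runs `openssl verify -CAfile` against each, which is the same chain check mod_ssl performs against the file named in `SSLCACertificateFile`. It assumes only that the `openssl` command-line tool is installed; the names "Example Client CA" and "Doug" and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce OpenSSL verify
# error 7 ("certificate signature failure") with a throwaway CA and show
# the check to run against the ca-bundle a mod_ssl server actually loads.
# All subject names and paths below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed test CA. Called twice with the SAME subject name to mimic a
# CA whose certificate was re-created with a fresh key (a "stale" bundle).
make_ca() {  # $1 = output prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example Client CA" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Personal (client) certificate issued by the CA in $1. No extensions are
# requested, so the leaf carries no authorityKeyIdentifier and the verifier
# selects its issuer by subject name alone, as an old browser cert would.
issue_client_cert() {  # $1 = CA prefix, $2 = client prefix
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=Doug" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -set_serial 1 -days 1 -out "$2.crt" 2>/dev/null
}

# The chain check mod_ssl runs on the presented client certificate, done
# offline against a given ca-bundle. Prints OpenSSL's numeric verify error
# (7 = certificate signature failure), or 0 when the chain is accepted.
# The exit status of "openssl verify" is deliberately not used: releases
# before 1.1.0 exit 0 even when verification fails, so parse the output.
verify_client_cert() {  # $1 = CA bundle (SSLCACertificateFile), $2 = client cert
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' \
         | head -n 1 ;;
  esac
}

make_ca "$WORK/good-ca"
make_ca "$WORK/stale-ca"
issue_client_cert "$WORK/good-ca" "$WORK/client"

# Both CA certificates carry the issuer name the client cert names, so the
# name alone cannot tell a correct bundle from a stale one; only the
# signature check can.
echo "client cert issuer : $(openssl x509 -noout -issuer  -in "$WORK/client.crt")"
echo "good CA subject    : $(openssl x509 -noout -subject -in "$WORK/good-ca.crt")"
echo "stale CA subject   : $(openssl x509 -noout -subject -in "$WORK/stale-ca.crt")"
echo "verify against good-ca.crt  -> error $(verify_client_cert "$WORK/good-ca.crt"  "$WORK/client.crt")"
echo "verify against stale-ca.crt -> error $(verify_client_cert "$WORK/stale-ca.crt" "$WORK/client.crt")"
```

Run against a real deployment, `verify_client_cert /path/to/my/ca-bundle.crt exported-client.crt` on each server, with the bundle path taken from that server's own `SSLCACertificateFile`, tells you whether the certificate the browser presents chains to what mod_ssl on that host is actually loading; a per-directory `SSLVerifyClient require` can only succeed once that check returns 0. The stale-CA run above is the offline equivalent of the "Error (7)" entry in the error log.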