Aaron Turner
Sun, 04 Sep 2005 14:08:20 -0700
Running:

    openssl verify -CAfile ssl.crt/cacert.crt -purpose sslclient aaron_turner.crt

returns OK. But configuring apache with:

    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile conf/ssl.crt/updates.musecurity.net.crt
    SSLCertificateKeyFile conf/ssl.key/updates.musecurity.net
    SSLCACertificatePath conf/ssl.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

where my conf/ssl.crt directory has the cacert.crt with the appropriate hashes, when I run:

    openssl s_client -connect updates.musecurity.net:443 -CAfile cacert.pem -cert aaron_turner.pem -certform pem -showcerts -verify 1

I get:

    [error] Certificate Verification: Error (19): self signed certificate in certificate chain

in my ssl_error_log. openssl returns:

    verify depth is 1
    CONNECTED(00000003)
    depth=1 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./[EMAIL PROTECTED]
    verify return:1
    depth=0 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./OU=Update Server/CN=updates.musecurity.net/[EMAIL PROTECTED]
    verify return:1
    871:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1054:SSL alert number 48
    871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:230:
I think somewhat related is my problem with using:

    SSLCACertificateFile conf/ssl.crt/cacert.crt

which gives me an error:

    SSLCACertificateFile: file '/etc/httpd/conf/ssl.crt/cacert.crt' does not exist or is empty

which is quite strange since the file does exist, contains the certificate and has the correct perms (files are 644 and directories 755). I've even tried copying over the aaron_turner.crt to the conf/ssl.crt directory and regenerating the hashes, but that doesn't help.
I can only assume I'm missing something horribly obvious, but I've been working on this for hours with no luck...
TIA,
Aaron

--
Aaron Turner, Sr. Security Engineer <[EMAIL PROTECTED]>
Ph: 408.329.1956
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
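The two symptoms in the post above are worth being able to reproduce on a throwaway PKI before touching a live server: verify error 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which OpenSSL raises when the chain it built ends in a self-signed certificate that is not in the configured trust store, and SSLCACertificatePath only finds a CA if the directory holds a HASH.0 link (the c_rehash layout) pointing at the certificate. The script below is an added example, not part of the original post or of mod_ssl; it generates a constructed CA and client certificate, checks whether a directory is rehashed, creates the missing links, and reports the numeric verify error exactly as mod_ssl would see it. All paths and subject names are invented for the demo.

```shell
#!/bin/sh
# Added example: reproduce and diagnose "error 19" and a missing c_rehash layout.
# All certificates here are constructed test data; nothing is taken from a real server.
set -eu

# make_test_pki DIR: create DIR/ssl.crt/cacert.crt (self-signed CA) and DIR/client.crt signed by it.
make_test_pki() {
    dir=$1
    mkdir -p "$dir/ssl.crt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ssl.crt/cacert.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ssl.crt/cacert.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/client.crt" 2>/dev/null
}

# check_capath DIR: return 0 if every *.crt in DIR has its HASH.0 link, 1 if any is missing.
# Modern OpenSSL looks up the SHA-1 subject hash; OpenSSL 0.9.x-era mod_ssl used the
# MD5-based hash, which OpenSSL 1.0+ prints with -subject_hash_old instead.
check_capath() {
    dir=$1
    missing=0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$crt")
        if [ -e "$dir/$hash.0" ]; then
            echo "ok      $hash.0 -> $(basename "$crt")"
        else
            echo "missing $hash.0 for $(basename "$crt")"
            missing=1
        fi
    done
    return $missing
}

# rehash_capath DIR: create the HASH.0 links that SSLCACertificatePath needs (what c_rehash does).
rehash_capath() {
    dir=$1
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$crt")
        ln -sf "$(basename "$crt")" "$dir/$hash.0"
    done
}

# verify_error_code CAPATH CERT [extra openssl verify options]: print the numeric X509
# verify error for CERT against the hashed directory CAPATH, or 0 when verification is OK.
verify_error_code() {
    capath=$1
    cert=$2
    shift 2
    if out=$(openssl verify -CApath "$capath" -purpose sslclient "$@" "$cert" 2>&1); then
        echo 0
        return 0
    fi
    # openssl prints "error NN at D depth lookup: <reason>" on failure
    echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

# Run with "sh thisfile.sh demo" to see both states side by side.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    # No links yet: offering the CA in the chain but not trusting it gives error 19.
    echo "before rehash: verify error $(verify_error_code "$work/ssl.crt" "$work/client.crt" \
        -untrusted "$work/ssl.crt/cacert.crt")"
    rehash_capath "$work/ssl.crt"
    check_capath "$work/ssl.crt"
    echo "after rehash:  verify error $(verify_error_code "$work/ssl.crt" "$work/client.crt")"
fi
```

Before the links exist, the client certificate plus its self-signed issuer cannot be anchored anywhere, so the verifier reports error 19, the same code mod_ssl logs as "Certificate Verification: Error (19)". Once the HASH.0 link is in place the same certificate verifies cleanly, which is the check to run against the real conf/ssl.crt directory (with the hash flavour matching the OpenSSL the server is linked against) before looking for problems elsewhere.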