On Friday 27 June 2008, Joe Orton wrote:
> Yup. Changing the "SSLVerifyClient require" to:
>
>   SSLVerifyClient optional
>   SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue solved.

I have another question: Has anyone successfully established a connection to an apache/mod_ssl server with client authentication using a Java client? My client (code below) generates the following log (exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 71 CC D3 DC AF 35 A3 A2 70 1C E5 9A 06 00 ..q....5..p.....
0010: 1F 8B 18 05 6E 55 69 4E 44 18 D2 E5 0A 57 FB D4 ....nUiND....W..
0020: 71 62 17 14 57 2A FE 8F 4D 5A CF 7A 82 09 31 8C qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
0000: 48 64 A7 92 45 15 E8 74 E3 75 A7 BD F7 E3 B8 82 Hd..E..t.u......
0010: 94 D4 1E 75 ED 3D D3 41 0E 5F BA 12 ED 47 E6 B1 ...u.=.A._...G..
Server Nonce:
0000: 48 64 A7 92 B5 6D 56 62 6D E3 7B 67 C7 08 78 13 Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5 75 25 A1 65 F8 DD 85 86 EGZ..b..u%.e....
Master Secret:
0000: 0C 65 EA 1D A6 E6 FC 3C AD AA 34 04 C6 82 81 50 .e.....<..4....P
0010: 07 78 38 FC B6 04 77 3E 7E 90 BC 24 A9 D3 B1 86 .x8...w>...$....
0020: F9 99 26 1A FD 08 9A C3 E0 32 43 D0 A1 59 21 5C ..&......2C..Y!\
Client MAC write Secret:
0000: D0 7D F1 90 58 AF 0B 43 F7 02 39 0C 0C B2 87 C3 ....X..C..9.....
Server MAC write Secret:
0000: 5C AD 45 74 3D 58 96 FB 41 37 72 99 12 D5 BD 3A \.Et=X..A7r....:
Client write key:
0000: 38 AE 1A 7E 63 26 C7 7F 9D E2 74 9E D2 12 55 C9 8...c&....t...U.
Server write key:
0000: 7E 57 BF 54 A7 74 D8 72 72 AC 18 B8 5F 2D F6 06 .W.T.t.rr..._-..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
        at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
        at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
        at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
        at java.net.URL.openStream(URL.java:1009)
        at URLClient.main(URLClient.java:17)

The server logs the following error:

[error] Re-negotiation handshake failed: Not accepted by client!?

Does anyone have experience with Java client verification, or can someone formulate an educated guess as to what the problem could be? I have the cacert root certificate imported at the server side (SSLCACertificateFile), as well as the client side (within the trust store). The server certificate, as well as the client certificate, are issued by cacert. The server certificate is specified using SSLCertificateFile within the VirtualHost and the client certificate is stored within the key store. I can establish an https connection to the same host without client authentication, which leads to the assumption that the server certificate can be verified by the Java client. I have tried to find answers to the problem using google, but none were useful for the problem at hand.

Cheers,
Florian

-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
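Added example, not Florian's client (which is not shown on this page): a Java client that loads its key store and trust store explicitly and builds its own SSLContext for the HttpsURLConnection instead of relying on the javax.net.ssl.* system properties. The store paths, passwords and host name are constructed placeholders. Before connecting it checks that the key store really holds a private-key entry, because a client with a good trust store but no key entry still verifies the server fine, then answers the CertificateRequest with an empty Certificate message, which a server that insists on a client certificate rejects with handshake_failure.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {
    // Constructed placeholders: the key store holds the client certificate and its
    // private key, the trust store holds the CA root that signed the server certificate.
    static final String KEYSTORE = "client.jks";
    static final char[] KEYSTORE_PW = "changeit".toCharArray();
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] TRUSTSTORE_PW = "changeit".toCharArray();

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext() throws Exception {
        KeyStore ks = load(KEYSTORE, KEYSTORE_PW);
        // A store with only trusted-cert entries (no private key) cannot answer a
        // CertificateRequest; fail here instead of at the server's handshake_failure alert.
        boolean hasKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isKeyEntry(e.nextElement())) { hasKey = true; break; }
        }
        if (!hasKey) throw new IllegalStateException("key store has no private-key entry");

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEYSTORE_PW);  // key password assumed equal to the store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, TRUSTSTORE_PW));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://www.example.invalid/");  // placeholder host
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(buildContext().getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Running with -Djavax.net.debug=ssl,handshake should then show the client certificate listed under "*** Certificate chain" rather than an empty block.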