I am required to have our Apache server using PKI client authentication
by the end of July.
I have set up a test server with the latest and greatest
Apache/2.2.2 (Unix)
mod_ssl/2.2.2
OpenSSL/0.9.7
I have set up an ssl.conf using
SSLVerifyClient require
SSLVerifyDepth 10
and populated a CA certification file and enabled
SSLCACertificateFile /usr/local/apache2/conf/dod_ca_bundle.crt
On start, the logs (set to debug) show the dod_ca_bundle.crt file being
read in properly:
-- log output begin -
ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
ssl_engine_init.c(538): Configuring client authentication
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
ssl_engine_init.c(601): Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
-- log output end -
However, when attempting to connect with IE, nothing is returned. The
pertinent log output looks like:
-- log output begin -
ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#918b100 [mem: 9192780] (BIO dump follows)
:
:
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate request A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
-- log output end -
Looks like the next line indicates a problem:
-- log output begin -
ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO #918b100 [mem: 9192780]
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate A
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate A
[client 157.187.160.114] (70014)End of file found: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
-- log output end -
Any help with this problem would be greatly appreciated.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
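The trace above ends right after the server writes its CertificateRequest and then hits EOF while waiting for the next record, which is the signature of a client that had no certificate to offer (or whose user dismissed the prompt) rather than a server-side configuration error. The script below is an added example, not code from the post or from mod_ssl: it walks a mod_ssl debug-log handshake trace, records the last OpenSSL handshake state reached, notes whether the server ever sent a CertificateRequest, and maps the state named in the "Exit: error in ..." line to what to check first. The state strings are the ones OpenSSL 0.9.7/mod_ssl 2.2 print (as quoted in the post); the diagnosis table is this example's own reading of them and not mod_ssl output. The sample trace is reconstructed from the post with the mail-wrapped lines rejoined.

```python
"""Classify where a mod_ssl client-certificate handshake broke down.

Added example, not part of the original mailing-list post. It reads the
"OpenSSL: Loop:", "OpenSSL: I/O error" and "OpenSSL: Exit: error in" lines
that mod_ssl emits at LogLevel debug and summarises the failure.
"""
import re

LOOP_RE = re.compile(r"OpenSSL: Loop: (?P<state>.+?)\s*$")
EXIT_RE = re.compile(r"OpenSSL: Exit: error in (?P<state>.+?)\s*$")
IO_RE = re.compile(r"OpenSSL: I/O error, (?P<n>\d+) bytes expected to read")

# Assumed mapping from the failing handshake state to the first thing to check.
# Written for this example; it is not an official mod_ssl/OpenSSL table.
DIAGNOSIS = {
    "SSLv3 read client certificate A": (
        "Server sent CertificateRequest; client closed the connection instead "
        "of answering. Check that the browser holds a certificate issued by a "
        "CA listed in SSLCACertificateFile (the request advertises exactly "
        "those CA names), that the card/middleware supplied it, and that the "
        "user did not cancel the certificate prompt."
    ),
    "SSLv3 read client key exchange A": (
        "Client aborted between Certificate and ClientKeyExchange; check the "
        "client's private key is usable for the certificate it presented."
    ),
    "SSLv3 read certificate verify A": (
        "CertificateVerify missing or invalid; the client could not sign with "
        "the key matching the certificate it sent."
    ),
    "SSLv3 read client hello A": (
        "Client gave up at ClientHello; check SSLProtocol/SSLCipherSuite "
        "compatibility before looking at client certificates."
    ),
}


def analyze(lines):
    """Summarise one handshake trace.

    Returns a dict with the last state reached, whether a CertificateRequest
    was written, whether EOF hit while waiting for a 5-byte record header,
    the state in which the handshake failed and a diagnosis string.
    """
    result = {
        "last_state": None,
        "certificate_requested": False,
        "eof_at_record_header": False,
        "failed_state": None,
        "diagnosis": None,
    }
    for raw in lines:
        line = raw.strip()
        m = LOOP_RE.search(line)
        if m:
            state = m.group("state")
            result["last_state"] = state
            if "write certificate request" in state:
                result["certificate_requested"] = True
            continue
        m = IO_RE.search(line)
        if m:
            # Every SSLv3/TLS record begins with a 5-byte header; EOF while
            # exactly 5 bytes are expected means the peer sent no record at all.
            result["eof_at_record_header"] = int(m.group("n")) == 5
            continue
        m = EXIT_RE.search(line)
        if m and result["failed_state"] is None:
            state = m.group("state")
            result["failed_state"] = state
            result["diagnosis"] = DIAGNOSIS.get(
                state, "Unrecognised handshake state; read the full trace."
            )
    return result


# Constructed sample: the post's trace with mail-wrapped lines rejoined.
SAMPLE_TRACE = """\
ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate request A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO #918b100 [mem: 9192780]
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate A
""".splitlines()


if __name__ == "__main__":
    summary = analyze(SAMPLE_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real trace with `analyze(open("/usr/local/apache2/logs/error_log").readlines())` after isolating one client's lines; if `certificate_requested` is true and `eof_at_record_header` is true with the failure in "read client certificate A", the server side did its part and the investigation belongs on the client (certificate store, CA names advertised, prompt cancelled). Setting SSLVerifyClient to optional temporarily lets the handshake complete so the CGI environment can confirm which certificate, if any, the browser sends.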