Hello,
I have a host where the client certificate is optional and, in some
directories, required. The server uses SNI, and this configuration worked
fine before SNI.

> <VirtualHost *:443>
> SSLVerifyClient optional
>
> <Location "/certrequirement">
> SSLVerifyClient require
> </Location>
> ...

I use an SNI client (Firefox) with a client certificate that works on optional
locations but does not in the certrequirement location.


> [info] Initial (No.1) HTTPS request received for child 5 (server 
> www.1pc.es:443)
> [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client 
> verification type will force renegotiation, referer: http:
> [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: 
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full 
> renegotiation: complete handshake protocol, referer: http
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
> [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: 
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
> [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 
> [mem: 7f4325577083] (BIO dump follows)
> [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
> [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client 
> hello B
> [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted 
> by client!?, referer: http://www.1pc.es/


> openssl-1.0.0-0.13.beta4.fc12.x86_64
> httpd-2.2.14-1.fc12.x86_64
> mod_ssl-2.2.14-1.fc12.x86_64


Does anyone know where the problem is?
Why does it not work with require, but does the job with optional?


-- 
http://www.1pc.es/


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
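
An added example, not part of the original post: a small Python triage script that pairs each renegotiation mod_ssl starts with its outcome, using only the message strings visible in the log excerpt above. The sample input is that excerpt with wrapped lines rejoined and the truncated referer fields dropped; the function and field names are assumptions made for illustration.

```python
import re

# Constructed sample: the post's excerpt with wrapped lines rejoined and the
# truncated referer fields dropped.
SAMPLE = """\
[info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
[debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation
[info] [client 192.168.1.40] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol
[info] [client 192.168.1.40] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
[error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?
"""

CLIENT = re.compile(r"\[client ([^\]]+)\] (.*)")
EXIT = re.compile(r"OpenSSL: Exit: failed in (.+)")

def renegotiation_report(lines):
    """Return one dict per renegotiation attempt, in log order."""
    attempts, open_, last_exit = [], {}, None

    def start(ip, cause, requested):
        open_[ip] = {"client": ip, "cause": cause, "requested": requested,
                     "result": "no failure logged", "failed_in": None}
        attempts.append(open_[ip])

    for line in lines:
        m = EXIT.search(line)
        if m:  # no [client] tag on this line: attributed by proximity only
            last_exit = m.group(1).strip()
            continue
        m = CLIENT.search(line)
        if not m:
            continue
        ip, msg = m.groups()
        if msg.startswith("Changed client verification type"):
            start(ip, "verification type changed", False)
            last_exit = None
        elif msg.startswith("Requesting connection re-negotiation"):
            if ip in open_ and not open_[ip]["requested"]:
                open_[ip]["requested"] = True
            else:  # a LogLevel below debug hides the line naming the cause
                start(ip, "not logged", True)
                last_exit = None
        elif msg.startswith("Re-negotiation handshake failed") and ip in open_:
            att = open_.pop(ip)
            att["result"], att["failed_in"] = "failed", last_exit
    return attempts

if __name__ == "__main__":
    for attempt in renegotiation_report(SAMPLE.splitlines()):
        print(attempt)
```
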
