http://issues.apache.org/bugzilla/show_bug.cgi?id=42035

           Summary: mod_ssl does not grok SHA-256 client certificates (+ fix)
           Product: Apache httpd-2
           Version: 2.0.59
          Platform: All
               URL: http://dominique.quatravaux.org/Apache-mod_ssl-SHA256/
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

When trying to authenticate against an Apache 2.0.59 server over HTTP/S using client certificates, things only go smoothly when using MD5- or SHA1-signed certificates. SHA256-signed certificates cause an error like so:

    [Tue Apr 03 15:05:09 2007] [error] Certificate Verification: Error (7): certificate signature failure

yet the certificate is correct according to "openssl verify".

At the bug's URL you will find a test case with appropriate cryptographic keys and certificates, a bare-bones httpd.conf, and a Makefile to start the server, query it twice using "wget" and stop it. The second request uses a SHA-256 certificate, and causes an error 500 (instead of the expected 404), and the aforementioned error message is written into the error log.

Calling OpenSSL_add_all_algorithms() as part of ssl_init_SSLLibrary() in ssl_engine_init.c and recompiling Apache solves the problem. My educated guess is that mod_ssl doesn't know about SHA-256 by default, as no SSL or TLS cipher uses it.

There appears to be such a call to OpenSSL_add_all_algorithms() in httpd 2.2.4's init sequence already, although I haven't confirmed that my test case works with it (I can't seem to get 2.2.4 to compile just now).
