A question about client cert verification...
* Consider the following cert chain:
Top root, Primary root, Operational root, Client cert
(Top signs primary, primary signs operational, etc.)
* NT/Apache 1.3.4/mod_ssl 2.2.3 config:
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile refers to a file containing only 'Primary root'
* using Opera 3.6 beta/TLS 1.0 with Client cert installed:
After Opera confirms that he has to give the Client cert, I get
'connection refused' with this in the mod_ssl log:
[info] Connection to child 38 established (server 192.168.0.44:443)
[error] Certificate Verification: Error (19): self signed certificate in certificate chain
[error] Certificate Verification: Certificate Chain too long (chain has 3 certificates, but maximum allowed are only 2)
[error] SSL handshake failed (client 192.168.0.249, server 192.168.0.44:443) (System and OpenSSL library errors follow)
[error] System: Invalid argument (errno: 22)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] Connection to child 38 closed (server 192.168.0.44:443)
Mmm... so SSLVerifyDepth seems to indicate chain length until the self-signed
certificate and not until a certificate in SSLCACertificateFile?
Can anybody confirm this? Or did I (again ;-) ) overlook something?
Christian.
--
ir. Christian Buysschaert - Technical Manager
GlobalSign nv-sa - http://www.globalsign.net
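
The two readings of SSLVerifyDepth asked about above, as an added Python model (not code from the post, mod_ssl or OpenSSL). It assumes the client sent all four certificates; the subject strings and the verify() helper are constructed for illustration.

```python
# Simplified model of the two readings of SSLVerifyDepth raised above.
# Not mod_ssl or OpenSSL code; names and subject strings are constructed.

# (subject, issuer) pairs for the chain in the post, leaf first.
# Assumption: the client sent all four certificates.
CHAIN = [
    ("Client cert", "Operational root"),
    ("Operational root", "Primary root"),
    ("Primary root", "Top root"),
    ("Top root", "Top root"),  # self-signed
]

ERR_SELF_SIGNED_IN_CHAIN = 19  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN


def verify(chain, trusted, max_depth, stop_at_trusted):
    """Return a list of error strings; an empty list means accepted.

    Depth 0 is the client certificate; each issuer is one level deeper.
    stop_at_trusted=False: walk to the self-signed certificate, then
        check whether that certificate is trusted.
    stop_at_trusted=True: end the chain at the first trusted certificate.
    """
    errors = []
    end_depth = None
    for depth, (subject, issuer) in enumerate(chain):
        if stop_at_trusted and subject in trusted:
            end_depth = depth
            break
        if subject == issuer:  # reached a self-signed certificate
            end_depth = depth
            if subject not in trusted:
                errors.append(
                    f"Error ({ERR_SELF_SIGNED_IN_CHAIN}) at depth {depth}: {subject}")
            break
    if end_depth is None:
        errors.append("no trust anchor or self-signed certificate found")
        end_depth = len(chain) - 1
    if end_depth > max_depth:
        errors.append(f"chain too long: depth {end_depth} > {max_depth}")
    return errors
```

With only 'Primary root' trusted and a depth of 2, the first reading (stop_at_trusted=False) reports error 19 and a depth of 3, the same pair of errors as the log above; the second reading accepts the chain.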