Hello Ralf,
> From the mod_ssl User Manual under SSLVerifyDepth:
>
> | The depth actually is the maximum number of intermediate
> | certificate issuers, i.e. the number of CA certificates
> | which are max allowed to be followed while verifying the
> | client certificate. A depth of 0 means that self-signed client
> | certificates are accepted only, the default depth of 1 means
> | the client certificate can be self-signed or has to be signed
> | by a CA which is directly known to the server (i.e. the CA's
> | certificate is under SSLCACertificatePath), etc.
>
> In your case there are 3 issuers (= CA certs) in the chain, so as
> the error message indicates you need at least "SSLVerifyDepth 3", of
> course. The only incorrect thing seems to be that the error reads
> "chain has 3 certificates" while it actually should be "chain has
> 3 CA certificates". I'll change this for mod_ssl 2.2.4.
Understood... but... The mod_ssl manual says 'the default depth of 1
means the client certificate can be self-signed or has to be signed
by a CA which is directly known to the server' and it's this last part
which I'm interested in...
The chain I'm sending is:
client->operational root->primary root->top (self-signed) root
(Chain length 3 to the top (self-signed) root)
But I've put the 'primary root' in SSLCACertificatePath, so it is not
the top (self-signed) root that is known, but one level below is already
'KNOWN' to the server... So a chain length of 2 until a certificate
known to the server (although this known certificate isn't the last
one in the chain sent by the client).
In fact, when I changed the SSLVerifyDepth to 3 and kept the
primary root in the SSLCACertificatePath instead of the top
(self-signed) root, I got the following log:
[info] Connection to child 8 established (server 192.168.0.44:443)
[error] Certificate Verification: Error (19): self signed certificate in
certificate chain
[error] SSL handshake failed (client 192.168.0.249, server
192.168.0.44:443) (System and OpenSSL library errors follow)
[error] System: Invalid argument (errno: 22)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
[info] Connection to child 8 closed (server 192.168.0.44:443)
It seems that the roots in SSLCACertificatePath for mod_ssl (or OpenSSL)
should only be self-signed ones?
Christian.
--
ir. Christian Buysschaert - Technical Manager
GlobalSign nv-sa - http://www.globalsign.net
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
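To make the two points of the thread concrete (how SSLVerifyDepth counts CA certificates, and why a trusted but non-self-signed 'primary root' still yields error 19), here is a small simulation of the chain walk. It is an added example, not mod_ssl or OpenSSL code and not part of the original mail: the Cert class, the chain built from the names in the mail, and the verify() function are all constructed for illustration. The partial_chain switch models a verifier that is willing to stop at a trusted non-self-signed certificate (modern OpenSSL exposes this as X509_V_FLAG_PARTIAL_CHAIN; the mod_ssl/OpenSSL of the thread behaves like partial_chain=False).

```python
"""Simplified model of an X.509 chain walk with a verify-depth limit.

Constructed example: it mimics the three OpenSSL outcomes seen or discussed
in the thread (success, "certificate chain too long", and error 19
"self signed certificate in certificate chain"), not OpenSSL's real code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = True

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed chain using the names from the mail:
# client -> operational root -> primary root -> top (self-signed) root
TOP = Cert("top root", "top root")
PRIMARY = Cert("primary root", "top root")
OPERATIONAL = Cert("operational root", "primary root")
CLIENT = Cert("client", "operational root", is_ca=False)
CHAIN = [CLIENT, OPERATIONAL, PRIMARY, TOP]   # what the client sends


def verify(chain, trusted, verify_depth, partial_chain=False):
    """Walk from the leaf up to a trust anchor.

    Returns (ok, reason, ca_depth). ca_depth counts the CA certificates
    followed, which is the quantity SSLVerifyDepth limits: 0 accepts only
    self-signed client certs, 1 a client cert issued directly by a
    trusted CA, and so on.
    """
    # Issuers may come from the client's chain or from the trust store
    # (the server does not need the client to send the root itself).
    by_subject = {c.subject: c for c in chain}
    by_subject.update({c.subject: c for c in trusted})
    trusted_subjects = {c.subject for c in trusted}

    cert = chain[0]
    ca_depth = 0
    while True:
        if cert.subject in trusted_subjects and (cert.self_signed or partial_chain):
            return True, "ok", ca_depth
        # A trusted but non-self-signed cert is not an anchor for a strict
        # verifier: it keeps walking towards the self-signed root.
        if cert.self_signed:
            # Reached the top of the chain without hitting a trusted root.
            return False, "self signed certificate in certificate chain", ca_depth
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, "unable to get issuer certificate", ca_depth
        if not issuer.is_ca:
            return False, "invalid CA certificate", ca_depth
        ca_depth += 1
        if ca_depth > verify_depth:
            return False, "certificate chain too long", ca_depth
        cert = issuer


if __name__ == "__main__":
    # The configurations discussed in the thread, side by side.
    print("top root trusted, depth 3:     ", verify(CHAIN, [TOP], 3))
    print("top root trusted, depth 2:     ", verify(CHAIN, [TOP], 2))
    print("primary root trusted, depth 3: ", verify(CHAIN, [PRIMARY], 3))
    print("primary root, partial chain:   ", verify(CHAIN, [PRIMARY], 3, partial_chain=True))
```

Run with the top root in the trust store and depth 3 the walk succeeds after following three CA certificates, which is Ralf's count; with only the primary root trusted the strict walk continues past it to the self-signed top root, finds it untrusted, and reports the same error 19 as the log above. Only a verifier that accepts partial chains stops at the primary root with a depth of 2.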