On Sun, 01 Nov 1998 01:39:13 +0100, you wrote:
>
>
>Ralf S. Engelschall wrote:
>
>>
>> > As a result I never succeeded in making an SSL connection using client
>> > certificate with MSIE.
>>
>> Just to inform you that your request is not ignored: I've no clue what's going
>> wrong with MSIE and I currently cannot test it myself (the MSIE installation
>> on my NT box totally screwed up just before ApacheCon). When I find time I'll
>> reinstall MSIE and try it out myself. In the meantime I hope someone else
>> shares his experiences with MSIE and mod_ssl. Is there anything to say? Has
>> nobody had success in using MSIE? Or only problems when client certs are used?
>> Please share your experience.
>> Ralf S. Engelschall
>> [EMAIL PROTECTED]
>> www.engelschall.com
>>
>
>As I mentioned some postings ago (concerning a mini CA with mod_ssl and PHP) I
>succeeded accessing my test site with MSIE 4.01 export edition and a test cert. I
>made a pkcs12 cert for IE following closely the steps outlined in Stephen Henson's
>FAQ:
>
>http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
>
>
>Greetings
>
>Michael

I too followed the excellent pkcs#12 FAQ by Stephen Henson.

My results:

- When accessing my Apache-modSSL web site requiring a valid and
  trusted client cert (SSLVerifyClient=2), I cannot select my
  certificate, instead it says:
  "An error occurred in the secure channel support".
  The Apache error_log says:
    [Mon Nov 2 02:05:06 1998] [error] mod_ssl: SSL_accept failed
    [Mon Nov 2 02:05:06 1998] [error] SSLeay: error:140890C4:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  I included the client cert's CA cert in the ca-bundle.pem file.

- When accessing my Apache-modSSL web site requiring a valid client
  cert (SSLVerifyClient=3), I am not prompted to select a certificate,
  but a connection is made anyhow.
  The Apache ssl_misc_log says:
    [02/Nov/1998:02:25:50 +0100] Cipher: EXP-RC4-MD5
  i.e. no client certificate is used. (no errors)

- When accessing Ralf Engelschall's HTTPS test-page, I am not
  prompted for a certificate and consequently do not see my certificate
  data shown in the CGI variables. I do of course get an HTTPS
  connection.

- Using Netscape Communicator 4.04 I have no problems entering the
  https site, and I'm not allowed in when I don't select a certificate
  to authenticate myself.

- In all cases I can send and receive signed and crypted email with
  the certificate, which has nsCertType=0xa0 (smime&client auth).

I'll try some of our Netscape certificate server certificates tomorrow
at work. We used to have problems getting them into IE, but maybe with
the ca-fix and pkcs12 progs ;-)

Still hope it's one of those MS bugs. I really need to support both NS
and MS clients.

BTW: Just a small question:
- How do I set the (IE4) 'Certificate Properties'->'Fine
  Print...'->'Policy Statement' in a certificate? It's not the same as
  the nsComment field, though it probably has the same meaning/use.

Grtz, Joost.
>
>______________________________________________________________________
>Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>