> > looks GREAT! I just installed it, and it works! FINE, Thanks, Ralf!!
> > Next days I'll make some more tests, but it looks really good so far!
>
> Great, thanks a lot for testing. Then I should start the next feature round.
> A lot of stuff is still waiting in my queue...
:( Yes, but this was mailed a little bit too fast...
ok: this works well if the base64 CRL is in the Cert-Bundle. For the tests
I included it of course. Everything fine so far.
Then I tried to use a hash-symlinked CRL. It *looked* as if it were working,
but I had removed the wrong CRL (I'm not good at reading Base64 ;) ) from
the bundle file, and so I *thought* that the hash-linked file had been
used.
The CRL is not checked (or checked in the wrong way or so), if not in the
ca-bundle. I couldn't get it working.
Any ideas?
A second point is the logging - I don't understand it correctly I think:
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: Certificate with serial number 2 (0x2) revoked per CRL (Issuer: /C=DE)
(quite clear - first line VERY nice :) )
then follows (side effect?) that well-known error block:
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Apr 9 18:32:13 1999] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: SSL error on reading data (OpenSSL library error follows)
[Fri Apr 9 18:32:13 1999] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode
(looks like "signed by unknown CA")
Is netscape stopping the handshake, if there's no other user-cert, or what
caused that (especially SSL error on reading data) ?
And again another point:
Now I have files like:
x509: myTest8-cacert.pem.crt ... ef7c569b.0
crl: myTest8-ca.crl ... ef7c569b.1
but the x509 CA certs seem to be read only if xxxx.0, and not if xxxx.1 !
when I swap (in Makefile) I'll get:
crl: myTest8-ca.crl ... ef7c569b.0
x509: myTest8-cacert.pem.crt ... ef7c569b.1
And the CA is not known! What did I do wrong?
the core action in Makefile is:
hash="`$$ssl_program $$type -noout -hash <$$file`";
(with $type either "x509" or "crl")
ln -s $$file $$hash.$$n;
(in this "simulated for loop", a while [ 1 ] counting up $n)
Any Ideas?
oki,
Steffen
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
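
Added example, not part of the original message or of mod_ssl: OpenSSL's hashed-directory lookup finds certificates under <hash>.<n> but CRLs under <hash>.r<n>, so a loop that shares one suffix and one counter for both kinds (ef7c569b.0 / ef7c569b.1 above) leaves one of them unfound. The sketch keeps the Makefile's ssl_program, type, file, hash and n; link_hashed and audit_hashdir are hypothetical helper names, and files are assumed to be PEM and to live in the hash directory.

```shell
#!/bin/sh
# Added example. ssl_program, type, file, hash and n follow the Makefile
# fragment in the message; link_hashed and audit_hashdir are hypothetical.
ssl_program=${ssl_program:-openssl}

# link_hashed DIR TYPE FILE -- FILE must live in DIR; TYPE is x509 or crl.
# Creates DIR/<hash>.<n> for a certificate and DIR/<hash>.r<n> for a CRL,
# counting n separately per kind, and prints the link name it created.
link_hashed() {
    dir=$1 type=$2 file=$3
    case $type in
        x509) kind="" ;;    # certificates: <hash>.<n>
        crl)  kind="r" ;;   # CRLs:         <hash>.r<n>
        *)    echo "unknown type: $type" >&2; return 2 ;;
    esac
    hash=$($ssl_program "$type" -noout -hash <"$dir/$file") || return 1
    [ -n "$hash" ] || return 1
    n=0
    # Take the first free slot for this hash and this kind.
    while [ -e "$dir/$hash.$kind$n" ] || [ -L "$dir/$hash.$kind$n" ]; do
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$hash.$kind$n" && echo "$hash.$kind$n"
}

# audit_hashdir DIR -- print every hash link whose suffix does not match
# the PEM type of its target (for example a CRL linked as <hash>.1).
audit_hashdir() {
    for link in "$1"/*.[0-9]* "$1"/*.r[0-9]*; do
        [ -L "$link" ] || continue
        if grep -q -e '-----BEGIN X509 CRL-----' "$link" 2>/dev/null; then
            want=crl
        else
            want=x509
        fi
        case ${link##*.} in
            r[0-9]*) have=crl ;;
            *)       have=x509 ;;
        esac
        [ "$want" = "$have" ] || echo "${link##*/}: $want linked as $have"
    done
}
```

Running audit_hashdir on an existing hash directory lists links such as "ef7c569b.1: crl linked as x509" that the lookup will never treat as a CRL.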