I'm running Apache 1.3.6, mod_ssl 2.2.8 and OpenSSL 0.9.2b. I have the
following entry in my httpd.conf:
<Directory "/opt/htdocs/test">
SSLVerifyClient require
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "VeriSign, Inc."
</Directory>
This works just fine for plain html files, and when I create a simple form
with method=get. My browser (Netscape 4.5) asks me which certificate to
use (I only have a Verisign test certificate), I select the certificate,
and the page comes up. The CGI which processes the form seems to have
access to all the certificate-related environment variables it's supposed to.
However, when I change the form to method=post and submit it, the browser
says "An I/O error occured during security authorization. Please try your
connection again." This happens consistently. In the Apache log, I get
the following:
>[Wed Apr 21 10:14:28 1999] [error] mod_ssl: Re-negotiation handshake
>failed: Not accepted by client!?
>[Wed Apr 21 10:14:28 1999] [error] mod_ssl: SSL error on reading data
>(OpenSSL library error follows)
>[Wed Apr 21 10:14:28 1999] [error] OpenSSL: error:140940F5:SSL
>routines:SSL3_READ_BYTES:unexpected record
>[Wed Apr 21 10:14:28 1999] [error] mod_ssl: SSL error on writing data
>OpenSSL library error follows)
>[Wed Apr 21 10:14:28 1999] [error] OpenSSL: error:140940F5:SSL
>routines:SSL3_READ_BYTES:unexpected record
I haven't tried this with Internet Explorer yet. Also, I don't know if
this matters, but I'm using --enable-rule=SSL-SDBM because I'm not sure my
HP/UX 10.20 libdbm is very current. The same error occurred with HP's
libdbm, and I switched because I thought the problem might have something
to do with the SSL connection cache using a faulty libdbm. I haven't tried
gdbm yet.
I don't know if this is a related problem or a different one, but I also
see several occurrences of the errors
OpenSSL: error:0D07E095:asn1 encoding
routines:d2i_ASN1_bytes:wrong tag
and
OpenSSL: error:0D082004:asn1 encoding
routines:d2i_ASN1_OCTET_STRING:nested asn1 error"
in my logs. It's not associated with the above problem as far as I can
tell -- I'm only testing client certificates, they're not required anywhere
but in my test directory. I haven't had lots of user complaints about it,
but it's somewhat troubling all the same.
Has anyone else run into this sort of thing before? Is it a known bug with
Netscape? Thanks.
--
Phil Tracy
Northwestern University, Evanston, IL USA
mailto:[EMAIL PROTECTED] http://dopey.at.nwu.edu/tracy/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]