I have found a solution to this problem.
This seems to almost work. I removed certificate database password
protection in Netscape and then added SSLOptions +OptRenegotiate to
httpd.conf. Now I only get a certificate request when I first enter the
site. However, it still asks me for a password even though the client has
already entered one for the domain.
Arend van der Veen
-----Original Message-----
From: Arend van der Veen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, July 29, 1999 7:57 AM
Subject: Help - where should I turn - Netscape and Client Certificates
>I am using mod_ssl_2.3.6_1.3.6. I generated a client certificate and
>converted to PKCS#12 format. I loaded it into both IE5 and Netscape 4.5.
>Under IE5 everything worked perfectly. In Netscape I had to trust
>certificate first. When I access a link on the secure server I first get
>prompted for a certificate. After a long delay I then get an error stating
>"Netscape has encountered bad data from the server". When I check the error
>log I see an error stating SSL handshake timed out. If I try the link
>again, I get prompted for the certificate again and a user name and password
>and then everything works for the rest of the session!!??
>
>What have I done wrong to trip up Netscape? Following is a list of how I
>configured the certificates.
>
>Thanks in advance,
>Arend van der Veen
>
>1. Installed mod_ssl as instructed.
>2. Generated a CA certificate using CA.sh -newca without modifying
>openssl.cnf.
>3. Extended the expiration date to 5 years
>4. Converted cacert.pem to der format and copied cacert.pem to
>/usr/local/apache_1.3.6/config and cacert.der to apache root.
>5. Edited openssl.cnf and set nsCertType = server. This was previously
>commented out.
>6. Generated and signed Server Certificate. Copied Server Certificate
>and Key to /usr/local/apache_1.3.6/config.
>7. Edited openssl.cnf and set nsCertType = client, mail. This was
>previously commented out. Commented out nsCertType = server.
>8. Updated httpd.conf
>
>SSLProtocol -all +SSLv3
>SSLCipherSuite HIGH:MEDIUM
>SSLCertificateFile /usr/local/apache_1.3.6/conf/BassAleCert.pem
>SSLCertificateKeyFile /usr/local/apache_1.3.6/conf/BassAleKey.pem
>SSLCACertificateFile /usr/local/apache_1.3.6/conf/cacert.pem
>SSLVerifyClient require
>SSLVerifyDepth 1
><Directory /home/dpserver/securehome>
>AuthType Basic
>AuthName Test
>AuthUserFile /home/dpserver/users/testusers
>AuthGroupFile /home/dpserver/users/testgroups
><Limit GET POST>
>require valid-user
></Limit>
></Directory>
><Location /servlet>
>AuthType Basic
>AuthName Test
>AuthUserFile /home/dpserver/users/testusers
>AuthGroupFile /home/dpserver/users/testgroups
><Limit GET POST>
>require valid-user
></Limit>
></Location>
>
>9. Generated a client certificate and converted to PKCS#12 format
>
>CA.sh -newreq
>CA.sh -sign
>openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "Test User" \
>-certfile demoCA/cacert.pem -out newcert.p12
>
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>