Hi all,

I have a problem in client authentication. Here is the context:

- CA and server side: The (root) CA signed certificates for the server and the client (with sign.sh). I put all the certificates .crt (and their hash symlinks) and keys .key in ~server/ssl.
- client side: I imported in Netscape my client.p12 PKCS#12 file.

When I connect to https://server, I first accept server's certificate (even if Netscape warns me: "server is a site that uses encryption to protect transmitted information. However, Netscape does not recognize the authority who signed its Certificate."), then I make Netscape send back the client.p12 certificate. The connection is refused ("A network error occured while Netscape was receiving data"), and the error_log on server's side shows what follows:

> [Fri Oct 22 10:00:10 1999] [notice] Apache/1.3.9 (Unix) mod_ssl/2.4.5 OpenSSL/0.9.4 configured -- resuming normal operations
> [Personnal log info in s3_srvr.c : ssl3_get_client_certificate()] sk_x509_num(sk) == 1
> [Fri Oct 22 10:07:08 1999] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
> [Fri Oct 22 10:07:08 1999] [error] mod_ssl: SSL handshake failed (client X.X.X.X, server server.mydomain.com:443) (OpenSSL library error follows)
> [Fri Oct 22 10:07:08 1999] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

I have a couple of questions, then:

1) Any idea about this "no certificate returned"?
2) What's the difference between s3_srvr.c's error "no certificate returned" and "no certificates returned"?
3) How to make Netscape know my CA? (I haven't seen any "CA certificate Import" option. The only successful thing I can do is include the root cert ca.crt in my client.p12. Is it possible to simply add a root CA?)
4) Why does Netscape just propose me to return my client.p12 to the server, provided that I have other certificates known by Netscape (VeriSigns, etc.)? It all looks like Netscape knows that the server will just be able to admit this certificate, and not any other. How does it work?
5) I succeed in making MSIE know my root CA certificate. But I just can't make it know my client certificate ... which PKCS12 file format to use (if this question makes sense) and how to generate it?

Thanks a lot,
Laurent.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
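
Error 20 in the log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the verifier could not find the certificate's issuer in the CA store it was given. The following script is an added example, not part of the original post; it builds a throwaway CA and client certificate (all names and paths are constructed) and checks the client certificate with `openssl verify -CApath` against a directory that holds the CA with its hash link and against one that does not.

```shell
#!/bin/sh
# Constructed demo PKI: throwaway keys and names, nothing here comes from the post.
work=$(mktemp -d)
mkdir "$work/trusted" "$work/empty"

make_demo_pki() {
    # Self-signed demo root CA, then a client certificate signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$work/trusted/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -in "$work/client.csr" -days 1 \
        -CA "$work/trusted/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/client.crt" 2>/dev/null
}

link_by_hash() {
    # OpenSSL looks up issuers in a CA directory by <subject-hash>.0 file names.
    h=$(openssl x509 -noout -hash -in "$1/ca.crt")
    ln -s ca.crt "$1/$h.0"
}

verify_result() {
    # $1 = CA directory, $2 = certificate; prints "OK", "error 20" or "other".
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case $out in
        *"error 20 "*) echo "error 20" ;;
        *": OK"*)      echo "OK" ;;
        *)             echo "other" ;;
    esac
}

make_demo_pki
link_by_hash "$work/trusted"
echo "CA directory with hash link: $(verify_result "$work/trusted" "$work/client.crt")"
echo "CA directory without the CA: $(verify_result "$work/empty" "$work/client.crt")"
```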
