I didn't see a copy of this come back through the list, so I'm
re-sending it (probably sent it too quickly after subscribing;
the joys of rushing to overcome last-minute problems in a project).
Apologies to those who might see it twice. Grateful thanks to any
able to help.
>Help!
>
>I'm trying to set up Apache+modssl 1.3.6 using the Win32
>binary in the contrib area. Everything pretty much works,
>except for one thing.
>
>I can't get the server to ask the client for a certificate.
>
>Reading through the logs, it looks like there is probably an
>error in configuring the certifying authority. The error is:
>
>mod_ssl: SSL handshake failed (client X.X.X.X,
> server Y.Y.Y.Y:443) (OpenSSL error follows)
>
>OpenSSL: error:140890C7:SSL Routines:SSL_GET_CLIENT_CERTIFICATE:
> peer did not return a certificate [Hint: No CAs known to
> server for verification?]
>
>Now, my browser (Netscape) does have a client cert; I use it all
>the time. I have copied a CA pem file over from another Unix-based
>server I maintain, so that file should also be fine, and it is for
>the CA that generated my client cert. The only thing I can think
>of is that I'm not configuring modssl properly (previously I've
>used apache+ssl, so I'm in the midst of learning the differences
>between the two, plus whatever differences are created by installing
>on NT versus Solaris).
>
>Here is the relevant portion of httpd.conf:
>
> SSLMutex sem
> SSLRandomSeed startup builtin
> SSLSessionCache none
> SSLLog logs/SSL.log
> SSLOptions +ExportCertData
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> <VirtualHost Y.Y.Y.Y:443>
> SSLEngine On
> SSLCertificateFile conf/ssl/Y.cert
> SSLCertificateKeyFile conf/ssl/Y.key
> SSLCACertificateFile conf/ssl/CA.pem
> </VirtualHost>
>
>Explanation:
> I read the modssl user manual, and it indicated that you can't
> use SSLCACertificatePath without the magic hash value symbolic
> link. Symbolic links of course mean squat on NT, and since I
> only have the one CA, I used SSLCACertificateFile instead. Was
> that the right thing to do?
>
>Hopefully someone out there will have some idea of what I'm
>missing. Unfortunately I'm stuck with trying to set up an NT
>version of this because of a Win32-only cgi-bin program I need
>to run.
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
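
The following is an added example, not part of the original post or of mod_ssl. It checks the two things the OpenSSL hint in the quoted error points at: that the file named by SSLCACertificateFile yields at least one certificate after being copied between systems, and that the client certificate's issuer matches one of the subjects in it. It assumes byte-for-byte comparison of the DER names is good enough for a first diagnosis and does not verify signatures; the certificates it builds are constructed toy inputs.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + n

def issuer_and_subject(der):
    """Raw DER Name bytes (issuer, subject) of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                       # Certificate
    _, pos, _ = tlv(der, pos)                     # tbsCertificate
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos             # skip optional [0] version
    fields = []
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        start, (_, _, pos) = pos, tlv(der, pos)
        fields.append(der[start:pos])
    return fields[2], fields[4]

def pem_certs(text):
    """Decode every CERTIFICATE block; tolerates CRLF line endings."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def ca_file_covers(ca_pem, client_pem):
    """(number of distinct CA subjects found, client's issuer is among them)."""
    subjects = {issuer_and_subject(d)[1] for d in pem_certs(ca_pem)}
    return len(subjects), issuer_and_subject(pem_certs(client_pem)[0])[0] in subjects

# Constructed toy input: only the fields parsed above, not usable certificates.
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body         # short-form lengths only

def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x13, cn))))

def toy_pem(issuer_cn, subject_cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30),
               _name(issuer_cn), _der(0x30), _name(subject_cn))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\r\n%s\r\n-----END CERTIFICATE-----\r\n" % b64
```

To run it against real files, read conf/ssl/CA.pem and an exported client certificate as text and pass both strings to `ca_file_covers`; a result of `(0, False)` means no certificate block was found in the CA file at all.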