Hi,
I have the following situation:
Client <==SSL==> Proxy <==SSL==> Website

Proxy httpd.conf:
...
SSLCACertificateFile cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
...

Website httpd.conf:
...
SSLCACertificateFile cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
...
Website (ssl.private.com) and Proxy (ssl.public.com) run on Apache 1.3.12 / mod_ssl 2.6.6 / openssl 0.96 under Linux Slackware 7.0.
mod_ssl was compiled with --enable-rule=SSL_EXPERIMENTAL.
The cacert.pem files are the same in both cases. And it doesn't work!!! The log files are shown below:
Proxy SSL_LOG file:

[trace] OpenSSL: Loop: SSLv3 read client certificate A
[trace] OpenSSL: Loop: SSLv3 read client key exchange A
[trace] OpenSSL: Loop: SSLv3 read certificate verify A
...
[trace] OpenSSL: Loop: SSLv3 read finished A
[trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[trace] OpenSSL: Loop: SSLv3 write finished A
[trace] OpenSSL: Loop: SSLv3 flush data
[trace] OpenSSL: Handshake: done
[info] Connection: Client IP: 192.168.0.2, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
...
[info] Subsequent (No.9) HTTPS request received for child 3 (server ssl.public.com:443)
[error] SSL proxy connect failed (ssl.public.com:443): peer ssl.private.com:4443: sslv3 alert handshake failure
Website SSL_LOG file:

[trace] OpenSSL: Loop: SSLv3 read client hello A
[trace] OpenSSL: Loop: SSLv3 write server hello A
[trace] OpenSSL: Loop: SSLv3 write certificate A
[trace] OpenSSL: Loop: SSLv3 write key exchange A
[trace] OpenSSL: Loop: SSLv3 write certificate request A
[trace] OpenSSL: Read: SSLv3 read client certificate A
[trace] OpenSSL: Write: SSLv3 read client certificate B
[trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[error] SSL handshake failed (server ssl.private.com:4443, client ssl.public.com) (OpenSSL library error follows)
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]
When I enter 'SSLVerifyClient none' in the Website httpd.conf it works correctly. But Website should use CA certificate authentication.

Any ideas???
Krzysztof Kraska
Technical University of Szczecin
Computer Science Department
ul. Zolnierska 49
71-210 Szczecin
Poland
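The backend log above says the TLS client on the second hop, which is the proxy itself, returned no certificate. The following proxy-side configuration is an added example, not the poster's config: it keeps the posted incoming-side directives and adds the mod_ssl experimental proxy directives that make the proxy present its own certificate to the Website and verify the Website's certificate in return. The directive names are assumed to be those of the mod_ssl 2.6 SSL proxy support; the file paths and the file name proxy-machine.pem are assumptions.

```apache
# Proxy (ssl.public.com) httpd.conf, added example (not the original post's config).
# Assumptions: mod_ssl 2.6 experimental proxy directives; file paths are illustrative.

# Incoming hop (browser -> proxy): require and verify the browser's client certificate.
SSLCACertificateFile /etc/ssl/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1

# Outgoing hop (proxy -> Website): the Website's "SSLVerifyClient require" applies to
# the proxy as the TLS client, so the proxy must present a certificate issued by a CA
# listed in the Website's cacert.pem. Without this directive the Website logs
# "peer did not return a certificate". The file holds the proxy's certificate and its
# private key; mod_ssl cannot prompt for a pass phrase here, so the key is unencrypted
# and the file must be readable only by the Apache user.
SSLProxyMachineCertificateFile /etc/ssl/proxy-machine.pem

# Verify the Website's server certificate as well, so the proxy does not forward
# client-authenticated sessions to a host that merely answers on port 4443.
SSLProxyCACertificateFile /etc/ssl/cacert.pem
SSLProxyVerify require
SSLProxyVerifyDepth 1
```

Note that the browser's certificate is not forwarded across the second hop: the Website authenticates the proxy, not the end user, so any per-user authorization on the Website has to be based on information the proxy passes along explicitly.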