I posted this at the beginning of the month. Got no replies, so I'm
asking again. If I have to do it a third time I'll YELL IN ALL CAPS. :)
/r$
From rsalz Mon Oct 2 15:04:41 2000
From: [EMAIL PROTECTED]
Date: Mon, 2 Oct 2000 15:00:39 -0400
To: [EMAIL PROTECTED]
Subject: optional_no_ca and verifydepth?
Reply-To: [EMAIL PROTECTED]
How can I configure the following?
The client may, or may not, have a certificate.
If the client has a certificate, I want them to send it.
I do not want mod_ssl to do any path verification, CA checking, etc.
My own code will then do something like this:
{
    /* mod_ssl 2.x keeps the connection's SSL object in the connection context */
    SSL *ssl = (SSL *)ap_ctx_get(r->connection->client->ctx, "ssl");
    if (ssl == NULL) {
        /* no SSL context; shouldn't happen, right? */
    }
    else {
        X509 *xs = SSL_get_peer_certificate(ssl);
        if (xs == NULL) {
            /* no client cert. */
        }
        else {
            /* all's well ... (xs is a new reference: X509_free(xs) when done) */
        }
    }
}
To figure out what was going on, I had to patch the "new connection hook"
so that it also logged the detailed error code:
/*
* Check for failed client authentication
*/
if ( SSL_get_verify_result(ssl) != X509_V_OK
|| ap_ctx_get(fb->ctx, "ssl::verify::error") != NULL) {
cp = (char *)ap_ctx_get(fb->ctx, "ssl::verify::error");
ssl_log(srvr, SSL_LOG_ERROR|SSL_ADD_SSLERR,
! "SSL client authentication failed: %s (error code 0x%x)",
cp != NULL ? cp : "unknown reason",
+ SSL_get_verify_result(ssl));
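Review bot: the added `0x%x` conversion in the `ssl_log` format does not match `SSL_get_verify_result()`, which returns a `long`, so the logged code is only right by accident on platforms where `long` and `unsigned int` have the same size; use `%ld` or cast the value. The same call is also made twice in the `if` and again in the log arguments; fetch it once into a local, and consider logging `X509_verify_cert_error_string(result)` alongside the number so nobody has to grep include/openssl/*.h for "1b" or "27" to learn that it means an untrusted certificate.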
I have "SSLLogLevel debug" in httpd.conf. Was there something else I
needed to set in order to get the detailed error message? Printing it
out and then grep'ping for "-i 1b" and "27" in include/openssl/*.h wasn't
quite what I was expecting to have to do...
I thought
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 0
would do what I wanted, but I get "untrusted cert" back. :(
Replies to me will be summarized for the list. Thanks.
/r$
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]