Hello all,

I am trying to implement on my server a credit card verification service provided by a card authorization center.

The idea is:
1. The customer fills in a form on my server, where a unique ID is generated.
2. Then he goes to the card authorization server page, where he fills in the card number etc.
3. Then the authorization center client connects to my server and tries to POST some information. The client should be verified as having the proper certificate.

The authorization center sent me their self-signed CA cert, which I put in my HTTP server configuration (/etc/httpd/conf/ssl.crt, followed by make update).

The whole process fails because of Certificate Verification: Error (26): unsupported certificate purpose.
Does it mean that their client certificate is bad? How to prove it? Or maybe openssl has a bug?

When I connect to my server from a browser that has a private cert from Thawte, it works fine.

Any ideas?? 

Below are the configuration and logs for those who are interested in helping me.
Thanks in advance.

Michal


Environment: 
-----------
RH 6.1, Apache/1.3.14 (Unix) PHP/4.0.3pl1 mod_ssl/2.7.1 OpenSSL/0.9.6

httpd.conf (SSL section):
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt  (cert signed by Thawte)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
<Location /secure>
SSLVerifyClient require
SSLVerifyDepth  10
</Location>

Logs:
----
Notice: Because of privacy reasons I replaced:
        authorization center client IP = a.b.c.d
        authorization center CA certificate: /C=AA/ST=BB/L=CITY/O=DD/OU=EE/CN=FF Test CA
        my CA certificate: /C=MY/ST=STATE/L=MYCITY/O=MY_ORG/OU=MY_ORG_UNIT/CN=my.server.com
        my server address: my.server.com

ssl_engine_log:
...
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 4 Public Primary Certification Authority - G3
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=AA/ST=BB/L=CITY/O=DD/OU=EE/CN=FF Test CA
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=MY/ST=STATE/L=MYCITY/O=MY_ORG/OU=MY_ORG_UNIT/CN=my.server.com
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=AA/ST=BB/L=CITY/O=DD/OU=EE/CN=FF Test CA
[14/Jan/2001 03:13:04 29186] [trace] CA certificate: /C=AA/ST=BB/L=CITY/O=DD/OU=EE/CN=FF Test CA
[14/Jan/2001 03:13:04 29186] [trace] Init: (my.server.com:443) Configuring RSA server certificate
[14/Jan/2001 03:13:04 29186] [trace] Init: (my.server.com:443) Configuring RSA server private key
[14/Jan/2001 03:15:07 29187] [info]  Connection to child 0 established (server my.server.com:443, client a.b.c.d)
[14/Jan/2001 03:15:07 29187] [info]  Seeding PRNG with 1160 bytes of entropy
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Handshake: start
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: before/accept initialization
[14/Jan/2001 03:15:07 29187] [debug] OpenSSL: read 11/11 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:07 29187] [debug] OpenSSL: read 97/97 bytes from BIO#08217388 [mem: 0822B84B] (BIO dump follows)
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 read client hello A
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 write server hello A
[14/Jan/2001 03:15:07 29187] [debug] OpenSSL: write 1024/1024 bytes to BIO#08217388 [mem: 08238C68] (BIO dump follows)
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 write certificate A
[14/Jan/2001 03:15:07 29187] [debug] OpenSSL: write 1024/1024 bytes to BIO#08217388 [mem: 08238C68] (BIO dump follows)
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 write server done A
[14/Jan/2001 03:15:07 29187] [debug] OpenSSL: write 25/25 bytes to BIO#08217388 [mem: 08238C68] (BIO dump follows)
[14/Jan/2001 03:15:07 29187] [trace] OpenSSL: Loop: SSLv3 flush data
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 5/5 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 134/134 bytes from BIO#08217388 [mem: 0822B845] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 5/5 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 1/1 bytes from BIO#08217388 [mem: 0822B845] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 5/5 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 40/40 bytes from BIO#08217388 [mem: 0822B845] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 read finished A
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write finished A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 51/51 bytes to BIO#08217388 [mem: 08238C68] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 flush data
[14/Jan/2001 03:15:08 29187] [trace] Inter-Process Session Cache: request=SET status=OK id=F0FAA76F0E47CEFF8404692AD4EFB7077C4A6A384CE1131AE46BF95E6C22A3EE timeout=299s (session caching)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Handshake: done
[14/Jan/2001 03:15:08 29187] [info]  Connection: Client IP: a.b.c.d, Protocol: TLSv1, Cipher: EDH-RSA-DES-CBC3-SHA (168/168 bits)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 237/18437 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [info]  Initial (No.1) HTTPS request received for child 0 (server my.server.com:443)
[14/Jan/2001 03:15:08 29187] [trace] Changed client verification type will force renegotiation
[14/Jan/2001 03:15:08 29187] [info]  Requesting connection re-negotiation
[14/Jan/2001 03:15:08 29187] [trace] Performing full renegotiation: complete handshake protocol
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 237/18437 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] I/O: sucked 204 bytes of input data from SSL/TLS I/O layer for delayed injection into Apache I/O layer
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Handshake: start
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSL renegotiate ciphers
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write hello request A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 37/37 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 flush data
[14/Jan/2001 03:15:08 29187] [info]  Awaiting re-negotiation handshake
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Handshake: start
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: before accept initialization
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: read 109/18437 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 read client hello A
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write server hello A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 1024/1024 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write certificate A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 1024/1024 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 1024/1024 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [debug] OpenSSL: write 8396/8396 bytes to BIO#08217388 [mem: 082343F9] (BIO dump follows)
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[14/Jan/2001 03:15:08 29187] [trace] OpenSSL: Loop: SSLv3 flush data
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: read 1448/18437 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: read 149/149 bytes from BIO#08217388 [mem: 0822BDE8] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [trace] Certificate Verification: depth: 0, subject: /C=AA/ST=BB/L=CITY/O=DD/OU=something1/CN=a.b.c.d, issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-[EMAIL PROTECTED]
[14/Jan/2001 03:15:09 29187] [error] Certificate Verification: Error (26): unsupported certificate purpose
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: write 29/29 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [trace] OpenSSL: Write: SSLv3 read client certificate B
[14/Jan/2001 03:15:09 29187] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[14/Jan/2001 03:15:09 29187] [error] Re-negotiation handshake failed: Not accepted by client!?
[14/Jan/2001 03:15:09 29187] [trace] I/O: injecting 204 bytes of pre-sucked data into Apache I/O layer
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: read 404/18437 bytes from BIO#08217388 [mem: 0822B840] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: write 29/29 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [trace] OpenSSL: Write: SSLv3 read client certificate B
[14/Jan/2001 03:15:09 29187] [debug] OpenSSL: write 29/29 bytes to BIO#08217388 [mem: 08253838] (BIO dump follows)
[14/Jan/2001 03:15:09 29187] [trace] OpenSSL: Write: SSLv3 read client certificate B
[14/Jan/2001 03:15:09 29187] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[14/Jan/2001 03:15:09 29187] [error] SSL error on writing data (OpenSSL library error follows)
[14/Jan/2001 03:15:09 29187] [error] OpenSSL: error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
[14/Jan/2001 03:15:09 29187] [info]  Connection to child 0 closed with standard shutdown (server my.server.com:443, client a.b.c.d)

error_log:
[Sun Jan 14 03:13:04 2001] [notice] Apache/1.3.14 (Unix) PHP/4.0.3pl1 mod_ssl/2.7.1 OpenSSL/0.9.6 configured -- resuming normal operations
[Sun Jan 14 03:13:04 2001] [info] Server built: Dec 15 2000 23:51:47
[Sun Jan 14 03:15:09 2001] [error] mod_ssl: Certificate Verification: Error (26): unsupported certificate purpose
[Sun Jan 14 03:15:09 2001] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Sun Jan 14 03:15:09 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Sun Jan 14 03:15:09 2001] [error] OpenSSL: error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
[Sun Jan 14 03:15:09 2001] [info] [client a.b.c.d] client stopped connection before rflush completed

ssl_request_log
[14/Jan/2001:03:15:09 +0100] a.b.c.d TLSv1 EDH-RSA-DES-CBC3-SHA "POST /secure/put_results_of_authorization_into_DB.php HTTP/1.0" 324


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
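Error 26 is OpenSSL's X509_V_ERR_UNSUPPORTED_CERTIFICATE_PURPOSE: with SSLVerifyClient on, mod_ssl has OpenSSL check the presented certificate against the "SSL client" purpose, and a certificate whose own extendedKeyUsage, nsCertType or keyUsage extension rules out client use fails at depth 0 even when its CA is trusted, which is worth checking first since the depth-0 line above shows a certificate issued by the Thawte Server CA. The Python below is an added example, not code from the post, mod_ssl or OpenSSL; it is a simplified model of that decision with constructed extension sets for a server-only certificate and a client certificate (the CA branch ignores the keyUsage and version rules OpenSSL also applies).

```python
# Simplified model of OpenSSL's "SSL client" purpose check, the check mod_ssl
# applies to a presented client certificate.  Added example; not mod_ssl code.
from __future__ import annotations
from dataclasses import dataclass
X509_V_OK = 0
X509_V_ERR_UNSUPPORTED_CERTIFICATE_PURPOSE = 26  # "unsupported certificate purpose"

# Extension values, named as `openssl x509 -noout -text` prints them.
KU_DIGITAL_SIGNATURE = "Digital Signature"
XKU_SSL_CLIENT = "TLS Web Client Authentication"
XKU_SSL_SERVER = "TLS Web Server Authentication"
NS_SSL_CLIENT = "SSL Client"
NS_SSL_SERVER = "SSL Server"
NS_SSL_CA = "SSL CA"
@dataclass
class CertExtensions:
    # None means the extension is absent; OpenSSL then imposes no restriction.
    key_usage: set | None = None
    ext_key_usage: set | None = None
    ns_cert_type: set | None = None
    basic_constraints_ca: bool = False

def ssl_client_purpose_ok(cert: CertExtensions, is_ca: bool) -> bool:
    """Mirror of the decision order in OpenSSL's check_purpose_ssl_client()."""
    # extendedKeyUsage present but without clientAuth: reject at any depth.
    if cert.ext_key_usage is not None and XKU_SSL_CLIENT not in cert.ext_key_usage:
        return False
    if is_ca:
        # Issuers (depth > 0) must be CAs; nsCertType, if present, must allow "SSL CA".
        if not cert.basic_constraints_ca:
            return False
        return cert.ns_cert_type is None or NS_SSL_CA in cert.ns_cert_type
    # The end entity must be able to sign the handshake's CertificateVerify message.
    if cert.key_usage is not None and KU_DIGITAL_SIGNATURE not in cert.key_usage:
        return False
    # nsCertType present but without the "SSL Client" bit: reject.
    return cert.ns_cert_type is None or NS_SSL_CLIENT in cert.ns_cert_type

def verify_client_cert(cert: CertExtensions) -> int:
    """Verify result mod_ssl would log for the depth-0 (presented) certificate."""
    if ssl_client_purpose_ok(cert, is_ca=False):
        return X509_V_OK
    return X509_V_ERR_UNSUPPORTED_CERTIFICATE_PURPOSE

# Constructed: a typical web-server certificate, marked for server use only.
SERVER_ONLY_CERT = CertExtensions(ns_cert_type={NS_SSL_SERVER}, ext_key_usage={XKU_SSL_SERVER})
# Constructed: a certificate issued for client authentication.
CLIENT_CERT = CertExtensions(key_usage={KU_DIGITAL_SIGNATURE}, ext_key_usage={XKU_SSL_CLIENT})
# Constructed: no usage extensions at all; OpenSSL accepts it for any purpose.
BARE_CERT = CertExtensions()
```

The same check from the command line: `openssl x509 -in client.crt -noout -purpose` lists each purpose as Yes/No, and `openssl verify -purpose sslclient -CAfile ca.crt client.crt` reproduces mod_ssl's verdict for the certificate the authorization center's client presents.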