Hello. 

        I've recently started playing with mod_ssl
and had done well with it till I decided to switch off
the test certs (SnakeOil) and onto real certs.  I successfully
created and signed my own cert as documented in the mod_ssl
users guide, but ran into trouble when trying to connect with
a browser.

        I'm testing with Netscape and Mozilla.  When I hit
the server (https://) I get the normal "This is a secure page
blah, blah", and then another window "No User Certificate: The
server may not let you connect without one".  I click "Next"
there and get a window saying "An IO Error Occurred.  Try Connecting
Again".  This happens over and over again each time I try.  I've
tried several different machines and got the same result.  I tried
IE on NT, and essentially the same thing happened, except that
instead of an IO error I just got an error page.  (effectively
the same result)  After inspecting my ssl_engine_log I find this
line, which seems to correspond to the IO error:

[12/Mar/2001 21:08:15 09014] [info]  Connection to child 2 established
(server xxx.blah.com:443, client xxx.xxx.xxx.xxx)
[12/Mar/2001 21:08:15 09014] [info]  Seeding PRNG with 1160 bytes of entropy
[12/Mar/2001 21:08:19 09014] [error] SSL handshake failed (server
xxx.blah.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[12/Mar/2001 21:08:19 09014] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

        (Note: I did in fact block out the hostname and IP for security reasons,
it's not a misconfigured system in that regard <grin>)

So my problem, as mentioned by the log, is that I don't have a CA server.
I've looked through the docs for OpenSSL and mod_ssl and can't find anything
about building/configuring a CA server; there's plenty on signing certs AS a
CA, but not actually serving as a CA for requests.  So how do I?  Or is this
in the docs and I simply missed it?  Part of my confusion is in whether the
CA "Server" is a daemon or not.  Do I need to launch an OpenSSL session that
stays open on a given port for requests, or does Apache with mod_ssl take
care of the magic?  This is really driving me nuts, and SSL is really
cool... I'm totally thrilled that there is such a good open source SSL tool
kit available that everyone can play with.

Just for kicks, here's some lines from my httpd.conf, all under the default
virtual host on port 443 (i.e. lines modified from the originally placed ones.
I've excluded lines that I didn't think were interesting or applied):

<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName xxx.blah.com
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:LOW:RC4+RSA:+SSLv2
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
SSLCARevocationPath /usr/local/apache/conf/ssl.crl
SSLVerifyClient optional_no_ca 
SSLVerifyDepth  10
</VirtualHost>

The directives that I'm not 100% clear about (even after reading the docs,
which were really great) are SSLCipherSuite and SSLVerifyClient.  I've tried
other variants for SSLVerifyClient, but they didn't really help.  It seems
like I can only get this thing to work well when I specify that
no-encryption is an option.... which is exactly against the point.

        So, ultimately the question is, do I have a config problem, a client
problem, a psychological problem, or do I simply lack a CA server? Any help
is GREATLY appreciated.  Sorry for being so wordy, but I figured I'd just be
complete the first time.

        benr.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
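The post above asks whether a CA has to be a daemon listening on a port. It does not: the CA is just a key pair plus a self-signed certificate, and "serving as a CA" means running the openssl command over a certificate signing request. The script below is an added example, not code from the post or from the mod_ssl project; it builds a throwaway private CA, issues a client certificate from a CSR, and then runs the same chain check that a server configured with SSLCACertificateFile performs at handshake time (a certificate issued by the CA verifies, a self-signed one that no known CA issued does not). The CA name, the client name "alice" and the "rogue" certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal offline CA with the
# openssl command line. Nothing here listens on a port.
set -eu

WORK="${TMPDIR:-/tmp}/modssl-ca-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The CA itself: a private key and a self-signed certificate.
#    In production the key stays offline; here it lives in a temp dir.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Private CA (constructed)" \
    -keyout ca.key -out ca.crt 2>/dev/null
}

# 2. A client generates its own key and a certificate signing request.
#    Only the CSR travels to the CA; the key never leaves the client.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# 3. The CA signs the request. This single command is the whole
#    "serving as a CA" step; the result is the client certificate.
sign_with_ca() {
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out "$1.crt" 2>/dev/null
}

# 4. What SSLCACertificateFile enables during the handshake: check that the
#    presented certificate chains to a CA the server trusts. Prints OK or FAIL.
verify_client() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

make_ca
make_client_csr alice
sign_with_ca alice

# A self-signed certificate that no trusted CA issued (constructed for contrast).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=rogue" -keyout rogue.key -out rogue.crt 2>/dev/null

echo "alice.crt: $(verify_client alice.crt)"   # OK
echo "rogue.crt: $(verify_client rogue.crt)"   # FAIL
```

The ca.crt produced here is what would go into the file named by SSLCACertificateFile, and alice.crt plus alice.key is what the browser would import as a user certificate. With SSLVerifyClient set to require, a connection that presents nothing, or presents something like rogue.crt, is refused for the same reason verify_client reports FAIL.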