Hello!

I have a strange problem (probably more than one) using SSL Client Auth
with Apache/1.3.19 (Unix) mod_perl/1.25 mod_ssl/2.8.1 OpenSSL/0.9.6.

There is a (perl) cgi-script which should only be executed when
accessing it with a valid SSL client certificate. The certificate is
okay; its CA cert and CRL are in the files /etc/apache/UCA.pem and
/etc/apache/CRL.pem (see extract from httpd.conf).

Now, the following things happen:
On the first access to the script, the certificate is presented by the
(Netscape) browser and accepted, BUT the environment is missing any SSL
information:

SERVER_SOFTWARE: Apache/1.3.19 (Unix) mod_perl/1.25 mod_ssl/2.8.1 OpenSSL/0.9.6
GATEWAY_INTERFACE: CGI/1.1
REMOTE_ADDR: xxx.xxx.xxx.xxx
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: POST
QUERY_STRING: 
PATH: /bin:/usr/bin
TZ: MET
HTTPS: on
SCRIPT_NAME: /cgi/restricted.cgi
SERVER_NAME: yyy.yyy.yyy.yyy
PATH_INFO: 
REQUEST_URI: /cgi/restricted.cgi
CONTENT_TYPE: application/x-www-form-urlencoded
CONTENT_LENGTH: 30
SERVER_ADMIN: [EMAIL PROTECTED]

The next time I access the script (e.g. through "Reload"), I get the
following error:

[Thu Mar 29 12:52:52 2001] [error] mod_ssl: Cannot find peer certificate chain

I don't get the error when "Reposting form data".
I removed +OptRenegotiate from SSLOptions which resulted in presenting
the certificate every time the script is accessed. This did not result
in the error.

I think this is unrelated to my environment variable problem, but I am
not sure. Is there a known problem with caching certificate data when
using +OptRenegotiate?

Since I did not get the variable "SSL_CLIENT_S_DN_Email" (although
SSLOptions +StdEnvVars is set), I tried SSLOptions +FakeBasicAuth to get
at least the variable "REMOTE_USER"... nothing. Same result as above.


What's going wrong here?

Best Regards,

        Ruediger Riediger

------------------------------------------------------------------------
extract from httpd.conf

<VirtualHost _default_:443>
        SSLEngine       on
        SSLProtocol     all -SSLv2
        SSLCipherSuite  ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        
        SSLCertificateFile      /etc/apache/httpd.pem
        SSLCertificateChainFile /etc/apache/SCA.pem

        SSLCACertificateFile    /etc/apache/UCA.pem
        SSLCARevocationFile     /etc/apache/CRL.pem

        <Files restricted.cgi>
                SetHandler      cgi-script
                Order           deny,allow
                Allow           from all
                SSLVerifyClient require
                SSLVerifyDepth  1
                SSLOptions      +StrictRequire +OptRenegotiate +StdEnvVars
                SSLCipherSuite  HIGH:MEDIUM
        </Files>
</VirtualHost>
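The symptom above (HTTPS=on but no SSL_* variables, so no SSL_CLIENT_S_DN_Email) is worth guarding against inside the script itself, independent of whether mod_ssl's SSLVerifyClient is behaving. The following is an added example, not the poster's script: a fail-closed check on the standard mod_ssl variables that SSLOptions +StdEnvVars exports, written in Python rather than Perl; the email address and DN values in the verified sample are constructed.

```python
import os
import sys

# mod_ssl variables (exported with SSLOptions +StdEnvVars) that must be
# present before the script treats the request as client-authenticated.
REQUIRED_SSL_VARS = ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN", "SSL_CLIENT_S_DN_Email")


def check_client_cert(environ):
    """Return (ok, reason, email). Fails closed: HTTPS=on alone does not
    prove that a client certificate was presented and verified."""
    if environ.get("HTTPS") != "on":
        return False, "request did not arrive over TLS", None
    missing = [v for v in REQUIRED_SSL_VARS if not environ.get(v)]
    if missing:
        # Exactly the situation in the post: TLS is on, SSL_* variables absent.
        return False, "missing mod_ssl variables: " + ", ".join(missing), None
    verify = environ["SSL_CLIENT_VERIFY"]
    if verify != "SUCCESS":  # other values are NONE, GENEROUS, FAILED:<reason>
        return False, "client verification state is %s" % verify, None
    return True, "client certificate verified", environ["SSL_CLIENT_S_DN_Email"]


def respond(environ):
    """Build a CGI response; returns (http_status, response_text)."""
    ok, reason, email = check_client_cert(environ)
    if not ok:
        body = "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
        return 403, body + "Access denied: %s\n" % reason
    return 200, "Content-Type: text/plain\r\n\r\nHello %s\n" % email


# Constructed sample: the variable dump from the post (no SSL_* entries at all).
ENV_FROM_POST = {"HTTPS": "on", "SCRIPT_NAME": "/cgi/restricted.cgi",
                 "REQUEST_METHOD": "POST", "SERVER_PROTOCOL": "HTTP/1.0"}

# Constructed sample: what a verified request should carry (values made up).
ENV_VERIFIED = dict(ENV_FROM_POST,
                    SSL_CLIENT_VERIFY="SUCCESS",
                    SSL_CLIENT_S_DN="/C=XX/O=Example/CN=Test User",
                    SSL_CLIENT_S_DN_Email="user@example.invalid")

if __name__ == "__main__":
    # Run as a real CGI: decide from the process environment Apache set up.
    status, text = respond(os.environ)
    sys.stdout.write(text)
```

Under the configuration in the post, a request that reaches the script with the environment shown above is refused with 403 and the missing variable names are reported in the response body, which makes the misbehaviour visible instead of silently granting access.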
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]