On Thu, Jun 07, 2001 at 11:37:40PM +0900, K.Umesawa wrote:
> I'm trying to get a Client-Certificate-Chain 
> by using SSL_CLIENT_CERT_CHAIN_n in my CGI 
> which works on Apache 1.3.19 + mod_ssl2.8.3.    
> Now I can get a data of SSL_CLIENT_CERT and SSL_SERVER_CERT(and client 
> authentication is success), but I can't get any data of 
> SSL_CLIENT_CERT_CHAIN_n(with n=0,1,2,..)... 
>                               ~~~
> When I use "openssl s_server" command and connect its sample server 
> from Netscape4.7 and IE5.5, I can see Client-Certificate-Chain data 
> on Network Analyzer(ethereal).  
> But I don't see the data like Client-Certificate-Chain 
> when I start up Apache+mod_ssl and 
> send Client-Certificate-Chain to Apache 
> from Netscape4.7 and IE5.5(BUT Client Authentication is SUCCESS!(Why?)).
> 
> Is there any relation between "I can't get SSL_CLIENT_CERT_CHAIN_n" and 
> "There is no data like Client-Certificate-Chain on network"?
> If there is no relation, why I can't get Client-Certificate-Chain 
> though I can get SSL_CLIENT_CERT.

I am too lazy to check out the mod_ssl source (but I am quite familiar
with the underlying OpenSSL library):
- When a session is negotiated, all certificates including the intermediate
  CA certificates must be sent. You see this with ethereal.
- When a session is re-used, no certificates are sent at all. Both peers
  take their information from their session cache.
- The OpenSSL session cache does not store intermediate (and root) CA
  certificates, only the peer's certificate, so when a session is re-used,
  this information is not available.
- If you must examine the certificate chain, you can only do it for the
  first session negotiated.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
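Added example, not code from the thread or from mod_ssl: CGI-side handling in Python that reads the variables Lutz describes, treats an absent SSL_CLIENT_CERT_CHAIN_n series as the resumed-session case rather than as an error, and makes chain-dependent decisions only when the chain was actually delivered. It also reads SSL_CLIENT_VERIFY, which mod_ssl exports but the thread does not mention; the environment dictionaries are constructed samples with placeholder PEM bodies.

```python
"""Distinguish a full handshake (chain present) from a resumed session (chain
absent) using the variables mod_ssl exports to a CGI. Sample environments
below are constructed, not captured from a real server."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


@dataclass
class ClientAuth:
    verified: bool                         # SSL_CLIENT_VERIFY == "SUCCESS"
    leaf: Optional[str]                    # SSL_CLIENT_CERT (PEM) or None
    chain: List[str] = field(default_factory=list)  # SSL_CLIENT_CERT_CHAIN_n

    @property
    def chain_available(self) -> bool:
        return bool(self.chain)


def read_client_auth(env: Dict[str, str]) -> ClientAuth:
    """Collect the mod_ssl variables. Chain entries are numbered from 0 with
    no gaps, so stop at the first missing index."""
    chain: List[str] = []
    n = 0
    while f"SSL_CLIENT_CERT_CHAIN_{n}" in env:
        pem = env[f"SSL_CLIENT_CERT_CHAIN_{n}"]
        if not PEM_RE.search(pem):
            raise ValueError(f"SSL_CLIENT_CERT_CHAIN_{n} is not a PEM certificate")
        chain.append(pem)
        n += 1
    return ClientAuth(verified=env.get("SSL_CLIENT_VERIFY") == "SUCCESS",
                      leaf=env.get("SSL_CLIENT_CERT"), chain=chain)


def authz_decision(auth: ClientAuth) -> str:
    """Policy: only deny when the server itself did not verify the client.
    A decision that needs the intermediates (e.g. which sub-CA issued the
    leaf) is possible only on the first handshake; on a resumed session the
    chain is simply not in the session cache, so fall back to the server's
    verification result instead of treating the missing chain as a failure."""
    if not auth.verified or auth.leaf is None:
        return "deny"
    if auth.chain_available:
        return "allow:chain-checked"
    return "allow:resumed-session"


# Constructed sample environments (placeholder PEM bodies, not real certificates).
_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"
FULL_HANDSHAKE_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": _PEM,
                      "SSL_CLIENT_CERT_CHAIN_0": _PEM, "SSL_CLIENT_CERT_CHAIN_1": _PEM}
RESUMED_SESSION_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": _PEM}
```

If a chain-dependent policy is mandatory, the remaining options are to make and cache that decision on the first handshake, or to disable session resumption for the protected location so every connection negotiates afresh.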
