On Thu, Jun 07, 2001 at 11:37:40PM +0900, K.Umesawa wrote:
> I'm trying to get a Client-Certificate-Chain
> by using SSL_CLIENT_CERT_CHAIN_n in my CGI
> which works on Apache 1.3.19 + mod_ssl 2.8.3.
> Now I can get the data of SSL_CLIENT_CERT and SSL_SERVER_CERT (and client
> authentication succeeds), but I can't get any data for
> SSL_CLIENT_CERT_CHAIN_n (with n=0,1,2,..)...
> ~~~
> When I use the "openssl s_server" command and connect to its sample server
> from Netscape 4.7 and IE 5.5, I can see the Client-Certificate-Chain data
> on a Network Analyzer (ethereal).
> But I don't see data like the Client-Certificate-Chain
> when I start up Apache+mod_ssl and
> send the Client-Certificate-Chain to Apache
> from Netscape 4.7 and IE 5.5 (BUT Client Authentication is SUCCESS! (Why?)).
>
> Is there any relation between "I can't get SSL_CLIENT_CERT_CHAIN_n" and
> "There is no data like Client-Certificate-Chain on the network"?
> If there is no relation, why can't I get the Client-Certificate-Chain
> though I can get SSL_CLIENT_CERT?

I am too lazy to check out the mod_ssl source (but I am quite familiar
with the underlying OpenSSL library):

- When a session is negotiated, all certificates including the intermediate
  CA certificates must be sent. You see this with ethereal.
- When a session is re-used, no certificates are sent at all. Both peers
  take their information from their session cache.
- The OpenSSL session cache does not store intermediate (and root) CA
  certificates, only the peer's certificate, so when a session is re-used,
  this information is not available.
- If you must examine the certificate chain, you can only do it for the
  first session negotiated.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
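A CGI-side way to live with the behaviour Lutz describes, as an added example (not code from the mail, from mod_ssl or from OpenSSL): on a full handshake mod_ssl exports the chain as SSL_CLIENT_CERT_CHAIN_n, so the script stores it keyed by the verified client certificate, and on a resumed session, where only SSL_CLIENT_CERT is present, it replays the stored chain instead of failing. The environment dicts are constructed placeholders, and the dict-backed cache stands in for whatever persistent store a real CGI would use.

```python
import hashlib

# Constructed sample CGI environments standing in for what mod_ssl exports
# (placeholder strings, not real PEM data).
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----"
FULL_HANDSHAKE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_CERT": LEAF_PEM,
    "SSL_CLIENT_CERT_CHAIN_0": "INTERMEDIATE-CA-PLACEHOLDER",
    "SSL_CLIENT_CERT_CHAIN_1": "ROOT-CA-PLACEHOLDER",
}
# Resumed session: OpenSSL's cache keeps only the peer cert, so no CHAIN_n vars.
RESUMED_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": LEAF_PEM}

# Stand-in for a persistent store (file, DB), keyed by fingerprint of the leaf.
CHAIN_CACHE = {}

def leaf_fingerprint(pem):
    """Key the cache on a SHA-256 of the PEM text with whitespace removed."""
    return hashlib.sha256("".join(pem.split()).encode()).hexdigest()

def exported_chain(env):
    """Collect SSL_CLIENT_CERT_CHAIN_0, _1, ... in order until the first gap."""
    chain, n = [], 0
    while f"SSL_CLIENT_CERT_CHAIN_{n}" in env:
        chain.append(env[f"SSL_CLIENT_CERT_CHAIN_{n}"])
        n += 1
    return chain

def client_chain(env, cache=CHAIN_CACHE):
    """Return (chain, reason). Only cache what Apache has already verified."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS" or not env.get("SSL_CLIENT_CERT"):
        return None, "no verified client certificate"
    key = leaf_fingerprint(env["SSL_CLIENT_CERT"])
    chain = exported_chain(env)
    if chain:                      # full handshake: chain was on the wire, keep it
        cache[key] = chain
        return chain, "full handshake"
    if key in cache:               # resumed session: replay the chain seen earlier
        return cache[key], "resumed session, chain from cache"
    return [], "resumed session, chain never seen on a full handshake"

def demo():
    """First request negotiates a session, second one resumes it."""
    cache = {}
    first = client_chain(FULL_HANDSHAKE_ENV, cache)
    second = client_chain(RESUMED_ENV, cache)
    return first, second
```

If the chain is a hard requirement for every request, the alternative is to switch off session caching for that location so every request is a full handshake, at the cost of a handshake per request.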