[BugDB] About CRL (PR#672)

Mon, 11 Mar 2002 09:47:18 -0800 

Full_Name: Shiva murugesan
Version: 2.8.5
OS: unix
Submission from: (NULL) (213.132.36.114)


Env : Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6c.

When IE browser (5.0,5.5, 6.0 )client presents an expired/revoked certficate the
modssl handsake fails and the IE browser does not display the correct error
message, it just displays generic error "Page can not be displayed". 
Whereas NE displays the correct error message as "The certificate has expired /
revoked".

Please help me in finding the solution to display correct error message in IE
browser as well.

Please find the error_log as follows


>>>> Certificate Verification: Error (10)
>>>> : certificate has expired
>>>> [Mon Mar 11 19:01:51 2002] [error] mod_ssl: SSL
>>>> handshake failed (server 158.234
>>>> .197.20:443, client 158.234.197.53) (OpenSSL library
>>>> error follows)
>>>> [Mon Mar 11 19:01:51 2002] [error] OpenSSL:
>>>> error:140890B2:SSL routines:SSL3_GET
>>>> _CLIENT_CERTIFICATE:no certificate returned


Also the httpd.conf file entries as follows


<VirtualHost 158.234.197.20:443>
ServerName 158.234.197.20
DocumentRoot "/usr/local/apache/htdocs"
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/veriandgte.pem
SSLCARevocationFile /usr/local/apache/conf/ssl.crl/verisigncacrl.pem
#SSLCARevocationFile /usr/local/apache/conf/ssl.crl/2.pem
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdownan-shutdown downgrade-1.0 fo
SSLVerifyClient require:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULLSA-DES-CBC-SHA:EDH-
SSLVerifyDepth 10
<Location />
#SSLRequire (%{SSL_CLIENT_I_DN_OU} in { "shiva", "raja","Comtrust"})
SSLRequire %{SSL_CIPHER} >= 128
</Location>
CustomLog "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


Thanks and regards
shiva


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to