Thanks Mads for your answer:
I should have written "Netscape still asks for the cert at each page" instead of "it does not work".
I made the test you suggested; here is the result:
[EMAIL PROTECTED] jeannin]# openssl s_client -host intranet.stic.cnrs.fr -port 443 -cert /usr/local/apache/conf/ssl.crt/intranet.stic.cns.fr.crt -key /usr/local/apache/conf/ssl.key/intranet.stic.cnrs.fr.key -CAfile /usr/local/apache/conf/ssl.crt/ca-bundle.crt -reconect -ssl3
CONNECTED(00000003)
depth=2 /C=FR/O=CNRS/CN=CNRS
verify return:1
depth=1 /C=FR/O=CNRS/CN=CNRS-Standard
verify return:1
depth=0 /C=FR/O=CNRS/OU=UPS836/CN=intranet.stic.cnrs.fr/[EMAIL PROTECTED]
verify return:1
24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1031:SSL alert number 43
24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:514:
I am sorry, but I do not understand the response. I am sure that my cert is valid, my private key too, and my CA file too.
Do you know where I can read documentation that explains the error message? Perhaps it is a bad use of the openssl client.
Thank you
--xj
Mads Toftum wrote:
On Wed, Oct 29, 2003 at 05:15:13PM +0100, xavier jeannin wrote:
> I have developed a Web application that uses X509 certificates. Netscape asks for the certificate each time (on every page). As my users have several certificates, they do not use the "Select Automatically" option in Netscape; I now have to tell my users to use this option and to create a Netscape profile for every certificate.
> First, I have compiled Apache with MM and use:
> SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> SSLSessionCacheTimeout 1800
> but it does not work.

"but it does not work" - how should that be understood? That SSLSessionCache does not work, or that the users are still being asked for the certificate?
The simplest way to test sessions away from the browser is to use openssl s_client with the -reconnect option - that should tell you whether session caching is in effect or not.
Usually when sessions are enabled in apache, but the browser keeps asking for the cert, then it is a setting in the browser - I seem to recall that Netscape had an option to ask for the password on every use.
vh
Mads Toftum
--
Xavier Jeannin
UREC/CNRS
Université P. & M. Curie, Courrier : case 171, 4 place Jussieu
75252 PARIS CEDEX 05
Tél : 01 44 27 42 59 - Fax : 01 44 27 42 61 - Courriel : [EMAIL PROTECTED]
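
As an added example (not part of the original messages), the two error-queue lines in the s_client output above can be decoded mechanically. This Python sketch assumes the error-code packing used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason) and the SSL library's convention that a reason code of 1000 or more is 1000 plus the number of an alert received from the peer; the function name `decode_openssl_error` and the partial alert table are this example's own.

```python
import re

# Certificate-related alert descriptions from the SSLv3/TLS specifications (subset).
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}
ERR_LIB_SSL = 20             # 0x14, the "SSL routines" library
SSL_AD_REASON_OFFSET = 1000  # reason >= 1000 means "alert N received from peer"

# pid:error:<8 hex digits>:<lib>:<func>:<reason>:<file>:<line>:<extra data>
LINE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)$"
)

def decode_openssl_error(line):
    """Split one pre-3.0 OpenSSL error-queue line into its packed fields."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    code = int(m.group(2), 16)
    lib = (code >> 24) & 0xFF      # which OpenSSL sub-library raised it
    func = (code >> 12) & 0xFFF    # function code inside that library
    reason = code & 0xFFF          # reason code
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_text": m.group(4), "reason_text": m.group(5),
        "alert": alert,
        "alert_name": ALERTS.get(alert) if alert is not None else None,
        "from_peer": alert is not None,  # the alert was read off the wire
    }

# The two lines exactly as they appear in the s_client output above.
SAMPLE = [
    "24359:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert "
    "unsupported certificate:s3_pkt.c:1031:SSL alert number 43",
    "24359:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake "
    "failure:s3_pkt.c:514:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode_openssl_error(entry))
```

For the first line this yields alert 43 (unsupported_certificate) received from the server, meaning the server refused the certificate the client presented; the second line is the client's own generic handshake-failure report that follows it.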