In short, I'm working on duplicating a web site locally for testing, and I am unable to get client certificates to work here in my lab.
The "main/public" site is using Apache 1.3.33 on OS X and is properly configured for client certs, but I can't get this test configuration to work. I am using Apache 2.0.52, so that could be a factor (if necessary, I will try to reconfigure with 1.3.33). The client browser is IE 6.x, and what is odd is that when I navigate to the "main/public" site I am prompted to select a certificate, but when I navigate to the "test" site IE 6.x just times out. For that reason I am suspicious of the Apache configuration, but I can't be certain. I tried with Firefox 1.0 and it also timed out. Firefox is configured to "ask every time" for client cert selection and, like IE, I am not prompted. (I'm also suspicious as to why I can't select the client certificate from the IE dialog for the test site: only the certificate for the public site is listed.) The virtual host configuration is listed below ("ssl.conf" was unchanged for 2.0.52), and the error from the ssl.log is also listed below. If anyone could offer any troubleshooting tips, that would be greatly appreciated. Thanks for your time and assistance.
John

//-------------------------------------------------
Additional information:
Version: Apache/2.0.52
OS: Mac OS X 10.3.7
//-------------------------------------------------
// here is the log of the error:
[info] Initial (No.1) HTTPS request received for child 5 (server www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?
//-------------------------------------------------
// here is the virtual host info:
<VirtualHost www.apollo.home:443>
    DocumentRoot "/some_directory/ssl_site"
    ServerAdmin [EMAIL PROTECTED]
    ServerName www.apollo.home
    LogLevel warn
    # LogLevel debug
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # Per-Server Logging:
    CustomLog logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog logs/apollo/443.error.log
    DirectoryIndex "index.html"
    <IfModule mod_ssl.c>
        #
        # ssl stuff
        #
        SSLEngine On
        SSLProtocol all -SSLv3
        SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
        #
        # LogLevel debug
        ErrorLog "logs/apollo/ssl.log"
        SSLOptions +StdEnvVars +ExportCertData
        #----------------------------------------
        #
        # path to certificates and private key
        #
        SSLCertificateFile "/some_directory/openssl/servers/www.apollo.home.cert.pem"
        SSLCertificateKeyFile "/some_directory/openssl/servers/www.apollo.home.key.unencrypted"
        SSLCACertificateFile "/some_directory/openssl/private/CA-1.cert.pem"
    </IfModule>
    <Location /secure_dir>
        SSLVerifyClient require
        SSLVerifyDepth 3
    </Location>
</VirtualHost>

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]