I have a big problem with SSLVerifyClient. I had a similar problem before,
but now the error(s?) are really stranger (from my point of view). I used
this tutorial: http://fra.nksteidl.de/Erinnerungen/OpenSSL.php

I have got two sections: one with only server-side SSL (works), and a folder
(called 'demo', with a file 'index.php') with client-side SSL. When I call
the site, my browser asks me to choose a cert I want to use to enter the
site. I choose the right one (exported via pkcs), and then IE says "cannot
find server or dns ", and Firebird doesn't do anything (it stays on my
start page, but with the "lock" symbol in Task).

So I have got a Root_CA, a Server_CA and a User_CA.

The Root_CA verifies the other 2 CAs. Server_CA verifies server certificates
(no problem). User_CA verifies client certificates.

I concatenated the certificates from Root and User_CA:
"cat ..../RootCA.cert.pem ..../UserCA.cert.pem > UserCAchaincert.pem"

My integration in apache:

NameVirtualHost xxx.xxx.xxx.xxx:443
<VirtualHost xxx.xxx.xxx.xxx:443>
   ServerName test.de
   DocumentRoot /srv/www/htdocs/web3/html/test
   php_admin_value open_basedir /srv/www/htdocs/web3/html/test
   <IfModule mod_ssl.c>
     SSLEngine on
     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
     SSLProtocol all

     AddType application/x-x509-ca-cert .crt
     AddType application/x-pkcs7-crl    .crl

     SSLOptions +StdEnvVars +ExportCertData
     ErrorLog "/var/log/apache2/test/ssl.log"
     LogLevel debug
     SSLVerifyClient none
     SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
     SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
     SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   </IfModule>
   <Location /demo>
     SSLRequireSSL
     SSLVerifyClient require
     SSLVerifyDepth 1
   </Location>
</VirtualHost>

If you need something more, just let me know. And thank you very much in
advance for every helpful idea, because I have been trying to get this to
work for weeks.

Sven

P.S: I use Suse Linux 9.0 with mod_ssl and openssl 0.9.7b (would like to
update....)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
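
An offline check of the CA hierarchy described in this post, added here as an example and not part of the original message: it builds a throwaway Root CA, User CA and client certificate, concatenates the two CA certificates the same way, and runs `openssl verify` against the result. It assumes an `openssl` binary on the PATH; all subjects and the key/CSR file names are constructed.

```shell
#!/bin/sh
# Added example: throwaway PKI shaped like the one in the post
# (Root CA -> User CA -> client certificate). Subjects and key/CSR file
# names are constructed; only the *.cert.pem / chain names follow the post.

build_pki() (   # $1 = empty working directory; runs in a subshell
    set -e
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # Self-signed root, then key + CSR for the intermediate and the client.
    openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Root CA" -keyout root.key -out RootCA.cert.pem
    for n in UserCA client; do
        openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
            -subj "/CN=Example $n" -keyout "$n.key" -out "$n.csr"
    done
    # Root signs the User CA; the User CA signs the client certificate.
    openssl x509 -req -in UserCA.csr -CA RootCA.cert.pem -CAkey root.key \
        -CAcreateserial -extfile pki.cnf -extensions ca -days 2 -out UserCA.cert.pem
    openssl x509 -req -in client.csr -CA UserCA.cert.pem -CAkey UserCA.key \
        -CAcreateserial -extfile pki.cnf -extensions client -days 2 -out client.pem
    # Same concatenation as in the post.
    cat RootCA.cert.pem UserCA.cert.pem > UserCAchaincert.pem
) >/dev/null 2>&1

verifies() {    # $1 = CA file, $2 = certificate; true only on an "OK" verdict
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d) && build_pki "$work"
for ca in UserCAchaincert.pem UserCA.cert.pem; do
    if verifies "$work/$ca" "$work/client.pem"; then r=accepted; else r=rejected; fi
    echo "client.pem against $ca: $r"
done
rm -rf "$work"
```

Running the same `openssl verify -CAfile UserCAchaincert.pem` against the real client certificate separates a broken chain file from a mod_ssl configuration issue.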
