Hi,

You have an intermediate and RootCA, try setting SSLVerifyDepth equal to 2.

Regards
Matt

--- Sven Löschner <[EMAIL PROTECTED]> wrote:

> I got a big problem with SSLVerifyClient. I had a similar problem before,
> but now the error(s?) is really more strange (in my point of view). I used
> this tutorial:
> http://fra.nksteidl.de/Erinnerungen/OpenSSL.php
>
> I have got two sections. One with only server-side-SSL (works), and a folder
> (called 'demo', with a file 'index.php') with client-side-SSL. When I call
> the site my browser asks me to choose a cert I want to use to enter the
> site. I choose the right one (exported via pkcs), and then IE says "cannot
> find server or dns ", and Firebird doesn't do anything (it stays on my
> startpage, but with the "lock"-symbol in Task).
>
> So I have got a Root_CA, a Server_CA and a User_CA.
>
> The Root_CA verifies the other 2 CAs. Server_CA verifies Server-Certificates
> (no problem). User_CA verifies Client-Certificates.
>
> I concatenated the Certificates from Root and User_CA
> "cat ..../RootCA.cert.pem ..../UserCA.cert.pem > UserCAchaincert.pem"
>
> My integration in apache:
>
> NameVirtualHost xxx.xxx.xxx.xxx:443
> <VirtualHost xxx.xxx.xxx.xxx:443>
>   ServerName test.de
>   DocumentRoot /srv/www/htdocs/web3/html/test
>   php_admin_value open_basedir /srv/www/htdocs/web3/html/test
>   <IfModule mod_ssl.c>
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>     SSLProtocol all
>
>     AddType application/x-x509-ca-cert .crt
>     AddType application/x-pkcs7-crl .crl
>
>     SSLOptions +StdEnvVars +ExportCertData
>     ErrorLog "/var/log/apache2/test/ssl.log"
>     LogLevel debug
>     SSLVerifyClient none
>     SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
>     SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
>     SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
>   </IfModule>
>   <Location /demo>
>     SSLRequireSSL
>     SSLVerifyClient require
>     SSLVerifyDepth 1
>   </Location>
>
> If you need something more, just let me know. And thank you very much in
> advance for every helping idea, because I have been trying to get this to
> work for weeks.
>
> Sven
>
> P.S: I use Suse Linux 9.0 with mod_ssl and openssl 0.9.7b (would like to
> update....)
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users@modssl.org
> Automated List Manager                            [EMAIL PROTECTED]
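
Why a depth of 2 fits the Root_CA / User_CA / client layout in the question, as an added example that is not part of either message and is not mod_ssl code: a simplified Python model which assumes the server rejects any certificate whose position in the chain (client = 0) is greater than SSLVerifyDepth. The `demo-client` name and the subject/issuer pairs are constructed.

```python
# Added example: simplified model of the chain-depth comparison; not mod_ssl code.
# Assumption: the client certificate sits at depth 0 and each issuer one higher.

# Constructed subject -> issuer map standing in for UserCAchaincert.pem.
CA_BUNDLE = {
    "Root_CA": "Root_CA",   # self-signed root
    "User_CA": "Root_CA",   # intermediate that issues client certificates
}
CLIENT = ("demo-client", "User_CA")  # constructed (subject, issuer) pair


def build_chain(leaf, bundle):
    """Return subjects from the leaf (depth 0) up to the self-signed root."""
    subject, issuer = leaf
    chain = [subject]
    while issuer != chain[-1]:            # stop at a self-signed certificate
        if issuer not in bundle:
            raise LookupError(f"issuer {issuer!r} is not in the CA bundle")
        if issuer in chain:
            raise ValueError(f"issuer loop at {issuer!r}")
        chain.append(issuer)
        issuer = bundle[issuer]
    return chain


def required_verify_depth(leaf, bundle):
    """Smallest depth setting that accepts the chain: the root's position."""
    return len(build_chain(leaf, bundle)) - 1


def verify(leaf, bundle, verify_depth):
    """Reject the chain if any certificate sits deeper than verify_depth."""
    for depth, subject in enumerate(build_chain(leaf, bundle)):
        if depth > verify_depth:
            return False, f"chain too long: {subject} is at depth {depth}"
    return True, "ok"


if __name__ == "__main__":
    print("chain:", " <- ".join(build_chain(CLIENT, CA_BUNDLE)))
    print("required depth:", required_verify_depth(CLIENT, CA_BUNDLE))
    for setting in (1, 2):
        print(f"SSLVerifyDepth {setting}:", verify(CLIENT, CA_BUNDLE, setting))
```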