client certificates won't verify under Apache

Sun, 04 Sep 2005 14:08:20 -0700

I'm running CentOS 4.1 with Apache 2.0.52 and trying to setup client SSL authentication using an internal CA. I've read the docs and checked the list archives for someone having the same problem or any hints, but have come up empty so far. Anyways... 

Running:
openssl verify -CAfile ssl.crt/cacert.crt -purpose sslclient aaron_turner.crt 

Returns OK.

But configuring apache with:
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile conf/ssl.crt/updates.musecurity.net.crt
SSLCertificateKeyFile conf/ssl.key/updates.musecurity.net
SSLCACertificatePath conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth  1


where my conf/ssl.crt directory has the cacert.crt with the  
approrpriate hashes, when I run:



openssl s_client -connect updates.musecurity.net:443 -CAfile  
cacert.pem -cert aaron_turner.pem -certform pem -showcerts -verify 1


I get:

[error] Certificate Verification: Error (19): self signed certificate  
in certificate chain


In my ssl_error_log.

openssl returns:
verify depth is 1
CONNECTED(00000003)

depth=1 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./ 
[EMAIL PROTECTED]

verify return:1

depth=0 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./OU=Update  
Server/CN=updates.musecurity.net/[EMAIL PROTECTED]

verify return:1

871:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown  
ca:s3_pkt.c:1054:SSL alert number 48
871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake  
failure:s23_lib.c:230:



I think somewhat related is my problem with using:
SSLCACertificateFile conf/ssl.crt/cacert.crt

which gives me an error:

SSLCACertificateFile: file '/etc/httpd/conf/ssl.crt/cacert.crt' does  
not exist or is empty



which is quite strange since the file does exist, contains the  
certificate and has the correct perms (files are 644 and directories  
755).  I've even tried copying over the aaron_turner.crt to the conf/ 
ssl.crt directory and regenerating the hashes, but that doesn't help.



I can only assume I'm missing something horribly obvious, but I've  
been working on this for hours with no luck...


TIA,
Aaron

--

Aaron Turner, Sr. Security Engineer                    
<[EMAIL PROTECTED]>

Ph: 408.329.1956


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]














    











					Reply via email to