I continue talking to myself about it. Just to let people know that I submitted a bug to openSUSE, because it took me less than 5 minutes to get a blank Debian virtual machine to work with the exact same certificates, virtual host configuration and browser.
There is definitely something weird...

On Tuesday 24 November 2009 at 17:24 +0100, Jean-Christophe Baptiste wrote:
> I am still stuck with the same issue:
>
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
> [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
>
> I renewed all my certificates one more time, so I don't think there is
> anything wrong with them.
> My Apache configuration hasn't changed:
>
> <Directory /secured>
>     SSLRequireSSL
>     SSLVerifyClient require
>     SSLVerifyDepth 1
>     Order allow,deny
>     allow from All
> </Directory>
>
> And any browser (Firefox, Opera) fails, so I don't think it is a browser
> issue.
> Of course, I imported the CA and the client certificate...
>
> And still no prompt for the client certificate...
>
> Really no hint? Could it be a bug in the distro package?
>
> Thanks.
>
> On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste
> <j...@phocean.net> wrote:
> > Hi all,
> >
> > I have been using client certificates for a while (more than 2 years)
> > successfully.
> >
> > But now, after migrating a server, I am stuck with a problem that I have
> > no idea how to handle.
> > I just spent 10 hours googling around and reading the doc without
> > finding any clue.
> >
> > On my new set-up, the web browser seems to reject the negotiation:
> >
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | 0000: 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
> >
> > I have tried a bunch of different settings. Of course, I re-generated
> > all the certificates several times, from the CA to the client.
> > Both the CA and the client were imported into the web browser.
> >
> > The mod-ssl settings are in no point different from the previous
> > machine, so what am I missing?
> >
> > So any help, any hint would be greatly appreciated.
> >
> > Thank you in advance,
> >
> > Regards,
> > Jean-Christophe