Gianpaolo Fasoli wrote:

> I've setup an apache server with client authentication via certificates
[snip]
> I successfuly installed the certificate on all clients but it looks like
> Mozilla and Firefox are having problems finding the right certificate to
> send to the server:
>
>  - on the client side I get the following message:
> "Server has received an incorrect or unexpected message. Error code:
> -12227"
> which corresponds to: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
> (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)

Bravo for finding the web page that documents the error codes!

>  - on the server side I get the following message:
> [error] mod_ssl: SSL handshake failed (OpenSSL library error follows)
> [error] OpenSSL: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> [Hint: No CAs known to server for verification?]

There, that "hint" is very likely the real problem.  Your server is
probably incorrectly configured to request client authentication.

When an SSL server requests client authentication, it sends a message
to the client that says "here is a list of the names of CAs that I trust
to issue client certs.  If you have a client cert from one of these
CAs, then send it to me".  That list is NEVER supposed to be empty.
But the hint above suggests that it is.  If your server has not been
configured with the names of CAs that it trusts to issue client certs,
it's sending an empty list.

When an SSL client receives such a malformed request, with an empty
list of trusted client CA names, it may either (a) choose to send
back a response that means "I have no cert issued by any of the
issuers you have named", or (b) send back any certificate you have
and hope the misconfigured server will accept it.

If your server IS sending out a correct list of CA names, and your
user cert is not issued by any of the named CAs, the browser is
right in sending back a "no certificate" response.

It may also be that your client cert was issued by an intermediate CA
whose cert was not downloaded to the browser along with the user's
cert.  In that case, it is often not possible for the browser to
determine that the user's cert was issued by the root CA.

Example:  You generate a user cert "U", issued by intermediate CA "I",
which is in turn issued by root CA "R".  You download and install the
user and root CA certs in the browser, but not the intermediate CA cert.
Then the server says "if you have any cert issued by R, send them."
Your browser cannot tell that U chains up to R, because that information
is contained in I, which is missing.  The browser can only tell that
U was issued by I, and I is not R.  If I was also installed, as it
should have been when U was installed, then the browser can determine
that U chains up to R.

It is generally best for the server to name the intermediate CA rather
than the root in a case like this.

> I've seen some people with the same problem posting to different lists
> on the net but I've never seen any solution.
>
> I'm not experiencing this problem with IE and Opera. Also, I've noticed
> that both IE and Opera ask the user to choose which certificate to
> present to the server which is not Mozilla's case.

> Did I miss anything in Mozilla's configuration?

Yes, mozilla has a user settable preference for asking the user to
choose, or choosing automatically according to the list of issuer names
from the server.  The default is automatic.  If the entire cert chain
has been installed in the browser, and the server's request names the
right CA, then automatic will suffice.

> Any suggestions?
>
>
> Thanks in advance,
>
>
> GP.

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
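The selection logic Nelson describes above (the server's CertificateRequest carries a list of acceptable CA names, and the browser walks the issuer names of the installed certs to see whether a user cert chains up to one of them) is easy to get wrong mentally, so here is an added model of it. This is illustrative code written for this page, not NSS, mod_ssl, or anything from the original thread: certificates are reduced to a subject/issuer name pair, no signatures are checked, and the CA names, user cert names and four scenarios are constructed here. In Apache the list sent to the client normally comes from the CAs configured with SSLCACertificateFile (or SSLCACertificatePath); an empty list is what the "No CAs known to server" hint is pointing at.

```python
"""Model of client-certificate selection against the server's CA-name list.

Illustrative only: certs are (subject, issuer) name pairs, nothing is
cryptographically verified, and all sample data is constructed here.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample PKI: user cert U <- intermediate I <- root R.
ROOT = Cert(subject="CN=R", issuer="CN=R")
INTERMEDIATE = Cert(subject="CN=I", issuer="CN=R")
USER = Cert(subject="CN=U", issuer="CN=I")


def issuer_names(leaf: Cert, store: Iterable[Cert]) -> List[str]:
    """Names of the CAs the browser can see above `leaf`.

    The leaf's own issuer name is always visible (it is inside the leaf).
    Beyond that the walk only continues through certs actually installed in
    `store`; a missing intermediate truncates the list, which is exactly why
    the post says the browser cannot tell that U chains up to R when I is
    absent.  A cycle or a self-signed cert ends the walk.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in store}
    names: List[str] = []
    seen = {leaf.subject}
    cur = leaf
    while not cur.is_self_signed and cur.issuer not in seen:
        names.append(cur.issuer)
        seen.add(cur.issuer)
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            break  # intermediate not installed: chain cannot be followed further
        cur = nxt
    return names


def select_client_cert(
    user_certs: Sequence[Cert],
    store: Iterable[Cert],
    acceptable_cas: Sequence[str],
) -> Optional[Cert]:
    """Automatic selection: first user cert whose visible issuer chain contains
    a CA name the server listed.  Returns None for the "no certificate" reply.

    An empty CA list is the malformed request from a misconfigured server; this
    model takes option (a) from the post and answers "no certificate".  A
    browser taking option (b) would instead send any cert it has.
    """
    if not acceptable_cas:
        return None
    wanted = set(acceptable_cas)
    for cert in user_certs:
        if wanted.intersection(issuer_names(cert, store)):
            return cert
    return None


def run_scenarios() -> Dict[str, Optional[Cert]]:
    """The cases discussed in the post, evaluated against the constructed PKI."""
    full_store = [USER, INTERMEDIATE, ROOT]
    missing_intermediate = [USER, ROOT]
    return {
        "server names R, I missing": select_client_cert([USER], missing_intermediate, ["CN=R"]),
        "server names R, full chain": select_client_cert([USER], full_store, ["CN=R"]),
        "server names I, I missing": select_client_cert([USER], missing_intermediate, ["CN=I"]),
        "server sends empty CA list": select_client_cert([USER], full_store, []),
    }


if __name__ == "__main__":
    for label, chosen in run_scenarios().items():
        print(f"{label:30s} -> {chosen.subject if chosen else 'no certificate'}")
```

The third scenario is the point of the advice to name the intermediate CA: U's issuer name is inside U itself, so naming I works even when the browser never received I's cert, whereas naming R only works once the full chain is installed.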
