Hi,

I am trying to set up a secure proxy using SSL.  Between the client and the
proxy, I do not need client certificate verification, but between the proxy
(gateway) and the server, I need a kind of client certificate verification.
Current settings are:

Client has the Verisign Test Root CA certificate, but no client certificate.


The gateway or proxy is set up with reverse proxy and SSL.
    SSLVerifyClient none
The gateway has the Verisign Test Root CA certificate, and its own key and
crt files present.

The server is set for SSL but with SSLVerifyClient require.
The gateway has the Verisign Test Root CA certificate, and its own key and
crt files present.

Running from the gateway:
    openssl s_client -connect serv.ecb:443 -cert file_of_server.crt -key file_of_server.key -CAfile file_of_verisign_testCA -bugs -showcerts -ssl3
I get a connection and I can download an HTTP page without any problem.

Now I try via a browser on a PC, which is set up to connect via the proxy to
the server with the URL https://www.serv.ecb.  (www.serv.ecb is defined in the
gateway as a reverse proxy and connects to the physical server serv.ecb.)
The result is an SSL handshake error on the server: peer did not return a
certificate.  On the PC there is a box with no selections available for
selecting a certificate.
The same happens when I address the server serv.ecb from the PC without
passing via the proxy.

When on the server, SSLVerifyClient is also set to none, then the connection
from the PC, via the proxy to the server works OK. The direct connection
also.  
This means that in the prior case, the proxy passes the authentication request
transparently to the client, which we primarily don't want to happen.

We would like to have the authentication between gateway and server, not
between client and server.  
Is this scenario possible with Apache/OpenSSL/mod_ssl?
Is it supported out of the box, or are add-ons required?
If not, are there alternative solutions?

Thanks for your assistance.

Herman de Taeye
Unisys Belgium.


