Hi all
I'm actually now getting in ssl_engine.log:
[18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
Any ideas? I don't understand how it can say "No CAs known to server for verification" (although only a hint) if I am specifying:
SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
in my httpd.conf...
Thanks
Jose
-----Original Message-----
From: Jose Correia (J)
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates
Hi there
I set the depth to 1 and I do have my cache set to:
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
Still not working...
Argghhh, this is so frustrating... any other ideas?
Did you put your CA into the local .keystore or in C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??
On my Java side I'm using JSSE 1.0.3 together with Innovation's
HTTPClient like:
// imports added for completeness; JSSE 1.0.3 ships SSLContext and the factories
// in com.sun.net.ssl, and Innovation's HTTPClient lives in package HTTPClient
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory;
import com.sun.net.ssl.KeyManagerFactory;
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;

java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
SSLContext sc = SSLContext.getInstance("SSL");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
char[] passphrase = "whatever".toCharArray();
// the keystore holds both the CA cert (trusted entry) and the client key + cert
ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);
tmf.init(ks);             // trust manager: which CAs we accept for the server cert
kmf.init(ks, passphrase); // key manager: which client cert/key we offer to Apache
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
HTTPConnection con = new HTTPConnection("https", urlString, -1); // urlString set earlier
con.setDefaultSSLSocketFactory(sc.getSocketFactory());
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = (InputStream) response.getInputStream();
....
Any other ideas, thanks...
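An added check for the keystore side of this problem, not code from the thread: it loads the JSSE keystore and the cacert.pem that Apache names in SSLCACertificateFile, confirms the CA is a trusted entry, and confirms that every private-key entry's certificate has that CA as issuer and verifies under its public key, which is exactly what Apache's SSLVerifyClient require demands. Keystore path, password and CA file are assumed command-line arguments; it needs Java 7 or later for try-with-resources, unlike the JSSE 1.0.3 code above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Added example, not code from the thread: checks a JSSE keystore against the CA
// certificate Apache names in SSLCACertificateFile. Paths/password are assumed arguments.
public class ClientCertChainCheck {
    // True when the CA is a trusted entry and every key entry's cert is issued by, signed by and valid under it.
    public static boolean check(String keystorePath, char[] password, String caPem) throws Exception {
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPem)) {  // PEM or DER both parse
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        boolean ok = true;
        if (ks.getCertificateAlias(ca) == null) {  // else the TrustManager rejects Apache's server cert
            System.out.println("FAIL: CA " + ca.getSubjectX500Principal() + " is not a trusted entry");
            ok = false;
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;  // trusted-cert entries are never sent as client certs
            keyEntries++;
            X509Certificate leaf = (X509Certificate) ks.getCertificateChain(alias)[0];
            System.out.println(alias + ": " + leaf.getSubjectX500Principal() + " issued by " + leaf.getIssuerX500Principal());
            try {
                // Apache sends the CA's DN in its CertificateRequest and SunX509 only offers a
                // key whose chain names that issuer, so the DN must match exactly.
                if (!leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal()))
                    throw new Exception("issuer DN differs from the CA in " + caPem);
                leaf.verify(ca.getPublicKey());  // proves this CA really signed the client cert
                leaf.checkValidity();            // not expired, not yet-valid
                System.out.println("  OK");
            } catch (Exception e) {
                System.out.println("  FAIL: " + e.getMessage());
                ok = false;
            }
        }
        // a keytool -import of the signed cert without its key pair leaves only a trusted entry
        return ok && keyEntries > 0;
    }
    public static void main(String[] args) throws Exception {
        System.exit(check(args[0], args[1].toCharArray(), args[2]) ? 0 : 1);
    }
}
```

A non-zero exit with "issuer DN differs" points at the client cert having been signed by a different CA (or a regenerated demoCA) than the one Apache loads, while a missing key entry means the keystore can never answer the CertificateRequest at all.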
-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates
I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication works for me. I have SSLVerifyDepth set to 1 and specified an SSLSessionCache but otherwise my setup is roughly the same as yours.
--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
>
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication??
>
> I've created my own CA using openssl (vs 0.9.6a). I then
> created and signed my server certificate with the CA using openssl.
> (apache is on a RH Linux 6.2 machine)
>
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my CA
> using openssl which I duly converted into DER format. I then imported
> my CA's certificate in my JSSE keystore plus the now created client
> certificate which replaces the previous public key.
>
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> When I connect, I'm getting the following on ssl_engine.log
>
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
>
> and from my Java client I'm getting:
>
> "main, SEND SSL v3.1 ALERT: fatal, description = certificate_unknown
> main, WRITE: SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
>
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
>
> Anyone got a clue? I've searched extensively...
>
> Thanks a lot
> Jose Correia
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                          [EMAIL PROTECTED]