Actually, how does Apache know about the client certificate that the
client has got? Does it compare who signed the client certificate
with the CA it has in SSLCACertificateFile?

Thanks anyone.
Regards
Jose
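
What Apache actually checks, as an added example (this is not code from
the thread): with SSLVerifyClient require, mod_ssl has OpenSSL verify the
certificate the client presents by chaining it, within SSLVerifyDepth, to
one of the CA certificates in SSLCACertificateFile; that chain check is
both an issuer-DN lookup and a signature check. A certificate issued
directly by the CA is a two-element chain, so a depth of 1 is enough for
it. The subject DNs of those CA certificates are also what Apache
advertises in its CertificateRequest, and a JSSE client only offers a key
entry whose certificate was issued by one of them; if none matches it
sends no certificate at all, which is what the "peer did not return a
certificate" log line reports. The script below builds a throwaway CA
plus server and client certificates with the openssl CLI and runs both
checks offline, once for a client certificate issued by the CA and once
for one issued by an unrelated CA. It assumes openssl 1.1 or later on
PATH; the DNs, file names and the "stranger" certificate are made up for
the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA, a server cert and
# a client cert with the openssl CLI, then checks the client cert the way
# mod_ssl does with "SSLVerifyClient require": it must chain, within
# SSLVerifyDepth, to a CA in SSLCACertificateFile.
# Assumes "openssl" (1.1 or 3.x) on PATH; all names and paths are made up.
set -e

# build_pki DIR: writes cacert.pem/ca.key, server.crt/server.key,
# client.crt/client.key, an unrelated CA (othercacert.pem) and a client cert
# issued by that unrelated CA (stranger.crt) into DIR.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    # the CA that would go into SSLCACertificateFile
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
    # a second, unrelated CA: certificates it issues must be rejected
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
        -keyout "$dir/otherca.key" -out "$dir/othercacert.pem" 2>/dev/null
    # server and client: a CSR each, signed by the demo CA (a depth-1 chain)
    for who in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$who" \
            -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$who.csr" \
            -CA "$dir/cacert.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$who.crt" 2>/dev/null
    done
    # a client certificate issued by the other CA, for the negative case
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=stranger" \
        -keyout "$dir/stranger.key" -out "$dir/stranger.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/stranger.csr" \
        -CA "$dir/othercacert.pem" -CAkey "$dir/otherca.key" -CAcreateserial \
        -out "$dir/stranger.crt" 2>/dev/null
}

# verify_client_cert CAFILE CERT: prints OK if CERT chains to a CA in CAFILE
# (the check OpenSSL performs for mod_ssl during the handshake), else FAIL.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# issuer_matches_ca CERT CAFILE: prints yes if CERT's issuer DN equals the
# CA's subject DN. Apache sends the subject DNs of SSLCACertificateFile in its
# CertificateRequest; a JSSE key manager only offers a key entry whose issuer
# is in that list, otherwise the client sends no certificate at all.
issuer_matches_ca() {
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
    if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# Stand-alone demo:  sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_pki "$d"
    echo "client   issuer matches CA: $(issuer_matches_ca "$d/client.crt" "$d/cacert.pem")"
    echo "client   verify against CA: $(verify_client_cert "$d/cacert.pem" "$d/client.crt")"
    echo "stranger issuer matches CA: $(issuer_matches_ca "$d/stranger.crt" "$d/cacert.pem")"
    echo "stranger verify against CA: $(verify_client_cert "$d/cacert.pem" "$d/stranger.crt")"
    # To test the Apache side without Java in the loop (host is a placeholder):
    #   openssl s_client -connect host:443 -cert "$d/client.crt" \
    #       -key "$d/client.key" -CAfile "$d/cacert.pem"
    # Its "Acceptable client certificate CA names" lines show exactly which
    # CA DNs the server advertises, i.e. what the client cert must be issued by.
fi
```

The s_client command in the comment is the quickest way to split the
problem: if the handshake completes there, Apache and the CA file are
fine and the fault is on the keystore side; if it fails the same way, the
client certificate does not chain to what Apache has in
SSLCACertificateFile.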


-----Original Message-----
From: Jose Correia (J) 
Sent: 18 September 2002 14:52
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates


Hi all

I'm actually now getting in ssl_engine.log:

[18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

Any ideas? I don't understand how it can say "No CAs known to server
for verification" (although only a hint) if I am specifying:

SSLCACertificateFile /jose/CA2/demoCA/cacert.pem

in my httpd.conf...

Thanks
Jose



-----Original Message-----
From: Jose Correia (J) 
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates


Hi there

I set the depth to 1 and I do have my cache set to:

SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex

Still not working...

Argghhh, this is so frustrating... any other ideas?

Did you put your CA into the local .keystore or in C:\Program
Files\JavaSoft\JRE\1.3.1\lib\security\cacerts?

On my Java side I'm using JSSE 1.0.3 together with Innovation's
HTTPClient like:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import com.sun.net.ssl.KeyManagerFactory;   // JSSE 1.0.x API (javax.net.ssl from JDK 1.4 on)
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory;
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;

// register the JSSE provider
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

SSLContext sc = SSLContext.getInstance("SSL");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

// one JKS keystore holds both the CA cert (trusted entry) and the client
// private key with its signed certificate (key entry)
KeyStore ks = KeyStore.getInstance("JKS");
char[] passphrase = "whatever".toCharArray();
ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);

tmf.init(ks);              // trust store: which server certs are accepted
kmf.init(ks, passphrase);  // key store: which client cert can be presented

sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

HTTPConnection con = new HTTPConnection("https", urlString, -1);
con.setDefaultSSLSocketFactory(sc.getSocketFactory());
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = (InputStream) response.getInputStream();
....


Any other ideas, thanks...
-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates


I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication
works for me. I have SSLVerifyDepth set to 1 and specified an
SSLSessionCache, but otherwise my setup is roughly the same as yours.

--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
> 
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication?
> 
> I've created my own CA using openssl (v0.9.6a). I then created and
> signed my server certificate with the CA using openssl. (Apache is on
> a RH Linux 6.2 machine.)
> 
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my CA
> using openssl, which I duly converted into DER format. I then imported
> my CA's certificate into my JSSE keystore plus the now created client
> certificate, which replaces the previous public key.
> 
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth  10
> 
> When I connect, I'm getting the following on ssl_engine.log
> 
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
> 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
> follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
> 
> and from my Java client I'm getting:
> 
> "main, SEND SSL v3.1 ALERT:  fatal, description = certificate_unknown
> main, WRITE:  SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
> 
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
> 
> Anyone got a clue? I've searched extensively...
> 
> Thanks a lot
> Jose Correia
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
