I am trying to emulate something that mod_ssl does, and it used 0.9.7d. I verified that the same exact certs are working on another system. Also, the CA cert on the server has the correct CN. To load the client CA I use:

    list = SSL_load_client_CA_file(<path to CA cert>);
    SSL_set_client_CA_list(ssl, list);

and then call the rest of the functions I described in my original message:

    SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_renegotiate(ssl);
    SSL_do_handshake(ssl);
    ssl->state = SSL_ST_ACCEPT;
    SSL_do_handshake(ssl);

Could I be missing something or calling something incorrectly?

thanks,
-=- adam grossman

On Wed, 2010-01-27 at 22:01 -0500, Brett Schoppert wrote:
> Not sure if the problem I had is the same as yours, but I meant 0.9.8k (not 7k).
>
> I first verified my setup was working (certs were correct, etc.) by setting up client-side SSL for the whole VirtualHost. Once that worked, I changed it to be only for a specific location where it had to renegotiate, and it failed (until switching to 0.9.8k).
>
> I don't know what your server application does, but maybe you could do something similar where you could verify everything without renegotiation ... just to narrow down that it is the renegotiation causing a problem and not the rest of the setup?
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Adam Grossman
> Sent: Wednesday, January 27, 2010 9:37 PM
> To: openssl-users@openssl.org
> Subject: RE: renegotiation with client certificate
>
> I just tried 0.9.7m, to no avail. I double checked my certs, I made sure my CA cert on the server is correct, and I am still getting the same error on the server, and the browser is giving "Peer does not recognize and trust the CA that issued your certificate."
>
> thanks,
> -=- adam grossman
>
> On Wed, 2010-01-27 at 17:53 -0500, Brett Schoppert wrote:
> > I recently had the same issue that was resolved when I changed Apache to use 0.9.7k.
> >
> > -----Original Message-----
> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Adam Grossman
> > Sent: Wednesday, January 27, 2010 5:01 PM
> > To: openssl-users@openssl.org
> > Subject: renegotiation with client certificate
> >
> > hello.
> >
> > I am having trouble getting my server renegotiation working with client certificates. Without certificates, it works fine. The one thing is that the server initially does not need a client cert, but it does during renegotiation (a requirement I have that is out of my hands).
> >
> > I am using 0.9.7d.
> >
> > The server talks to a web browser. This is what I am doing (leaving out the error handling):
> >
> >     SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
> >     SSL_renegotiate(ssl);
> >     SSL_do_handshake(ssl);
> >     ssl->state = SSL_ST_ACCEPT;
> >     SSL_do_handshake(ssl);
> >
> > When it renegotiates, the browser says "The site requested you to identify yourself with a certificate". But then the 2nd handshake gives the error:
> >
> >     1780:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2010:
> >
> > I even looked at mod_ssl, and it seems to be doing the same thing. What am I missing?
> >
> > thanks everyone once again,
> > -=- adam grossman
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           majord...@openssl.org