We currently have a Solaris server running apache that serves as a proxy in front of our glassfish server, which we use for web services. We are replacing both the proxy and glassfish servers, so we are setting the new servers up in parallel. The new proxy server already had apache and openssl installed before I started moving files from the old to the new. The issue I am running into is that when I run apache with SSLVerifyClient required on the new server I receive an 'unknown ca' error. If I run with SSLVerifyClient none, the xml content for our web service is displayed (confirming that glassfish is ok). The only configuration difference between the proxy servers was that I moved the location of the certificate directories on the new server, but I adjusted all apache config files to reflect the new structure.
My question is: does openssl or mod_ssl look anywhere other than the apache ssl configuration to locate the CA? Thanks in advance for any assistance; server info and log details are below.

- We have a single self-signed CA which is used to sign the server and client certs.
- The old and new server are running apache 2.0.63 and OpenSSL 0.9.7d. Apache and openssl were present on the new server before I started bringing files over. I ran the version commands and they show apache to be the same version with the same compiled options. openssl is the same version but includes additional security patches:

    OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: CVE-2005-2969 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-7250 CVE-2007-5135 CVE-2007-3108 CVE-2008-5077 CVE-2008-7270 CVE-2009-0590 CVE-2009-2409 CVE-2009-3555 CVE-2010-4180 CVE-2011-4576 CVE-2011-4619 CVE-2012-0884 CVE-2012-1165 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333)

- I rebuilt all hash files and the filenames generated match those on the old server, so the CNs are the same.
- I compared permissions and file contents for the apache related directories.

Using s_client with just the -connect and -showcerts parameters returns the CA cert, server cert and my client cert, so I can see they are present on the new server. Below is an abbreviated version of the output when I use the -connect, -cert, -CApath, -showcerts, -state, and -debug parameters. This works without error on the old server (changing only the IP:port).

    Loading 'screen' into random state - done
    CONNECTED(00000100)
    SSL_connect:before/connect initialization
    write to 0x1f03cc0 [0x1f085f0] (210 bytes => 210 (0xD2))
    ..
    SSL_connect:SSLv2/v3 write client hello A
    read from 0x1f03cc0 [0x1f0db50] (7 bytes => 7 (0x7))
    ...
    SSL_connect:SSLv3 read server hello A
    read from 0x1f03cc0 [0x1f0db53] (5 bytes => 5 (0x5))
    read from 0x1f03cc0 [0x1f0db58] (1957 bytes => 1957 (0x7A5))
    depth=1 CN = ALERTIIS Cert Auth, .. details omitted here by me....
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    read from 0x1f03cc0 [0x1f0db53] (5 bytes => 5 (0x5))
    read from 0x1f03cc0 [0x1f0db58] (525 bytes => 525 (0x20D))
    ..
    SSL_connect:SSLv3 read server key exchange A
    read from 0x1f03cc0 [0x1f0db53] (5 bytes => 5 (0x5))
    read from 0x1f03cc0 [0x1f0db58] (421 bytes => 421 (0x1A5))
    ..
    SSL_connect:SSLv3 read server certificate request A
    SSL_connect:SSLv3 read server done A
    write to 0x1f03cc0 [0x1f18570] (911 bytes => 911 (0x38F))
    ..
    SSL_connect:SSLv3 write client certificate A
    write to 0x1f03cc0 [0x1f18570] (139 bytes => 139 (0x8B))
    ..
    SSL_connect:SSLv3 write client key exchange A
    write to 0x1f03cc0 [0x1f18570] (267 bytes => 267 (0x10B))
    ..
    SSL_connect:SSLv3 write certificate verify A
    write to 0x1f03cc0 [0x1f18570] (6 bytes => 6 (0x6))
    SSL_connect:SSLv3 write change cipher spec A
    write to 0x1f03cc0 [0x1f18570] (53 bytes => -1 (0xFFFFFFFF))
    SSL_connect:error in SSLv3 flush data
    SSL_connect:error in SSLv3 flush data
    write:errno=10053
    ..

At the end of the apache log I see the following error (all other tags are [debug]):

    [Thu Jul 18 08:07:07 2013] [error] Certificate Verification: Error (20): unable to get local issuer certificate
    [Thu Jul 18 08:07:07 2013] [debug] ssl_engine_kernel.c(1749): OpenSSL: Write: SSLv3 read client certificate B
    [Thu Jul 18 08:07:07 2013] [debug] ssl_engine_kernel.c(1768): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Thu Jul 18 08:07:07 2013] [debug] ssl_engine_kernel.c(1768): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Thu Jul 18 08:07:07 2013] [info] SSL library error 1 in handshake (server xxx.xxx.xxx.xxx:443, client xx.xx.xxx.xxx.xx)
    [Thu Jul 18 08:07:07 2013] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    [Thu Jul 18 08:07:07 2013] [info] Connection to child 2 closed with abortive shutdown(server xxx.xxx.xxx.xxx:443, client xx.xx.xxx.xxx.xx)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
Automated List Manager
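On the question of where mod_ssl looks: for client-certificate verification it consults only SSLCACertificateFile and SSLCACertificatePath, and with the path form OpenSSL finds an issuer by opening <subject-hash>.N in that directory, so a correct CA file whose hash link is missing or computed with the wrong scheme gives exactly "Error (20): unable to get local issuer certificate". The example below is added here and is not the poster's or the OpenSSL project's code: it recomputes the link name an OpenSSL 0.9.7 build expects for each certificate in a directory and reports those with no link. It assumes the pre-1.0.0 "old" hash (MD5 over the DER subject name, first four bytes little-endian); OpenSSL 1.0.0 and later use a different SHA-1 canonical-name hash, so use that build's own c_rehash there.

```python
"""Added example (not from the post or the OpenSSL project): compute the
<hash>.N link names an OpenSSL 0.9.7 build expects in SSLCACertificatePath
and report certificates that have none.  Assumes the pre-1.0.0 'old' hash
(MD5 of the DER subject name, first 4 bytes little-endian)."""
import base64, hashlib, os, re, struct

def der_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, element_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                            # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                            # long form: n length bytes
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def subject_der(cert_der):
    """Raw DER of the subject Name from a DER-encoded X.509 certificate."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, pos, end = der_tlv(cert_der, tbs_pos)    # tbsCertificate ::= SEQUENCE
    fields = []                                 # (tag, start, end) per field
    while pos < end:
        tag, _, elem_end = der_tlv(cert_der, pos)
        fields.append((tag, pos, elem_end))
        pos = elem_end
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    _, s, e = fields[4]                         # serial, sigAlg, issuer, validity, subject
    return cert_der[s:e]

def old_subject_hash(name_der):
    """X509_NAME_hash_old(): MD5 over the DER name, first 4 bytes as LE uint32."""
    return "%08x" % struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]

def pem_to_der(pem_text):
    """First CERTIFICATE block of a PEM file, as DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def check_capath(path):
    """[(file, expected_hash)] for every cert in path with no <hash>.N link,
    i.e. a CA that OpenSSL's by-directory lookup could never find."""
    names = os.listdir(path)
    missing = []
    for fn in sorted(names):
        if fn.endswith((".pem", ".crt")):
            with open(os.path.join(path, fn)) as f:
                h = old_subject_hash(subject_der(pem_to_der(f.read())))
            if not any(re.fullmatch(h + r"\.\d+", n) for n in names):
                missing.append((fn, h))
    return missing
```

Call check_capath() with the SSLCACertificatePath directory; an empty list means every certificate there has a link under the name a 0.9.7 lookup would open, so a remaining Error (20) points at the CA file contents or the client cert's issuer rather than the directory layout.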
