client certificate problems

2005-01-11 Thread john mcnicholas

In short I'm working on duplicating a web site locally for testing and 
I am unable to get Client certificates to work here in my lab.  

The main/public site is using apache 1.3.33 on OS X and is properly 
configured for client certs, but I can't get this test configuration 
to work. I am using Apache 2.0.52 so that could be a factor.  
(if necessary, I will try to reconfigure with 1.3.33)

The client browser is IE 6.x and what is odd is when I navigate to the
main/public site I am prompted to select a certificate, but when
I  navigate to the test site IE 6.x just times out.  For that reason
I am suspicious of the apache configuration but I can't be certain.

I tried with FireFox (1.0) and it also timed out. Firefox is 
configured to ask every time for client cert. selection and
like IE, I am not prompted.

(I'm also suspicious as to why I can't select the client certificate 
from the IE dialog for the test site - only the certificate for the 
public site is listed.)

The virtual host configuration is listed below (ssl.conf was 
unchanged for 2.0.52) and the error in the ssl.log is also listed 
below.  If anyone could offer any trouble shooting tips that would 
be greatly appreciated.

Thanks for your time and assistance.

John

//-

Additional information:

Version: Apache/2.0.52
OS:  Mac OS X 10.3.7

//-

// here is the log of the error:

[info] Initial (No.1) HTTPS request received for child 5 (server 
www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will 
force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: 
complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept 
initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to 
read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read 
client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?


//-

// here is the virtual host info:

VirtualHost www.apollo.home:443
 DocumentRoot /some_directory/ssl_site
 ServerAdmin [EMAIL PROTECTED]
 ServerName www.apollo.home
 LogLevel warn
 # LogLevel debug

 SetEnvIf User-Agent .*MSIE.* \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

 #   Per-Server Logging:

 CustomLog  logs/apollo/443.access.log %t %h %{SSL_PROTOCOL}x 
%{SSL_CIPHER}x \%r\ %b

 ErrorLog   logs/apollo/443.error.log
 DirectoryIndex index.html
 IfModule mod_ssl.c
 #
 #  ssl stuff
 #
 SSLEngine On
 SSLProtocol all -SSLv3
 SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 #
 #
 LogLevel debug
 ErrorLog logs/apollo/ssl.log
 SSLOptions +StdEnvVars +ExportCertData

 #
 #
 # path to certificates and private key
 #
 SSLCertificateFile  
/some_directory/openssl/servers/www.apollo.home.cert.pem
 SSLCertificateKeyFile   
/some_directory/openssl/servers/www.apollo.home.key.unencrypted

 SSLCACertificateFile
/some_directory/openssl/private/CA-1.cert.pem
 /IfModule

 Location /secure_dir
 SSLVerifyClient require
 SSLVerifyDepth  3
 /Location

/VirtualHost




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


More certificate problems

2004-06-17 Thread richard skeggs
I am having problems signing the certificate

I can successfully generate the RSA private key using the command
openssl genrsa -des3 -out server.key 1024

I can a CSR file using
openssl req -new -key server.key -out server.csr

I can even generate the RSA frivate key for the CA
openssl genrsa -des3 -out ca.key 1024

I have even created the self sign certificate using
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

When I try and run the shell script sign.sh I get as far as
Sign the certificate? [y/n]
to which I answer 'y'

The reply i get back from the script is

'failed to update database'
'TT_DB error number 2'
'unable to load certificate'
'16129:error:0906D06C:PEM routines:PEM_read_bio: no start
line:pem_lib.c:632 Expecting TRUSTED CERTIFICATE'

I obviously find that the server.crt is empty. I would appreciate some
help with this problem

Thanks

Richard Skeggs




The sign.sh shell script I am using is shown below

#!/bin/sh
 ##
 ##  sign.sh -- Sign a SSL Certificate Request (CSR)
 ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights
Reserved.
 ##

 #   argument line handling
 CSR=$1
 if [ $# -ne 1 ]; then
 echo Usage: sign.sign whatever.csr; exit 1
 fi
 if [ ! -f $CSR ]; then
 echo CSR not found: $CSR; exit 1
 fi
 case $CSR in
 *.csr ) CERT=`echo $CSR | sed -e 's/\.csr/.crt/'` ;;
 * ) CERT=$CSR.crt ;;
 esac

 #   make sure environment exists
 if [ ! -d ca.db.certs ]; then
 mkdir ca.db.certs
 fi
 if [ ! -f ca.db.serial ]; then
 echo '01' ca.db.serial
 fi
 if [ ! -f ca.db.index ]; then
 cp /dev/null ca.db.index
 fi

 #   create an own SSLeay config
 cat ca.config EOT
 [ ca ]
 default_ca = CA_own
 [ CA_own ]
 dir= /etc/ssl
 certs  = /etc/ssl/certs
 new_certs_dir  = /etc/ssl/ca.db.certs
 database   = /etc/ssl/ca.db.index
 serial = /etc/ssl/ca.db.serial
 RANDFILE   = /etc/ssl/ca.db.rand
 certificate= /etc/ssl/certs/ca.crt
 private_key= /etc/ssl/private/ca.key
 default_days   = 365
 default_crl_days   = 30
 default_md = md5
 preserve   = no
 policy = policy_anything
 [ policy_anything ]
 countryName= optional
 stateOrProvinceName= optional
 localityName   = optional
 organizationName   = optional
 organizationalUnitName = optional
 commonName = supplied
 emailAddress   = optional
 EOT

 #  sign the certificate
 echo CA signing: $CSR - $CERT:
 openssl ca -config ca.config -out $CERT -infiles $CSR
 echo CA verifying: $CERT - CA cert
 openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

 #  cleanup after SSLeay
 rm -f ca.config
 rm -f ca.db.serial.old
 rm -f ca.db.index.old

 #  die gracefully
 exit 0


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Certificate Problems

2004-06-16 Thread Richard Skeggs
Title: Certificate Problems






I am trying to set up ssl on my server and I have been through what I believe are the correct settings. I can run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log

[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request 


I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be found. On checking the nothing gets written to any of the ssl log files.

Does anyone know how I can resolve this?


Thanks


Richard Skeggs
Software Engineer
Mobius Management Systems
Cavendish House
5 The Avenue
Egham
Surrey
TW20 9AB
Tel: +44 (0) 1784 484700
Mobile: + 44 (0) 7971 608315
email: [EMAIL PROTECTED]
 





RE: Certificate Problems

2004-06-16 Thread Boyle Owen
Plain text please...

If you got an error in the ssl error-log then apache must be running.
The invalid method error is exactly that - the HTTP method wasn't GET,
POST etc... What request were you making when you got the error?
Cross-check the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that he browser cannot resolve eghapp to an IP
address while curl, apparently, can. No idea why - depends on OS,
browser version, config etc. (eg, if the browser goes via a proxy, the
proxy will not see a local /etc/hosts definition of eghapp). 

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache
1.3 or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est
un message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.



-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 16. Juni 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' I don't appear to
get an error message. However when trying to start apache using the
startssl switch the following error turns up in the ssl_error_log
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) 
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) 
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method
in request 
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking the nothing gets written to any of the ssl log files.
Does anyone know how I can resolve this? 
Thanks 
Richard Skeggs 
Software Engineer 
Mobius Management Systems 
Cavendish House 
5 The Avenue 
Egham 
Surrey 
TW20 9AB 
Tel: +44 (0) 1784 484700 
Mobile: + 44 (0) 7971 608315 
email: [EMAIL PROTECTED]

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


FW: Certificate Problems

2004-06-16 Thread richard skeggs
Thanks for the response, to explain abit more the error I see in the log
file only get written when I start apache using apachactl startssl the
message written to ssl_error_log is:

[Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:48 2004]
[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does
NOT match server name!? [Wed Jun 16 10:59:50 2004] [warn] RSA server
certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun
16 10:59:50 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?

As for the the request I was making it was to simply get the home page of
eghapp

Using the url http://eghapp:8000 through my browser I get to view the home
page of eghapp

However https://eghapp:8000 I get the following log message  from
error_log: [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid
method in request!L!!  From access_log: 10.14.2.8 - -
[16/Jun/2004:11:07:38 +0100]  L 501 1007 Nothing gets written to the ssl
message files. The browser returns

Cannot find server or DNS Error
Internet Explorer

I am trying to install ssl on the eghapp server which is a RedHat9 linux
box. An extract from the hosts file on eghapp is:

127.0.0.1   localhost loghost
10.14.1.150 eghapp

An extract from the httpd.conf file is shown below
Listen 8000
NameVirtualHost 10.14.1.150

VirtualHost 10.14.1.150
ProxyPass /esav http://eghsnap1:8081/esav
ProxyPassReverse /esav http://eghsnap1:8081/esav
ProxyPass /ddrint http://eghsnap2:8081/ddrint
ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint
ProxyPass /vnc http://eghsnap1:80/vnc
ProxyPassReverse /vnc http://eghsnap1:80/vnc
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/html
ServerName eghapp
ErrorLog logs/error_log
CustomLog logs/access_log common
#/VirtualHost


SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCertificateFile /etc/httpd/server.csr
SSLCertificateKeyFile /etc/httpd/server.key
/VirtualHost

For your information I am running
   Apache 2.0.4.0
   IE 6.0.2

Richard


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Boyle Owen
Sent: 16 June 2004 10:20
To: [EMAIL PROTECTED]
Subject: RE: Certificate Problems


Plain text please...

If you got an error in the ssl error-log then apache must be running. The
invalid method error is exactly that - the HTTP method wasn't GET, POST
etc... What request were you making when you got the error? Cross-check
the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that he browser cannot resolve eghapp to an IP address
while curl, apparently, can. No idea why - depends on OS, browser version,
config etc. (eg, if the browser goes via a proxy, the proxy will not see a
local /etc/hosts definition of eghapp).

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache 1.3
or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est un
message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.



-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 16. Juni 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get
an error message. However when trying to start apache using the startssl
switch the following error turns up in the ssl_error_log [Tue Jun 15
15:11:04 2004] [warn] RSA server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07
2004] [warn] RSA server certificate is a CA certificate (BasicConstraints:
CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34
2004] [error] [client 10.14.1.150] Invalid method in request
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking the nothing gets written to any

[Fwd: FW: Certificate Problems]

2004-06-16 Thread richard skeggs


Thanks for the response, to explain abit more the error I see in the log
file only get written when I start apache using apachactl startssl the
message written to ssl_error_log is:

[Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:48 2004]
[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does
NOT match server name!? [Wed Jun 16 10:59:50 2004] [warn] RSA server
certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun
16 10:59:50 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?

As for the the request I was making it was to simply get the home page of
eghapp

Using the url http://eghapp:8000 through my browser I get to view the home
page of eghapp

However https://eghapp:8000 I get the following log message  from
error_log: [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid
method in request!L!!  From access_log: 10.14.2.8 - -
[16/Jun/2004:11:07:38 +0100]  L 501 1007 Nothing gets written to the ssl
message files. The browser returns

Cannot find server or DNS Error
Internet Explorer

I am trying to install ssl on the eghapp server which is a RedHat9 linux
box. An extract from the hosts file on eghapp is:

127.0.0.1   localhost loghost
10.14.1.150 eghapp

An extract from the httpd.conf file is shown below
Listen 8000
NameVirtualHost 10.14.1.150

VirtualHost 10.14.1.150
ProxyPass /esav http://eghsnap1:8081/esav
ProxyPassReverse /esav http://eghsnap1:8081/esav
ProxyPass /ddrint http://eghsnap2:8081/ddrint
ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint
ProxyPass /vnc http://eghsnap1:80/vnc
ProxyPassReverse /vnc http://eghsnap1:80/vnc
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/html
ServerName eghapp
ErrorLog logs/error_log
CustomLog logs/access_log common
#/VirtualHost


SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCertificateFile /etc/httpd/server.csr
SSLCertificateKeyFile /etc/httpd/server.key
/VirtualHost

For your information I am running
   Apache 2.0.4.0
   IE 6.0.2

Richard


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Boyle Owen
Sent: 16 June 2004 10:20
To: [EMAIL PROTECTED]
Subject: RE: Certificate Problems


Plain text please...

If you got an error in the ssl error-log then apache must be running. The
invalid method error is exactly that - the HTTP method wasn't GET, POST
etc... What request were you making when you got the error? Cross-check
the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that he browser cannot resolve eghapp to an IP address
while curl, apparently, can. No idea why - depends on OS, browser version,
config etc. (eg, if the browser goes via a proxy, the proxy will not see a
local /etc/hosts definition of eghapp).

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache 1.3
or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est un
message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.



-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 16. Juni 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get
an error message. However when trying to start apache using the startssl
switch the following error turns up in the ssl_error_log [Tue Jun 15
15:11:04 2004] [warn] RSA server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07
2004] [warn] RSA server certificate is a CA certificate (BasicConstraints:
CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34
2004] [error] [client 10.14.1.150] Invalid method in request
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking the nothing gets written to any

certificate problems

2002-11-23 Thread Erik Boles
I apologize in advacne if this is off-topic for this list.

Just installed our new Verisign cert on our apache box but are having two
problems with it:

1. The person who generated the key that was sent to verisign used the wrong
common name so the secure URL we use doesn't match the URL on the cert,
throwing up a warning screen...any way around this other than starting over
with a new cert?


2. Whenever we start httpd we are promoted for a password for ssl to start,
which doesn't work for us as httpd restarts itself ever night.  Our old cert
never did this, is this something new?


Thanks for any help...

Erik


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: certificate problems

2002-11-23 Thread Daniel Lopez

 Just installed our new Verisign cert on our apache box but are having two
 problems with it:
 
 1. The person who generated the key that was sent to verisign used the wrong
 common name so the secure URL we use doesn't match the URL on the cert,
 throwing up a warning screen...any way around this other than starting over
 with a new cert?
 
Unfortunately no, you will need to get a new one or move your secure pages to
that domain.


 2. Whenever we start httpd we are promoted for a password for ssl to start,
 which doesn't work for us as httpd restarts itself ever night.  Our old cert
 never did this, is this something new?

The key is encrypted, so in case anyone broke into your server, the attacker
would not be able to simply take your certificate and key and impersonate you.
He would also need that passphrase.

The way of doing this is to decrypt the key :

# ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
-out www.example.com.key.unsecure

(more info at http://www.apacheworld.org/ty24/site.chapter17.html)

mod_ssl also has a directive so you can have a script provide that phrase
automatically. It is convenient, but not really any more secure, see the
How can I get rid of the pass-phrase dialog at Apache startup time? entry at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Cheers

Daniel
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Client Certificate Problems

1999-05-27 Thread Chris H. Jensen
Running Linux 2.0.36 Apache 1.3.6 Openssl 0.9.3 Mod_ssl 2.3.0 My server is up and running and seems to work fine in secure mode without a clientcert. But every time I create and install a client cert. in netscape 4.06 I getrecieved bad data from server messagethe server log has the following.[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure From reading the openssl.cnf file it says that nsCertType can beleft alone except for object signing. If I am creating a self sign cert.to sign my server.crt. Should I change the openssl.cnf file to allowsigning ca.crt and then change it back before I create my server.crt And do I do the same thing while creating client cert's with CA.shAlso, if anyone has another idea I'd like to hear it.Chris Jensen[EMAIL PROTECTED]