Re: Problem with SSLVerifyClient

2004-07-02 Thread Fulvio LAZ
Does someone know where I can find apache2-mod_ssl 2.50?

Thanks
Fulvio
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: Problem with SSLVerifyClient

2004-07-02 Thread Matt Stevenson
You don't need the hash link for the
SSLCACertificateFile; just put the real filename in.

Also, are you using a root and intermediate cert? Then
add SSLVerifyDepth 2.

Upgrading may be a good idea but I have Apache/2.0.48
(Unix) mod_ssl/2.0.48 OpenSSL/0.9.7c running with
client cert auth. But then that's RH on i386 (custom
compile).

> SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
> SSLVerifyClient require

--- Fulvio LAZ [EMAIL PROTECTED] wrote:

> > First of all, does it work if you comment the
> > SSLVerifyClient require
> > directive out? Also, do you get a core file and can
> > you do a backtrace in gdb (with lib info)?
> >
> > Regards
> > Matt
>
> Dear Matt, thanks for your reply
>
> If I set SSLVerifyClient optional (or comment it)
> Apache works but the client CA isn't sent to my
> server (I need the client distinguished name)
>
> If I set LogLevel debug and SSLVerifyClient
> require I can see in error_log:
>
> [info] Server built: Mar 16 2004 15:30:28
> [debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
> [notice] child pid 18934 exit signal Segmentation fault (11)
>
> and in ssl_error_log
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 read client hello A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write server hello A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate A
> [debug] ssl_engine_kernel.c(1170): handing out temporary 1024 bit DH key
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write key exchange A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
> [debug] ssl_engine_io.c(1446): +--+
> [debug] ssl_engine_io.c(1471): | : 16 03 00 04 c9 |
> [debug] ssl_engine_io.c(1477): +--+
> [debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
> .
> .




Re: Problem with SSLVerifyClient

2004-07-01 Thread Matt Stevenson
--- Fulvio LAZ [EMAIL PROTECTED] wrote:
 
 
> Dear Sirs
> I write to ask for a little help about a problem
> with Apache configuration.
>
> My system is: Apache-AdvancedExtranetServer/2.0.48
> (Mandrake Linux/6mdk) mod_ssl/2.0.48
> OpenSSL/0.9.7c PHP/4.3.4
>
> I want to read the client distinguished name in a PHP page
> (client using browser with pkcs12
> certificate inside),
> so I added the following lines to
> /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf
>
>  SSLCertificateFile /etc/grid-security/tomcatcert.pem
>  SSLCertificateKeyFile /etc/grid-security/tomcatkey.pem.plain
>  SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
>  SSLVerifyClient require
>
> When I try to contact the http server in https mode,
> the connection is refused and in
> ssl_error_log I see [notice] child pid 11835 exit
> signal Segmentation fault (11)
>
> Could someone help me?
>
> Thanks
> Fulvio Lazzarato


First of all, does it work if you comment the
SSLVerifyClient require
directive out? Also, do you get a core file and can
you do a backtrace in gdb (with lib info)?

Regards
Matt


Re: Problem with SSLVerifyClient

2004-07-01 Thread Fulvio LAZ

> First of all, does it work if you comment the
> SSLVerifyClient require
> directive out? Also, do you get a core file and can
> you do a backtrace in gdb (with lib info)?
>
> Regards
> Matt

Dear Matt, thanks for your reply

If I set SSLVerifyClient optional (or comment it) Apache works but the client CA isn't
sent to my server (I need the client distinguished name)

If I set LogLevel debug and SSLVerifyClient require I can see in error_log:

[info] Server built: Mar 16 2004 15:30:28
[debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
[notice] child pid 18934 exit signal Segmentation fault (11)

and in ssl_error_log
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate A
[debug] ssl_engine_kernel.c(1170): handing out temporary 1024 bit DH key
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write key exchange A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
[debug] ssl_engine_io.c(1446): +--+
[debug] ssl_engine_io.c(1471): | : 16 03 00 04 c9 |
[debug] ssl_engine_io.c(1477): +--+
[debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
.
.
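
Added example (not part of the original message, and not mod_ssl code): the 5-byte BIO dump in the ssl_error_log above is an SSL/TLS record header, and decoding it shows a handshake record, version 3.0, whose length 0x04c9 = 1225 matches the 1225-byte read that follows, i.e. the client's reply to the certificate request. The sample log is constructed from the thread's lines, unwrapped; the function names are this example's own.

```python
import re

# Constructed sample: the thread's ssl_error_log lines, unwrapped onto one line each.
SAMPLE_LOG = """\
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
[debug] ssl_engine_io.c(1471): | : 16 03 00 04 c9 |
[debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
READ_RE = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes")
# Hex column of a dump line; the offset before ':' is missing in the archived log.
DUMP_RE = re.compile(r"\|\s*[0-9a-fA-F]*:\s*((?:[0-9a-fA-F]{2}\s+)+)\|")

def parse_record_header(raw: bytes) -> dict:
    """Decode the 5-byte SSL/TLS record header: type, version, body length."""
    if len(raw) != 5:
        raise ValueError("record header is exactly 5 bytes")
    return {
        "type": CONTENT_TYPES.get(raw[0], f"unknown({raw[0]})"),
        "version": VERSIONS.get((raw[1], raw[2]), f"unknown({raw[1]}.{raw[2]})"),
        "length": int.from_bytes(raw[3:5], "big"),
    }

def records_in_log(text: str) -> list:
    """Pair each dumped 5-byte header with the body read that follows it."""
    records, pending, want_header = [], None, False
    for line in text.splitlines():
        read = READ_RE.search(line)
        if read:
            got, asked = int(read.group(1)), int(read.group(2))
            if pending is not None:
                # The body read should ask for exactly the header's length.
                pending["body_complete"] = got == asked == pending["length"]
                records.append(pending)
                pending = None
            else:
                want_header = got == asked == 5
            continue
        dump = DUMP_RE.search(line)
        if dump and want_header:
            raw = bytes.fromhex(dump.group(1))
            if len(raw) == 5:
                pending = parse_record_header(raw)
            want_header = False
    if pending is not None:  # log ended before the body was read
        pending["body_complete"] = False
        records.append(pending)
    return records

if __name__ == "__main__":
    for rec in records_in_log(SAMPLE_LOG):
        print(rec)
```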










Re: Problem with SSLVerifyClient

2004-07-01 Thread Joe Orton
On Thu, Jul 01, 2004 at 10:50:30PM +0200, Fulvio LAZ wrote:
> If I set LogLevel debug and SSLVerifyClient require I can see in error_log:
>
> [info] Server built: Mar 16 2004 15:30:28
> [debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
> [notice] child pid 18934 exit signal Segmentation fault (11)

Is this with 2.0.49?  There's a known segfault in the 2.0.49 mod_ssl - 
upgrade to 2.0.50.

Regards,

joe