client certificate problems

2005-01-11 Thread john mcnicholas

In short, I'm working on duplicating a web site locally for testing, and
I am unable to get client certificates to work here in my lab.

The main/public site is using Apache 1.3.33 on OS X and is properly
configured for client certs, but I can't get this test configuration
to work. I am using Apache 2.0.52, so that could be a factor.
(If necessary, I will try to reconfigure with 1.3.33.)

The client browser is IE 6.x, and what is odd is that when I navigate to the
main/public site I am prompted to select a certificate, but when
I navigate to the test site IE 6.x just times out. For that reason
I am suspicious of the Apache configuration, but I can't be certain.

I tried with Firefox (1.0) and it also timed out. Firefox is
configured to ask every time for client cert selection and,
like IE, I am not prompted.

(I'm also suspicious as to why I can't select the client certificate 
from the IE dialog for the test site - only the certificate for the 
public site is listed.)

The virtual host configuration is listed below (ssl.conf was
unchanged for 2.0.52) and the error in the ssl.log is also listed
below. If anyone could offer any troubleshooting tips, that would
be greatly appreciated.

Thanks for your time and assistance.

John

//-

Additional information:

Version: Apache/2.0.52
OS:  Mac OS X 10.3.7

//-

// here is the log of the error:

[info] Initial (No.1) HTTPS request received for child 5 (server www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?


//-

// here is the virtual host info:

<VirtualHost www.apollo.home:443>
 DocumentRoot /some_directory/ssl_site
 ServerAdmin [EMAIL PROTECTED]
 ServerName www.apollo.home
 LogLevel warn
 # LogLevel debug

 SetEnvIf User-Agent .*MSIE.* \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

 #   Per-Server Logging:

 CustomLog  logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 ErrorLog   logs/apollo/443.error.log
 DirectoryIndex index.html
 <IfModule mod_ssl.c>
 #
 #  ssl stuff
 #
 SSLEngine On
 SSLProtocol all -SSLv3
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 #
 #
 LogLevel debug
 ErrorLog logs/apollo/ssl.log
 SSLOptions +StdEnvVars +ExportCertData

 #
 #
 # path to certificates and private key
 #
 SSLCertificateFile    /some_directory/openssl/servers/www.apollo.home.cert.pem
 SSLCertificateKeyFile /some_directory/openssl/servers/www.apollo.home.key.unencrypted

 SSLCACertificateFile  /some_directory/openssl/private/CA-1.cert.pem
 </IfModule>

 # per-directory verify mode: mod_ssl has to renegotiate to request the
 # client cert (the "Changed client verification type" entry in ssl.log)
 <Location /secure_dir>
 SSLVerifyClient require
 SSLVerifyDepth  3
 </Location>

</VirtualHost>




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Client Certificate Problems

1999-05-27 Thread Chris H. Jensen
Running Linux 2.0.36, Apache 1.3.6, OpenSSL 0.9.3, mod_ssl 2.3.0.

My server is up and running and seems to work fine in secure mode without a client cert. But every time I create and install a client cert in Netscape 4.06 I get a "received bad data from server" message. The server log has the following:

[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)
[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

From reading the openssl.cnf file it says that nsCertType can be left alone except for object signing. If I am creating a self-signed cert to sign my server.crt, should I change the openssl.cnf file to allow signing ca.crt and then change it back before I create my server.crt? And do I do the same thing while creating client certs with CA.sh?

Also, if anyone has another idea I'd like to hear it.

Chris Jensen
[EMAIL PROTECTED]
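A script for the checks both threads come down to, added here as an example; it is not code from either post and it assumes only the openssl command-line tool. It builds a throwaway CA (standing in for the first post's CA-1.cert.pem), a second unrelated CA and three client certificates, then asks of each one: does it chain to the server's SSLCACertificateFile (what SSLVerifyClient require and SSLVerifyDepth check), is its issuer among the CA names mod_ssl advertises in its CertificateRequest (a browser only offers client certificates whose issuer is on that list, which is why a certificate issued under another site's CA never shows up in the IE dialog), and does OpenSSL accept it for the "SSL client" purpose (which it refuses when nsCertType is present without the client bit, the question the 1999 post raises). The CA names, file names and nsCertType values are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from either post. Assumes only the openssl CLI.
# Builds throwaway CAs and client certs, then runs the three checks a
# client-cert failure usually comes down to:
#   1. chain_ok          - does the cert chain to SSLCACertificateFile?
#   2. issuer_advertised - is its issuer one of the CA names the server
#                          sends in its CertificateRequest (so the browser
#                          lists it at all)?
#   3. ssl_client_ok     - does OpenSSL accept it for the "SSL client"
#                          purpose (nsCertType / keyUsage)?
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# constructed CAs: ca1 is what the server trusts (think CA-1.cert.pem),
# ca2 is some other site's CA
mkca() {  # mkca <name> <CN>
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkca ca1 "CA-1"
mkca ca2 "Other CA"

# issue a client cert from <ca> with the given nsCertType value
mkclient() {  # mkclient <name> <ca> <nsCertType>
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nnsCertType=%s\n' \
    "$3" > "$WORK/$1.ext"
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}
mkclient good    ca1 client   # what a working client cert looks like
mkclient srvonly ca1 server   # nsCertType says "server": no good for client auth
mkclient foreign ca2 client   # fine cert, but issued by a CA the server doesn't list

# 1. chain check, as SSLVerifyClient require + SSLCACertificateFile do it
chain_ok() {  # chain_ok <cafile> <cert> -> yes|no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# 2. mod_ssl sends the subject DN of every cert in SSLCACertificateFile as
#    an acceptable issuer; the browser only offers client certs whose
#    issuer matches one of them. crl2pkcs7|pkcs7 walks a multi-cert file.
issuer_advertised() {  # issuer_advertised <cafile> <cert> -> yes|no
  issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
  if openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
       | sed -n 's/^subject= *//p' | grep -qxF -- "$issuer"; then
    echo yes; else echo no; fi
}

# 3. purpose check: OpenSSL (and therefore mod_ssl, which verifies the
#    client chain with the SSL client purpose) refuses a cert whose
#    nsCertType lacks the client bit or whose keyUsage lacks digitalSignature
ssl_client_ok() {  # ssl_client_ok <cert> -> yes|no
  if openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client *: Yes'; then
    echo yes; else echo no; fi
}

report() {  # report <cafile> <cert>
  printf '%-8s chain=%-3s advertised=%-3s sslclient=%s\n' "$(basename "$2" .pem)" \
    "$(chain_ok "$1" "$2")" "$(issuer_advertised "$1" "$2")" "$(ssl_client_ok "$2")"
}
for c in good srvonly foreign; do report "$WORK/ca1.pem" "$WORK/$c.pem"; done
```

For a real deployment, point chain_ok and issuer_advertised at the server's actual SSLCACertificateFile and at the client certificate exported from the browser. These checks only say whether a certificate would be accepted once the server asks for it; the renegotiation the first post's ssl.log shows is a separate step (the verify mode changes inside a <Location>, so mod_ssl has to renegotiate mid-connection to request the cert), and putting SSLVerifyClient at the VirtualHost level avoids that renegotiation entirely.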