Posted to users@httpd.apache.org by Alberto Bambala Arbea <ka...@karkomaonline.com> on 2003/01/10 00:45:46 UTC

[users@httpd] problem with client certificate

Hello...

I have configured my Apache servers to require certificates from
clients. Here is my config:

....

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/mycrt.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mykey.pem
SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt

SSLVerifyClient require
SSLVerifyDepth  1

....

When I try to test my environment from the client I issue something like
this...

openssl s_client -connect myserver:443/blabla -state -debug

but I get this

....

SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
.....
SSL_connect:SSLv3 write client key exchange A
....
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
....
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:985:SSL alert number 40
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:




and this is what Apache told me...

==> /var/log/httpd/c1ssltsm-error.log <==
[Wed Jan  8 20:20:37 2003] [error] mod_ssl: SSL handshake failed (server (myserver:443, client 195.57.212.66) (OpenSSL library error follows)
[Wed Jan  8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

==> /var/log/httpd/c1ssl_engine.log <==
[08/Jan/2003 20:20:38 04328] [info]  Connection to child 6 established (myserver:443, client 192.168.3.100)
[08/Jan/2003 20:20:38 04328] [info]  Seeding PRNG with 1160 bytes of entropy
[08/Jan/2003 20:20:38 04328] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]


Any ideas?
Thanks a lot.

k.
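
Added example, not part of the original post: a small decoder for the packed OpenSSL error codes quoted in the message, showing which ones merely relay an alert sent by the peer and which were raised by the side that logged them. It assumes the pre-3.0 OpenSSL code layout (8-bit library, 12-bit function, 12-bit reason); the function names decode and describe are made up for this example.

```python
import re

# Packed error-code layout in pre-3.0 OpenSSL (the releases that print
# SSL3_* function names): 8-bit library, 12-bit function, 12-bit reason.
ERR_LIB_SSL = 20
ALERT_OFFSET = 1000  # SSL reason >= 1000 means "peer sent alert (reason - 1000)"
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:\n]*:([^:\n]*):([^:\[\n]*)")

# Error lines from the post above, with the mail line-wraps rejoined.
CLIENT_OUT = """\
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:985:SSL alert number 40
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
"""
SERVER_LOG = """\
[Wed Jan  8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
"""

def decode(text):
    """Return one dict per OpenSSL error string found in text."""
    found = []
    for m in ERR_RE.finditer(text):
        code = int(m.group(1), 16)
        lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
        alert = None
        if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET:
            alert = reason - ALERT_OFFSET
        found.append({"code": m.group(1), "lib": lib, "func": func,
                      "func_name": m.group(2), "reason": reason,
                      "text": m.group(3).strip(), "peer_alert": alert})
    return found

def describe(err):
    """One-line verdict: relayed from the peer, or raised by the logging side."""
    if err["peer_alert"] is not None:
        name = ALERT_NAMES.get(err["peer_alert"], "unknown")
        return f"{err['code']}: peer sent alert {err['peer_alert']} ({name})"
    return f"{err['code']}: raised locally in {err['func_name']}: {err['text']}"

if __name__ == "__main__":
    for side, text in (("client", CLIENT_OUT), ("server", SERVER_LOG)):
        for err in decode(text):
            print(side, describe(err))
```

Decoded this way, the first client-side code is only the server's alert 40 being relayed, while the server-side code (reason 199) was raised locally in SSL3_GET_CLIENT_CERTIFICATE, so the server log is the place to read the cause.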


