Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/12/07 10:01:40 UTC
DO NOT REPLY [Bug 52298] New: Can't enter website with client
certificate on an iPad
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
Bug #: 52298
Summary: Can't enter website with client certificate on an iPad
Product: Apache httpd-2
Version: 2.2.21
Platform: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: stefanblanke@t-online.de
Classification: Unclassified
Configured an XAMPP installation (1.7.7) to enter a website with client
certificates. Works fine in Firefox, IE and Chrome.
But when entering the website with an iPad (tested on an iPad 2) there comes no
prompt (as expected) to select a client certificate. It just returns a 403
error.
Using an older XAMPP installation (1.7.4) with Apache 2.2.17 everything works
fine.
Snippet of my ssl config:
httpd-ssl.conf:
    ...
    SSLVerifyClient optional
    SSLVerifyDepth 10
    Include conf/extra/httpd-ssl-papp.conf
    ...
httpd-ssl-papp.conf:
    <Location /test>
        SSLRequire %{SSL_CLIENT_S_DN_CN} in { "CERT NAME" }
    </Location>
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
Stefan Blanke <st...@t-online.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #5 from Stefan Blanke <st...@t-online.de> 2011-12-08 12:34:44 UTC ---
The server trusts the CA. Otherwise it couldn't work in other browsers. We used
the same files as on the older version.
On client side: client.p12, root CA, client CA
On server side: server.crt, server.key, server-chain.crt
client CA and server CA are built from the root CA.
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #4 from Eric Covener <co...@gmail.com> 2011-12-08 11:30:28 UTC ---
Maybe it's not signed by a CA trusted by the server.
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
Eric Covener <co...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #6 from Eric Covener <co...@gmail.com> 2011-12-08 21:04:23 UTC ---
Can you show how the handshakes differ between the two versions?
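Added example (not part of the original thread): one way to answer the question above about how the handshakes differ is to save `openssl s_client` output from each httpd version and compare the CA names each server advertises when it requests a client certificate. The two captures below are constructed and abridged, not taken from the reporter's servers, and HOST is a placeholder.

```shell
#!/bin/sh
# Added example: compare the client-certificate request in two saved
# `openssl s_client` captures. Capture each server first, e.g.
#   openssl s_client -connect HOST:443 </dev/null >capture.txt 2>&1
# (HOST is a placeholder.)
LC_ALL=C; export LC_ALL

# CA names the server advertised in its CertificateRequest, sorted.
# Prints nothing when the capture has no such section.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { on = 1; next }
        on && (/^---/ || /^Client Certificate Types/ || /^Requested Signature Algorithms/) { on = 0 }
        on && NF { print }
    ' "$1" | sort
}

# Names advertised by only one of the two servers.
ca_diff() {
    a=$(mktemp); b=$(mktemp)
    acceptable_cas "$1" >"$a"; acceptable_cas "$2" >"$b"
    comm -23 "$a" "$b" | sed 's/^/only-in-first: /'
    comm -13 "$a" "$b" | sed 's/^/only-in-second: /'
    rm -f "$a" "$b"
}

# Constructed, abridged captures (not from the reporter's servers).
WORK=$(mktemp -d)
cat >"$WORK/first.txt" <<'EOF'
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=DE/O=Example/CN=Example Root CA
/C=DE/O=Example/CN=Example Client CA
---
SSL handshake has read 2412 bytes and written 456 bytes
EOF
cat >"$WORK/second.txt" <<'EOF'
CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=DE/O=Example/CN=Example Root CA
---
SSL handshake has read 2371 bytes and written 456 bytes
EOF

ca_diff "$WORK/first.txt" "$WORK/second.txt"
```

A capture that contains "No client certificate CA names sent" instead of the section header yields an empty list from acceptable_cas, so every name from the other capture shows up in the diff.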
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
--- Comment #2 from Erwann Abalea <er...@keynectis.com> 2011-12-07 11:24:41 UTC ---
Sorry, use "SSLVerifyClient require" instead.
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
--- Comment #3 from Stefan Blanke <st...@t-online.de> 2011-12-08 09:07:49 UTC ---
After setting it to require instead of optional I get the following error
message:
"This website requires a certificate to validate your identity."
or similar to this, I just translated it.
But the p12-cert is installed correctly.
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
Stefan Blanke <st...@t-online.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stefanblanke@t-online.de
Platform|PC |Other
OS/Version| |other
DO NOT REPLY [Bug 52298] Can't enter website with client certificate
on an iPad
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52298
--- Comment #1 from Erwann Abalea <er...@keynectis.com> 2011-12-07 11:23:27 UTC ---
It's not a bug in Apache, but a problem in Mobile Safari behavior.
Change the "SSLVerifyClient optional" into "SSLVerifyClient verify", and you'll
be prompted.
Mobile Safari tries to connect to a site without a client certificate, and if
it works, no renegotiation will be accepted.