You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Aman Raheja <ar...@techquotes.com> on 2005/06/06 21:01:22 UTC

[users@httpd] client cert auth issue

1. apache 2.0.54 on Sol 8

2. I have the following in a vhost used for client auth proxy

    SSLProxyEngine On
    SSLVerifyDepth 4
    SSLProxyVerify require
    SSLProxyCACertificateFile "/usr/local/apache/server2/ssl/CA.pem"
    SSLProxyMachineCertificateFile 
"/usr/local/apache/server2/ssl/client.pem"

3. When I run the following on command line
openssl s_client -connect >servername>:443 -cert 
/usr/local/apache/server2/ssl/client.pem -CAfile 
/usr/local/apache/server2/ssl/CA.pem

I get, in the last line
    Verify return code: 0 (ok)

which verifies my certs.


4. But through the browser I get Internal Server Error and in the error log

[Mon Jun 06 13:58:39 2005] [error] Certificate Verification: Certificate 
Chain too long (chain has 4 certificates, but maximum allowed are only 1)


5. Now, my CA has a chain of 4 certs and I have specified the 
SSLVerifyDepth in the config to be 4.
What's missing?

TIA
Aman

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] client cert auth issue

Posted by Aman Raheja <ar...@techquotes.com>.

Hello All
Though I did not get any response for my question, having already 
resolved it, I thought it will be a good idea to post it.
I was missing the following:
Should have used SSLProxyVerifyDepth 4 instead of SSLVerifyDepth 4
Now it's all good.
HTH
Aman Raheja
http://www.techquotes.com

Aman Raheja wrote:

> 1. apache 2.0.54 on Sol 8
>
> 2. I have the following in a vhost used for client auth proxy
>
>    SSLProxyEngine On
>    SSLVerifyDepth 4
>    SSLProxyVerify require
>    SSLProxyCACertificateFile "/usr/local/apache/server2/ssl/CA.pem"
>    SSLProxyMachineCertificateFile 
> "/usr/local/apache/server2/ssl/client.pem"
>
> 3. When I run the following on command line
> openssl s_client -connect >servername>:443 -cert 
> /usr/local/apache/server2/ssl/client.pem -CAfile 
> /usr/local/apache/server2/ssl/CA.pem
>
> I get, in the last line
>    Verify return code: 0 (ok)
>
> which verifies my certs.
>
>
> 4. But through the browser I get Internal Server Error and in the 
> error log
>
> [Mon Jun 06 13:58:39 2005] [error] Certificate Verification: 
> Certificate Chain too long (chain has 4 certificates, but maximum 
> allowed are only 1)
>
>
> 5. Now, my CA has a chain of 4 certs and I have specified the 
> SSLVerifyDepth in the config to be 4.
> What's missing?
>
> TIA
> Aman 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org