Posted to users@httpd.apache.org by "TAYLOR, TIM (CONTRACTOR)" <TI...@DFAS.MIL> on 2007/02/21 21:17:41 UTC

RE: [users@httpd] Does apache check client certificate even if SSLVerifyClient is none?

Deval,
   this Library error is not in regard to a client certificate. In fact,
if it were, the message would have said so. What you should note in this
error

>It works fine for few people. When a client sends a certificate it does
>not work. Our logs indicate this error:
>SSL Library Error: 336151570 error:14094412:SSL
>routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
>certificate not server name or identical to CA!?

is "server name". The error is trying to tell you that your server
certificate has a problem. The error probably gets logged whenever you
start up Apache. The CN on your server cert should match your ServerName
directive. The other part "or identical to CA" may be telling you that
it should not be a self-signed cert either. Not sure about that.

One thing is for sure: if SSLVerifyClient is commented out, the browser
is not sending a cert. This exchange is well-defined by the TLSv1 (SSLv3
de facto) standard handshake, not subject to change by some hokey
browser.

regards,
TT
 

-----Original Message-----
From: DEVAL SHAH [mailto:devals9@hotmail.com] 
Sent: Tuesday, January 23, 2007 5:42 PM
To: users@httpd.apache.org
Subject: [users@httpd] Does apache check client certificate even if
SSLVerifyClient is none?

Hello,
I have a configuration in Apache file set up for SSL. I am not doing
client authentication as SSLVerifyClient is commented, i.e.
#SSLVerifyClient none

It works fine for few people. When a client sends a certificate it does
not work. Our logs indicate this error:
SSL Library Error: 336151570 error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
certificate not server name or identical to CA!?

Any idea what I should do to resolve this?

Thank you in advance
Deval



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
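
Added example, not part of either message and not Apache or OpenSSL code: a decoder for the "SSL Library Error" line quoted in this thread, showing that 336151570 and 14094412 are the same packed OpenSSL error and that its reason field is a TLS alert number. It assumes the pre-3.0 OpenSSL packing (8-bit library, 12-bit function, 12-bit reason) and the offset of 1000 that OpenSSL adds to alert descriptions; the function and variable names are hypothetical.

```python
import re

# Constructed sample: the log line quoted in the thread, joined onto one line.
LOG_LINE = ("SSL Library Error: 336151570 error:14094412:SSL "
            "routines:SSL3_READ_BYTES:sslv3 alert bad certificate")

SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason = 1000 + TLS alert description
# TLS alert descriptions that concern certificates (RFC 2246 / RFC 5246).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):"
                     r"([^:]*):([^:]*):(.*)")


def unpack(code):
    """Split a pre-3.0 OpenSSL packed error into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode(line):
    """Decode one 'SSL Library Error' log line into its numeric fields."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an 'SSL Library Error' line")
    dec, hexcode = int(m.group(1)), int(m.group(2), 16)
    if dec != hexcode:
        raise ValueError("decimal and hex error codes disagree")
    lib, func, reason = unpack(dec)
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    func_name = m.group(4)
    return {
        "lib": lib, "func": func, "func_name": func_name, "reason": reason,
        "alert": alert, "alert_name": CERT_ALERTS.get(alert),
        # An alert-range reason raised by the record-reading function means
        # the alert was read off the wire, i.e. it was sent by the peer.
        "received_from_peer": alert is not None and func_name.endswith("READ_BYTES"),
    }


if __name__ == "__main__":
    for key, value in decode(LOG_LINE).items():
        print(f"{key:>18}: {value}")
```

The decoded fields say the server read a fatal `bad_certificate` alert (description 42) sent by the connecting client; the log line itself does not say which certificate the client objected to.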
