SSLVerifyClient

This is a discussion on SSLVerifyClient within the Modssl Users forums, part of the Web Server and Related Forums category.


#1, 06-28-2005
lingwitt@bellsouth.net

Please please help me get this stuff working.
I want client authentication. Currently, I am trying
to get authentication working with my own CA, but that is foobar.
I have an intranet where the people already have certificates.
I want to use the CA that signed those as well.
When s_client does work, it shows that the server
is requesting certificates signed by the allowed CAs, so I am
content with that.

It seems as if the browser is not sending the certificates to Apache.

I'm running Mac OS X Tiger. I've tried importing my own certificates
into Keychain, but that makes no difference, and besides, I already
have a certificate for my intranet in there that should work.
Moreover, my own signed certificates don't have purposes like "client
authentication," which is perhaps the cause of some of the trouble.

Any advice will be appreciated.

When I have SSLVerifyClient none

I can log into the SSL enabled server just fine.


When it is SSLVerifyClient optional

s_client without a certificate works

s_client with a certificate produces:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=<State>/L=<City>/O=<Organization>/OU=<Unit>/CN=<CN>/
Email=<email>
verify return:1
depth=0 /C=US/ST=<State>/L=<City>/O=<Organization>/OU=Server/
CN=<host>/Email=<email>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5100:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1046:SSL alert number 48
5100:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

and a browser causes:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0
established (server <host>:443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of
entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error
(20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server
<host>:443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib
(20):func(137):reason(178)


When it is SSLVerifyClient require

s_client without certificate: same as with cert above

s_client with certificate:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=<State>/L=<City>/O=<Organization>/OU=<Unit>/CN=<CN>/
Email=<email>
verify return:1
depth=0 /C=US/ST=<State>/L=<City>/O=<Organization>/OU=<Unit>/CN=<CN>/
Email=<email>
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5111:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1046:SSL alert number 48
5111:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

browser produces errors:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0
established (server <host>:443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of
entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error
(20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server
<host>:443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib
(20):func(137):reason(178)



Running s_server always works, and the client certificate from the
browser is loaded up.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
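Both failures in the post say the same thing from two sides: the server logs verify error 20 ("unable to get local issuer certificate") and therefore sends the client a fatal "unknown CA" alert (alert number 48). mod_ssl checks the presented client certificate against the CAs listed in SSLCACertificateFile (or SSLCACertificatePath), and error 20 means the CA that issued the client certificate is not in that set. The script below is an added example, not part of the original post and not mod_ssl's or OpenSSL's own code: it builds a throwaway intranet CA, issues a client certificate that carries the "client authentication" purpose (the one the poster's own certificates lacked), and then runs the same X.509 chain check offline with `openssl verify`, once against the wrong CA to reproduce the error-20 text from the Apache log, once against a bundle holding both CAs to show how a second CA is added. All CA names, subjects, file names and the `$WORK` directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post and not mod_ssl's code): build a
# throwaway intranet CA, issue a client certificate that carries the
# clientAuth purpose, and reproduce the server-side failure from the thread
# (verify error 20, "unable to get local issuer certificate") offline with
# `openssl verify`, which applies the same X.509 chain check mod_ssl does
# when it validates a client certificate.  All names, subjects and paths
# below are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles (constructed).  client_ext sets the "client
# authentication" purpose the poster's own certificates were missing;
# server_only_ext deliberately lacks it so the purpose check can be shown.
write_profiles() {
  cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[server_only_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Self-signed CA: $1 = file base name, $2 = common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/O=Example Intranet/CN=$2" \
    -config "$WORK/ext.cnf" -extensions ca_ext \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# End-entity certificate signed by a CA: $1 = CA base name, $2 = output
# base name, $3 = extension section from ext.cnf, $4 = common name.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Intranet/OU=Users/CN=$4" \
    -config "$WORK/ext.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$3" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Chain check as the server performs it: $1 = trusted CA file (what
# SSLCACertificateFile points at), $2 = presented cert, $3 = purpose
# (sslclient or sslserver).  Prints "ok" or "fail".
chain_status() {
  if openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The one-line reason OpenSSL gives for a failed chain, the same text
# mod_ssl logs after "Certificate Verification: Error (N):".
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

write_profiles
make_ca intranet-ca "Example Intranet CA"   # the CA that signed the users' certs
make_ca other-ca "Unrelated CA"             # a CA that did not sign them
issue_cert intranet-ca alice client_ext alice
issue_cert intranet-ca web server_only_ext web.intranet.example

# SSLCACertificateFile takes one PEM file holding every CA whose client
# certificates the server should accept; concatenating the CA certs is all
# that is needed to trust a second CA as well.
cat "$WORK/intranet-ca.crt" "$WORK/other-ca.crt" > "$WORK/client-ca-bundle.pem"

echo "trusted: intranet-ca  presented: alice -> $(chain_status "$WORK/intranet-ca.crt" "$WORK/alice.crt" sslclient)"
echo "trusted: other-ca     presented: alice -> $(chain_status "$WORK/other-ca.crt" "$WORK/alice.crt" sslclient)"
echo "  reason: $(verify_reason "$WORK/other-ca.crt" "$WORK/alice.crt")"
echo "trusted: bundle       presented: alice -> $(chain_status "$WORK/client-ca-bundle.pem" "$WORK/alice.crt" sslclient)"
echo "trusted: intranet-ca  presented: web   -> $(chain_status "$WORK/intranet-ca.crt" "$WORK/web.crt" sslclient) (no clientAuth purpose)"
```

The second line of output is the poster's situation: the server has a CA file, but not the CA that issued the certificate the browser presents, so the chain stops at depth 0 with error 20 and the handshake ends in the "unknown CA" alert. The matching server-side fix is to point SSLCACertificateFile at a bundle like `client-ca-bundle.pem` that contains every issuing CA (both the poster's own CA and the intranet CA), with SSLVerifyDepth set to cover the chain length, and then to test with `openssl s_client -connect host:443 -cert alice.crt -key alice.key -CAfile intranet-ca.crt` before involving a browser. The last line shows the purpose check the poster was worried about: a certificate whose extendedKeyUsage omits clientAuth is rejected for client use even when its chain is fine.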