httpd-users mailing list archives

From Alberto Bambala Arbea
Subject [users@httpd] problem with client certificate
Date Thu, 09 Jan 2003 23:45:46 GMT


I have configured my Apache servers to require certificates from
clients. Here is my config:


SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/mycrt.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mykey.pem
SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt

SSLVerifyClient require
SSLVerifyDepth  1


When I try to test my environment from the client I issue something like

openssl s_client -connect myserver:443/blabla -state -debug

but I get this


SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:985:SSL alert number 40
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake

and this is what Apache told me...

==> /var/log/httpd/c1ssltsm-error.log <==
[Wed Jan  8 20:20:37 2003] [error] mod_ssl: SSL handshake failed (server
(myserver:443, client (OpenSSL library error follows)
[Wed Jan  8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

==> /var/log/httpd/c1ssl_engine.log <==
[08/Jan/2003 20:20:38 04328] [info]  Connection to child 6 established
(myserver:443, client
[08/Jan/2003 20:20:38 04328] [info]  Seeding PRNG with 1160 bytes of
[08/Jan/2003 20:20:38 04328] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]

Any ideas?
Thanx a lot.
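
Added example, not part of the original message: a small decoder for the packed OpenSSL error codes that appear in the client output and the Apache error log above. It assumes the pre-3.0 OpenSSL code layout (8-bit library, 12-bit function, 12-bit reason); the function names decode and decode_log and the lookup tables are this example's own and cover only the codes quoted in the post.

```python
import re

# Packed layout used by OpenSSL releases before 3.0 (ERR_PACK):
# 8 bits library, 12 bits function, 12 bits reason. (Assumed for these logs.)
ERR_LIB_SSL = 20             # library number of the SSL routines
SSL_AD_REASON_OFFSET = 1000  # SSL reasons from here up are received TLS alerts

# Only the names that appear in the log lines of the post.
REASONS = {199: "peer did not return a certificate",
           229: "ssl handshake failure"}
ALERTS = {40: "handshake_failure"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode(code_hex):
    """Split one packed error code into library, function and reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason, "alert": None}
    in_alert_range = SSL_AD_REASON_OFFSET <= reason <= SSL_AD_REASON_OFFSET + 255
    if lib == ERR_LIB_SSL and in_alert_range:
        # The peer sent an alert; the reason is the alert number plus 1000.
        info["alert"] = reason - SSL_AD_REASON_OFFSET
        info["text"] = "alert received: " + ALERTS.get(info["alert"], "unknown")
    else:
        info["text"] = REASONS.get(reason, "unknown")
    return info


def decode_log(text):
    """Return (code, decoded) for every OpenSSL error code found in text."""
    return [(m.group(1), decode(m.group(1))) for m in ERR_RE.finditer(text)]


# Error lines copied from the post (client output, then the Apache error log).
SAMPLE = """\
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
[Wed Jan  8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL
"""

if __name__ == "__main__":
    for code, decoded in decode_log(SAMPLE):
        print(code, decoded)
```

Decoded this way, 14094410 on the client is reason 1040, that is alert 40 received from the server, and 140890C7 on the server is reason 199, the "peer did not return a certificate" condition named in the Apache log.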


The official User-To-User support forum of the Apache HTTP Server Project.