From: Alberto Bambala Arbea
To: users@httpd.apache.org
Date: 10 Jan 2003 00:45:46 +0100
Message-Id: <1042155946.1561.0.camel@martinika>
Subject: [users@httpd] problem with client certificate

Hello...

I have configured my Apache servers to require certificates from clients.
Here is my config:

....
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/mycrt.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mykey.pem
SSLCACertificateFile /etc/httpd/conf/ssl.crt/cacert.crt
SSLVerifyClient require
SSLVerifyDepth 1
....

When I try to test my environment from the client I issue something like
this...

openssl s_client -connect myserver:443/blabla -state -debug

but I get this

....
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
.....
SSL_connect:SSLv3 write client key exchange A
....
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
....
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:985:SSL alert number 40
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

and this is what Apache told me...

==> /var/log/httpd/c1ssltsm-error.log <==
[Wed Jan 8 20:20:37 2003] [error] mod_ssl: SSL handshake failed (server (myserver:443, client 195.57.212.66) (OpenSSL library error follows)
[Wed Jan 8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

==> /var/log/httpd/c1ssl_engine.log <==
[08/Jan/2003 20:20:38 04328] [info] Connection to child 6 established (myserver:443, client 192.168.3.100)
[08/Jan/2003 20:20:38 04328] [info] Seeding PRNG with 1160 bytes of entropy
[08/Jan/2003 20:20:38 04328] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

Any ideas?

Thanx a lot.

k.
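An added example, not part of the original message: the hexadecimal codes in the s_client trace and the mod_ssl error log above are packed OpenSSL error values, and decoding them shows which side raised each error. It assumes the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reasons of 1000 or more are alerts received from the peer; the names `decode` and `triage` are this example's own.

```python
import re

# Error lines copied from the message above (client trace, then server log).
SAMPLE = """\
5015:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:985:SSL alert number 40
5015:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
[Wed Jan 8 20:20:37 2003] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
"""

# error:<8 hex digits>:<library name>:<function name>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\[]+)")
ERR_LIB_SSL = 20      # library number of the SSL routines
ALERT_OFFSET = 1000   # SSL_AD_REASON_OFFSET: reason = 1000 + alert number


def decode(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into its three fields."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    # An SSL-library reason >= 1000 means the peer sent a TLS alert;
    # anything lower was raised by the local library itself.
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET:
        alert = reason - ALERT_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def triage(text):
    """Decode every OpenSSL error line and mark where it originated."""
    findings = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        entry = decode(m.group(1))
        entry["code"] = m.group(1).upper()
        entry["function"] = m.group(3)
        entry["text"] = m.group(4).strip()
        entry["origin"] = "peer alert" if entry["alert"] is not None else "local"
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["code"], f["function"], f["origin"], f["reason"], f["text"])
```

The client's 14094410 decodes to alert 40 relayed from the server, while the server's 140890C7 (reason 199) is the locally raised condition, so the server-side entry is the one to investigate.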