httpd-users mailing list archives

From "Brian Rook" <Brian.R...@state.co.us>
Subject Re: [users@httpd] client cert authentication problem
Date Thu, 09 Dec 2004 22:43:46 GMT
Forgot to add my error log information in the last email:

[Thu Dec 09 10:51:04 2004] [error] Certificate Verification: Error (18): self signed certificate
[Thu Dec 09 10:51:04 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.154.64)
[Thu Dec 09 10:51:04 2004] [error] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[Thu Dec 09 10:52:19 2004] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Thu Dec 09 10:52:20 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.158.212)
[Thu Dec 09 10:52:20 2004] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)

This is what the last entry looked like.

Looks like Apache _is_ trying to do some sort of certificate
validation.

>>> jorton@redhat.com 12/9/2004 1:20:27 PM >>>
On Thu, Dec 09, 2004 at 10:34:09AM -0700, Brian Rook wrote:
> Hello,
> 
> I added the following lines to my virtual host
> 
> <VirtualHost dev.childsupport.state.co.us:443>
>   ServerName dev.childsupport.state.co.us
>   SSLEngine on
> *>  SSLVerifyClient require
> *>  SSLVerifyDepth 10
>   SSLCertificateFile conf/ssl.crt/myserver.crt
>   SSLCertificateKeyFile conf/ssl.key/myserver.key
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   ProxyRemote  /*  http://myserver:8080/ 
>   ProxyPass / http://myserver:8080/ 
>   ProxyPassReverse / http://myserver:8080/ 
>  </VirtualHost>

You also have to configure the set of trusted CAs for you have issued
client certificates, using SSLCACertificateFile and ...Path - have you
done that?

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile


What does the server error_log say?

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 
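
Added example, not part of the original thread: a small decoder for the "SSL Library Error" and "Certificate Verification" entries quoted above. It assumes the packed error layout of the OpenSSL releases of this era (lib in the top 8 bits, func in the next 12, reason in the low 12); the name tables cover only the codes that appear in this message, and the function names are hypothetical.

```python
import re

# Packed error layout assumed here (OpenSSL before 3.0):
# lib in bits 24-31, func in bits 12-23, reason in bits 0-11.
LIBS = {20: "SSL"}
FUNCS = {137: "SSL3_GET_CLIENT_CERTIFICATE"}
REASONS = {
    178: "NO_CERTIFICATE_RETURNED",
    199: "PEER_DID_NOT_RETURN_A_CERTIFICATE",
}
VERIFY = {18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"}

# Log lines taken from the message above, with the mail wrapping undone.
SAMPLE_LOG = """\
[Thu Dec 09 10:51:04 2004] [error] Certificate Verification: Error (18): self signed certificate
[Thu Dec 09 10:51:04 2004] [error] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[Thu Dec 09 10:52:20 2004] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)
"""

LIB_ERR = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")
VERIFY_ERR = re.compile(r"Certificate Verification: Error \((\d+)\)")


def unpack(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(line):
    """Return a readable form of one error_log line, or None if not SSL-related."""
    m = VERIFY_ERR.search(line)
    if m:
        n = int(m.group(1))
        return "verify {}: {}".format(n, VERIFY.get(n, "unknown"))
    m = LIB_ERR.search(line)
    if m:
        code = int(m.group(1))
        if code != int(m.group(2), 16):  # decimal and hex forms must agree
            return "mismatched decimal/hex code"
        lib, func, reason = unpack(code)
        return "{}:{}:{}".format(
            LIBS.get(lib, lib), FUNCS.get(func, func), REASONS.get(reason, reason))
    return None


def explain_log(text):
    return [e for e in map(explain, text.splitlines()) if e]


if __name__ == "__main__":
    for entry in explain_log(SAMPLE_LOG):
        print(entry)
```

Both library errors come from the server-side step that reads the client certificate. Reason 178 is logged at the same second as verify error 18 (a self-signed client certificate), and reason 199 means the peer did not return a certificate at all.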



