httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Client Certificate authentication not working
Date Sat, 20 Jan 2007 00:06:08 GMT
What version of Apache do you use? There is a well-known problem for
this in Apache 2.0.XX (there is an unofficial patch for it but I
didn't try it) and the only way to fix it is to upgrade to Apache
2.2.XX.

On 1/19/07, DEVAL SHAH <devals9@hotmail.com> wrote:
> Hello,
> Please help me. I have been trying to get this working for 2 weeks now. Here
> is the error:
> [debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation
> [info] Requesting connection re-negotiation
> ......
> ...
> [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B
> [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B
> [error] Re-negotiation handshake failed: Not accepted by client!?
>
> I created a local CA. Worked fine
> I have a trusted certificate from Thawte on Apache
> I created a client certificate using my local CA - worked well. CN = Deval
> Shah
> I imported the client certificate and CA certificate in IE. IE shows the
> certificate properly without any error.
>
> httpd-ssl.conf file
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt  -> Points to certificate from Thawte
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/devalCA.crt  -> local CA that I created
> SSLVerifyDepth  10
> <Location /testcerts/*>
>   SSLOptions +ExportCertData +OptRenegotiate +StdEnvVars
>   SSLVerifyClient require
>   SSLRequire     %{SSL_CLIENT_S_DN_CN} in {"Deval Shah"}
> </Location>
>
> Let me know what is wrong?
>
> Thanks
> Deval
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
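
Added example, not part of the original thread and not mod_ssl code: a small triage helper that scans an error log for the sequence shown in the quoted post (a verification-type change forcing renegotiation, then a failed handshake) and reports the OpenSSL state it failed in. The function name and result fields are hypothetical; it assumes the lines are in order and belong to one connection.

```python
import re

# Message fragments copied from the mod_ssl log excerpt in the quoted post.
RENEG_TRIGGER = "Changed client verification type will force renegotiation"
RENEG_REQUEST = "Requesting connection re-negotiation"
RENEG_FAILED = "Re-negotiation handshake failed"
STATE_ERROR = re.compile(r"OpenSSL: Exit: error in (.+)$")
LEVEL = re.compile(r"\[(debug|info|notice|warn|error)\]\s+(.*)$")

def find_failed_renegotiations(lines):
    """Return one dict per renegotiation attempt that ended in a failure.

    Assumption: lines are in order and from one connection, since the
    excerpt in the post carries no connection identifier.
    """
    findings, attempt = [], None
    for number, raw in enumerate(lines, start=1):
        match = LEVEL.search(raw.rstrip())
        if not match:
            continue  # elisions ("......") and non-log lines
        msg = match.group(2)
        if RENEG_TRIGGER in msg or (RENEG_REQUEST in msg and attempt is None):
            # New attempt; the trigger line means a per-directory
            # SSLVerifyClient change caused the renegotiation.
            attempt = {"start_line": number, "failed_state": None,
                       "verify_change": RENEG_TRIGGER in msg}
        elif attempt is not None and STATE_ERROR.search(msg):
            attempt["failed_state"] = STATE_ERROR.search(msg).group(1)
        elif attempt is not None and RENEG_FAILED in msg:
            attempt["end_line"] = number
            findings.append(attempt)
            attempt = None
    return findings

# Constructed sample: lines 1-6 reuse the post's excerpt (wrapped lines
# rejoined); lines 7-8 are an invented attempt with no failure logged.
SAMPLE_LOG = [
    "[debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation",
    "[info] Requesting connection re-negotiation",
    "......",
    "[debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSLv3 read client certificate B",
    "[debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate B",
    "[error] Re-negotiation handshake failed: Not accepted by client!?",
    "[debug] ssl_engine_kernel.c(426): Changed client verification type will force renegotiation",
    "[info] Requesting connection re-negotiation",
]

if __name__ == "__main__":
    for finding in find_failed_renegotiations(SAMPLE_LOG):
        print(finding)
```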
