httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Apache gives SSL Library error complaining about common name - Help
Date Tue, 23 Jan 2007 02:01:24 GMT
Ok. I believe that the problem is in the proxy. Client certificates
AREN'T proxied. As far as I remember, you have your server configured
with "SSLVerifyClient Required", which means that the client MUST provide a
certificate to get access, but their proxy doesn't ask for it and
doesn't present it to your server. So you have that error because
there is no client certificate in the SSL handshake. One solution
is to configure their proxy to use a certificate to connect to your
server (Apache mod_proxy can do that), but it breaks the whole idea of
access control, because in this case all users of their proxy will be
authenticated with one common cert.

Hope that was clear.

On 1/22/07, DEVAL SHAH <devals9@hotmail.com> wrote:
> Hello,
> I have posted this question earlier but got no response. I am stating it
> again. Please help with some ideas.
> I have a certificate installed for my domain from Thawte. Now if anyone
> tries to access the webpage using a browser it works perfect.
> One of our clients has a proxy server. When they access our website using
> their proxy they cannot access it. They get 500 Internal Server Error. Our
> logs indicate the following error:
>
> [debug] ssl_engine_kernel.c(1762): OpenSSL: Read: SSLv3 read client
> certificate A
> [debug] ssl_engine_kernel.c(1781): OpenSSL: Exit: failed in SSLv3 read
> client certificate A
> SSL library error 1 in handshake (server abc.com:443)
> SSL Library Error: 336151570 error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
> certificate not server name or identical to CA!?
> Connection closed to child 1 with abortive shutdown (server abc.com:443)
>
> Now according to them they are doing everything perfect as they can access
> another of our SSL server perfectly well. What am I missing - I am sure our
> SSL certificate is valid as browser does not give any error.
> I am not using Client certificate authentication as I have SSLVerifyClient
> none
>
> Any help is appreciated.
>
> Thanks
> Deval
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
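Added example, not part of either message: a decoder for the numeric OpenSSL error in the quoted log, useful when triaging mod_ssl handshake failures. It assumes the error packing used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason), which matches the hex string 14094412 in the log; the function names and the small lookup tables are written for this example.

```python
import re

# Pre-3.0 OpenSSL packs an error as: library (8 bits) | function (12) | reason (12).
# SSL reason codes above 1000 are TLS alert numbers offset by 1000.
SSL_AD_REASON_OFFSET = 1000

# Subsets of the OpenSSL and TLS tables, enough for handshake certificate alerts.
LIBS = {20: "SSL routines"}
FUNCS = {148: "SSL3_READ_BYTES"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca"}

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")

# The mod_ssl line from the quoted log, re-joined after mail wrapping.
SAMPLE = ("SSL Library Error: 336151570 error:14094412:SSL "
          "routines:SSL3_READ_BYTES:sslv3 alert bad certificate")


def decode(code):
    """Split a packed error code into library, function, reason and alert."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason > SSL_AD_REASON_OFFSET else None
    return {
        "lib": lib, "lib_name": LIBS.get(lib, "unknown"),
        "func": func, "func_name": FUNCS.get(func, "unknown"),
        "reason": reason,
        "alert": alert,  # set only when the reason encodes a TLS alert
        "alert_name": ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def decode_log_line(line):
    """Decode a mod_ssl 'SSL Library Error' line; None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    decimal, packed = int(m.group(1)), int(m.group(2), 16)
    if decimal != packed:  # both renderings of the code must agree
        raise ValueError("decimal and hex error codes differ")
    return decode(packed)


if __name__ == "__main__":
    print(decode_log_line(SAMPLE))
```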
