httpd-users mailing list archives

From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Apache gives SSL Library error complaining about common name - Help
Date Tue, 23 Jan 2007 02:34:10 GMT
On 1/22/07, DEVAL SHAH <devals9@hotmail.com> wrote:
> Hello,
> Thanks for the reply but this is my config:
> #SSLVerifyClient require
> SSLVerifyDepth  10
>
> so it is commented out and the default is SSLVerifyClient none.
> Also I tried using SSLVerifyClient none but that didn't work either.

Don't know what to tell you then.

>
> Any other idea? Can this be related to machine configuration?

It could be related to the installed version of OpenSSL. You said that
your clients don't have a problem with accessing other SSL server of
yours. Compare their configuration then.

>
> Thank you.
> Deval
>
>
> >From: "Serge Dubrouski" <sergeyfd@gmail.com>
> >Reply-To: users@httpd.apache.org
> >To: users@httpd.apache.org
> >Subject: Re: [users@httpd] Apache gives SSL Library error complaining about
> >common name - Help
> >Date: Mon, 22 Jan 2007 19:01:24 -0700
> >
> >Ok. I believe that the problem is in the proxy. Client certificates
> >AREN'T proxied. As far as I remember, you have your server configured
> >with "SSLVerifyClient Required", that means that client MUST provide a
> >certificate to get access, but their proxy doesn't ask for it and
> >doesn't present it to your server. So you have that error because
> >there is no client certificate in SSL handshake. One of the solutions
> >is to configure their proxy to use a certificate to connect to your
> >server (Apache mod_proxy can do that) but it breaks the whole idea of
> >access control, because in this case all users of their proxy will be
> >authenticated with one common cert.
> >
> >Hope that was clear.
> >
> >On 1/22/07, DEVAL SHAH <devals9@hotmail.com> wrote:
> >>Hello,
> >>I have posted this question earlier but got no response. I am stating it
> >>again. Please help with some ideas.
> >>I have a certificate installed for my domain from Thawte. Now if anyone
> >>tries to access the webpage using a browser it works perfect.
> >>One of our clients has a proxy server. When they access to our website
> >>using
> >>their proxy they cannot access it. They get 500 Internal Server Error. Our
> >>logs indicate the following error:
> >>
> >>[debug] ssl_engine_kernel.c(1762): OpenSSL: Read: SSLv3 read client
> >>certificate A
> >>[debug] ssl_engine_kernel.c(1781): OpenSSL: Exit: failed in SSLv3 read
> >>client certificate A
> >>SSL library error 1 in handshake (server abc.com:443)
> >>SSL Library Error: 336151570 error:14094412:SSL
> >>routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
> >>certificate not server name or identical to CA!?
> >>Connection closed to child 1 with abortive shutdown (server abc.com:443)
> >>
> >>Now according to them they are doing everything perfect as they can access
> >>another of our SSL server perfectly well. What am I missing - I am sure
> >>our
> >>SSL certificate is valid as browser does not give any error.
> >>I am not using Client certificate authentication as I have SSLVerifyClient
> >>none
> >>
> >>Any help is appreciated.
> >>
> >>Thanks
> >>Deval
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>The official User-To-User support forum of the Apache HTTP Server Project.
> >>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >>
> >
>
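
Added example, not part of the original thread and not Apache or OpenSSL code: a Python decoder for the packed OpenSSL error code in the log line quoted above, assuming the pre-3.0 OpenSSL code layout (library, function, reason). It shows that reason 1042 in the SSL library is alert 42 (bad_certificate) read from the remote peer; the names `SAMPLE`, `decode` and `explain` are hypothetical.

```python
import re

# Constructed sample: the error line quoted in the thread, joined onto one line.
SAMPLE = ("SSL Library Error: 336151570 error:14094412:SSL "
          "routines:SSL3_READ_BYTES:sslv3 alert bad certificate")

# Pre-3.0 OpenSSL packs errors as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts read from the peer

# Subset of SSL 3.0 / TLS alert descriptions that concern certificates.
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")


def decode(code):
    """Split a packed code into library, function and reason numbers."""
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}


def explain(line):
    """Decode one mod_ssl error line; return None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dec, hexcode = int(m.group(1)), int(m.group(2), 16)
    if dec != hexcode:
        raise ValueError("decimal and hex forms of the error code disagree")
    info = decode(hexcode)
    info["peer_alert"] = None
    if info["lib"] == ERR_LIB_SSL and info["reason"] > SSL_AD_REASON_OFFSET:
        number = info["reason"] - SSL_AD_REASON_OFFSET
        info["peer_alert"] = (number, ALERTS.get(number, "unknown"))
    return info


if __name__ == "__main__":
    print(explain(SAMPLE))
```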
