httpd-users mailing list archives

From "Howard Wong" <Howard.W...@thespigroup.com>
Subject [users@httpd] Apache w/ mod_ssl: Trouble authenticating Verisign Class 1 Individual Subscriber client certificates
Date Wed, 17 Oct 2007 20:39:47 GMT
Hi,

Situation:
We received 2 certificates from a client trying to communicate with our server:
1) the client certificate - Issued by VeriSign Class 1 individual Subscriber CA - G2
2) the VeriSign Class 1 CA Certificate - Issued by Class 1 Public Primary Certification Authority

I generated hashed symlinks for both these certificates in the folder specified by SSLCACertificatePath.
I restarted my Apache server and my server fails to authenticate my client.  

What bothers me is that I have never encountered this issue whenever I've had to import in
Class 3 VeriSign client certificates into Apache.  Am I missing something in my Apache/mod_ssl
configuration?

Below are the details of our server setup as well as the error_log file of what is failing
in mod_ssl.
  
Machine Setup:
Apache/1.3.37 (Linux) mod_jk/1.2.20 mod_ssl/2.8.28 OpenSSL/0.9.8d

Our server performs client authentication with the following settings in our httpd.conf file:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+TLSv1:+SSLv2:+EXP:+eNULL

<Location />        
SSLOptions +StdEnvVars +ExportCertData        
SSLVerifyClient require        
SSLVerifyDepth 4
</Location>

SSLCACertificatePath -> path to a folder containing hashed symlinks of our client CA certs
SSLCARevocationPath -> path to a folder containing hashed symlinks of our client CA CRLs


Apache error_log:

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Thanks in advance for any help that can be provided.

Howard Wong
Intermediate Software Developer
The SPi Group Inc.
Enabling Energy Markets
howard.wong@thespigroup.com
Tel: 416.408.1395 ext. 264 Fax: 416.408.1396
154 University Avenue, Suite 300, Toronto, ON, Canada, M5H 3Y9
www.thespigroup.com
___________________________________________________________
This e-mail message is intended only for the person(s) named above 
and may contain confidential or privileged information. If you are not the
person named or have received this message in error, please notify the
sender immediately and delete this e-mail and any attachments without
reading, saving, or forwarding. 
___________________________________________________________
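
Added example, not part of the original message: Error (20) in the log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, meaning some certificate in the client's chain has no issuer in the trusted store. The sketch below walks a hashed CA directory from the client certificate's issuer upward and reports the first hash with no matching entry; the function names and the two command-line arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): locate the first missing issuer
# in a hashed CA directory such as the one SSLCACertificatePath points to.

# list_links DIR: print "subject_hash issuer_hash filename" for every hashed
# certificate entry (HHHHHHHH.N) in DIR. CRL entries (HHHHHHHH.rN) do not match.
list_links() {
    for f in "$1"/*.[0-9]; do
        [ -e "$f" ] || continue
        hashes=$(openssl x509 -in "$f" -noout -subject_hash -issuer_hash) || continue
        echo $hashes "$(basename "$f")"
    done
}

# first_gap START_HASH: read list_links output on stdin and follow issuer
# hashes upward from START_HASH. Prints "root FILE" (status 0) when the walk
# ends at an entry whose subject and issuer hashes are equal (self-signed),
# or "missing HASH" (status 1) for the first issuer that has no entry.
first_gap() {
    want=$1 links=$(cat) depth=0
    while [ "$depth" -lt 10 ]; do
        # Append "" to force string comparison: hashes such as 0e123456
        # would otherwise compare equal as numbers in awk.
        line=$(printf '%s\n' "$links" |
               awk -v h="$want" '($1 "") == (h "") { print; exit }')
        if [ -z "$line" ]; then
            echo "missing $want"
            return 1
        fi
        set -- $line            # $1 subject hash, $2 issuer hash, $3 file
        if [ "$1" = "$2" ]; then
            echo "root $3"
            return 0
        fi
        want=$2 depth=$((depth + 1))
    done
    echo "loop $want"
    return 2
}

# Usage: sh check-chain.sh CLIENT_CERT.pem CA_DIR
if [ "$#" -eq 2 ]; then
    start=$(openssl x509 -in "$1" -noout -issuer_hash) || exit 1
    list_links "$2" | first_gap "$start"
fi
```

Run it with the same OpenSSL build the server is linked against, because the subject-hash algorithm changed in OpenSSL 1.0.0 and symlinks hashed by one generation are not found by the other.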

