httpd-users mailing list archives

From Dan Osterrath <Dan.Osterr...@gmx.de>
Subject Re: [users@httpd] SSLVerifyClient with IE7
Date Wed, 05 Mar 2008 15:30:45 GMT

I tried to merge the two different CA certificate files and added
OptRenegotiate to the directory's SSL options - without any success.
Here's the new httpd.conf part:

    SSLEngine on
    SSLProtocol +SSLv3
    SSLCipherSuite HIGH:MEDIUM:SSLv3
    SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/mydomain.ca-bundle
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    <Directory  "/var/www/public/htdocs/protected">
      SSLVerifyClient optional
      SSLVerifyDepth 5
      SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData +OptRenegotiate
    </Directory>

Any suggestions what's the problem with IE7?


Dan Osterrath wrote:
> 
> I've set up an https site with Apache 2.0.52, mod_ssl 2.0.52 and OpenSSL
> 0.9.7a (Red Hat Enterprise Linux ES release 4 (Nahant Update 4)). A
> special directory should be optionally authenticated via client certificate.
> This works with Firefox, Netscape, IE6 but not with IE7 (Windows XP SP2
> and Windows Vista).
> 
> When trying to access the page with IE7 the browser lets me choose the
> client certificate but then shows the error message "The browser can not
> connect to the site.". In the log files of the server there's only 1 new
> line:
> 
>     [error] Re-negotiation handshake failed: Not accepted by client!?
> 
> Here's the httpd.conf part for SSL:
> 
>     SSLEngine on
>     SSLProtocol +SSLv3
>     SSLCipherSuite HIGH:MEDIUM:SSLv3
>     SSLCertificateFile /etc/httpd/conf/ssl.crt/mydomain.crt
>     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mydomain.key
>     SSLCACertificateFile /etc/httpd/conf/ssl.crt/mydomain.ca-bundle
>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> 
>     <Directory  "/var/www/public/htdocs/protected">
>       SSLVerifyClient optional
>       SSLVerifyDepth 5
>       SSLCACertificateFile /etc/httpd/conf/protected/ssl.crt
>       SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData
>     </Directory>
> 
> Any suggestions?
> 

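Added example, not part of the original message or of Apache httpd: mod_ssl documents that `SSLVerifyClient` in per-directory context forces an SSL renegotiation after the HTTP request has been read, which is the step the logged "Re-negotiation handshake failed" error refers to. The sketch below lists the places where a configuration does this; the function names are hypothetical, and the sample is the configuration from the message with the mail-wrapped `SetEnvIf` line assumed to be a backslash continuation.

```python
import re

# Sections whose directives are evaluated per request, after the TLS handshake.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}

# Constructed sample: an excerpt of the configuration quoted in the message.
SAMPLE = r'''
SSLEngine on
SSLCACertificateFile /etc/httpd/conf/ssl.crt/mydomain.ca-bundle
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
<Directory "/var/www/public/htdocs/protected">
  SSLVerifyClient optional
  SSLVerifyDepth 5
  SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData +OptRenegotiate
</Directory>
'''

def logical_lines(text):
    """Yield (first_line_number, directive_text), joining backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf, first, start = "", start, None
        if line and not line.startswith("#"):
            yield first, line

def renegotiation_points(text):
    """Return (line, section, argument) for each SSLVerifyClient set per directory."""
    stack, found = [], []
    for no, line in logical_lines(text):
        if m := re.match(r"</(\w+)", line):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
        elif m := re.match(r"<(\w+)\s*(.*?)>\s*$", line):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
        elif line.split()[0].lower() == "sslverifyclient":
            scope = next((s for s in reversed(stack) if s[0] in PER_DIR), None)
            if scope:
                found.append((no, f"{scope[0]} {scope[1]}", line.split()[1]))
    return found

if __name__ == "__main__":
    for hit in renegotiation_points(SAMPLE):
        print("renegotiation on request: line %d, <%s>, SSLVerifyClient %s" % hit)
```

An empty result means client verification is only configured at server or virtual-host level, where the certificate request is part of the initial handshake.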