From: Plot Lost
To: users@httpd.apache.org
Date: Wed, 17 Nov 2010 08:12:03 +0400
Subject: [users@httpd] SSL client certificates

I'm using client certificates to control access to specific sections of a site.

The relevant parts of the config include:

    SSLVerifyClient none
    SSLCACertificateFile "/home/apache/certs/client_ca.crt"

in the main part of the ssl config, and then

    SSLVerifyClient require
    SSLVerifyDepth 1

in the location section that covers that part of the site that certificates are needed for.

This appears to be working, but I am getting unwanted entries in the error log.

For example, when connecting from Chrome I get:

    [Wed Nov 17 03:54:17 2010] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?

When connecting from IE I get:

    [Wed Nov 17 03:51:57 2010] [error] [client x.x.x.x] Re-negotiation handshake failed: Not accepted by client!?
    [Wed Nov 17 03:52:05 2010] [error] [client x.x.x.x] insecure SSL re-negotiation required, but a pipelined request is present; keepalive disabled

Is there anything I can do to stop these happening? The connections do seem to be working in that when you go to the relevant URL the browsers do prompt for a certificate selection, and once that is done they are able to browse the site.

If there is nothing that can stop these errors, is there something that can be done to stop them from being logged - would rather not have the error log filling up with something that does actually seem to be working.

This is using Apache 2.2.15 and OpenSSL 0.9.8l
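
Added example (not part of the original message, and not a configuration from the poster or the Apache project): mod_ssl forces a renegotiation when a per-location SSLVerifyClient is stricter than the server-wide setting, so one way to avoid the renegotiation is to request the certificate in the initial handshake and enforce it per location with SSLRequire. The host name, the server certificate paths and the /secure location are placeholders; only the client CA path is taken from the message above.

```apache
# Added illustration. www.example.com, /path/to/server.* and /secure are
# placeholders, not values from the original message.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # CA that signs the client certificates (path as given in the message)
    SSLCACertificateFile "/home/apache/certs/client_ca.crt"

    # Request a client certificate during the initial handshake, but let
    # clients without one connect. Because the request happens up front,
    # no later renegotiation is needed to obtain the certificate.
    # Caveat: browsers holding a matching certificate may prompt on the
    # first connection to this virtual host, not only under /secure.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /secure>
        # Deliberately no SSLVerifyClient or SSLVerifyDepth here: changing
        # either per location is what triggers the renegotiation.
        # Enforce the certificate as an access-control check instead.
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Clients that connect without a certificate get SSL_CLIENT_VERIFY set to NONE and are refused under /secure with a 403, while the rest of the site stays reachable.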