httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan Brown" <>
Subject [users@httpd] SSL Client Authentication Problem
Date Wed, 29 Dec 2010 01:07:23 GMT
[ REPOST: I apologise for all the blank lines in the above post ]
Hi all,
I am working in a test environment with Apache v2.2.14 on XP Pro SP3 and I
have experienced difficulties setting up SSL Client Authentication.

I have used the openssl command line tool to set up my private key, server
certificate, and a certificate authority, and I have configured the
httpd-ssl.conf file. All works as expected, except when I try to configure
SSL Client Authentication. All browsers report an error and are unable to
establish an SSL session, eg with Firefox :-

Secure Connection Failed
An error occurred during a connection to myhost_1.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)

(myhost_1 is configured as in hosts file)

In the config which works I have :-

<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
#SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
#SSLVerifyClient require
#SSLVerifyDepth  10

When I uncomment the lines to configure SSL Client Authentication then I get
the above errors. The browser is supposed to request which client
certificate the user wants to use, then I can select the one I created and
signed with ca.crt, which I have set as a trusted CA in the browser.

My Apache server has the following identifier (from HTTP Response header) :-
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4

The openssl version I am using is also 0.9.8l (l for 'link').

Here are the openssl commands I used :-

openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -x509 -days 60 -out ca.crt
openssl genrsa -out server.key 1024
openssl req -new -key server.key  -days 90 -out server.csr
openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey
ca\ca.key -out server.crt
openssl genrsa -out client_a.key 1024
openssl req -new -key client_a.key  -days 90 -out client_a.csr
openssl x509 -req -in client_a.csr -set_serial 451470 -CA
..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt

I have carefully studied all documentation and I just wonder why this is not
working - have I misunderstood something or is there possibly a bug?

Thank you in advance for any advice.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message