httpd-users mailing list archives

From g f <gfo...@gmail.com>
Subject Re: [users@httpd] SSL library error 1 in handshake
Date Tue, 18 Jan 2011 15:36:20 GMT
Hello Martin,
thanks for the reply.
I have those directives already and it all works until I add:
*SSLVerifyClient require*

I changed this directive to *optional* and it seems to work now, though I am
not so confident in this configuration.
I wonder if there is a way to pass the client cert through to the python
proxy?

Thanks,
G40

On Tue, Jan 18, 2011 at 9:30 AM, Martin Kuba <makub@ics.muni.cz> wrote:

> Hi G40,
>
> the "SSLVerifyClient require" requires that the client presents a
> certificate.
> You have to configure also the list of Certification Authorities that
> the server accepts by the following directives:
>
>  SSLCACertificatePath /etc/ssl/certs/
> or
>  SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
>
> If the client certificate is not signed by a root CA, but by some
> intermediate CA,
> which may be in turn signed by another intermediate CA, etc., you need also
> to set the value for SSLVerifyDepth to the highest length of the
> certificate chain
> that the client may provide.
>
> The "Allow" directives play no role in this, because the error you have got
> happened during the SSL handshake, which is sooner than the Allow
> directives are applied.
>
> Martin
>
> On 18.1.2011 16:16, g f wrote:
>
>> Hello all,
>> I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29.
>> I use mod_jk as well as mod_auth_kerb module for apache. Apache and the
>> modules are debian repository packages.
>>
>> I recently attempted to activate common access cards and if I just
>> activate them but do not force them it works great.
>> Once I force access cards, I get the following error and my web-apps
>> break.
>>
>> Force access cards via:
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>>
>> info level logging error.log:
>> [Tue Jan 18 14:47:07 2011] [info] [client 127.0.1.1] SSL library error 1
>> in handshake (server myserver.xxx.xxx.xxx:443)
>> [Tue Jan 18 14:47:07 2011] [info] SSL Library Error: 336105671
>> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return
>> a certificate No CAs known to server for verification?
>>
>> The web-app that throws this message uses a python proxy to make an ajax
>> call to a different web context (we do this to avoid the cross site error).
>> I believe what is happening is that the python script [client 127.0.1.1]
>> is making the request to apache without valid client certs and hence is
>> getting denied.
>> I have a directive in apache2_home/sites-enabled/default-ssl conf file
>> that I had hoped would solve this issue (however it does not).
>> directive in default-ssl conf file
>> Allow from localhost
>> Allow from 127.0.1.1
>> Allow from 127.0.0.1
>>
>> Is there a solution to this issue?
>> Perhaps a way to not require client cert from localhost?
>> Thanks for any advice, much appreciated!
>>
>> Cheers,
>>  G40
>>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Supercomputing Center Brno             Martin Kuba
> Institute of Computer Science    email: makub@ics.muni.cz
> Masaryk University             http://www.ics.muni.cz/~makub/
> Botanicka 68a, 60200 Brno, CZ     mobile: +420-603-533775
> --------------------------------------------------------------
>
>
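
As an added illustration of Martin's answer (example configuration written for this archive page, not taken from the thread or from the httpd project), the first vhost fragment reproduces the failing setup: a certificate is demanded but mod_ssl is given no CA list to verify it against, and the Allow directives cannot help because they are evaluated after the handshake. The second fragment names the accepted CAs, sizes SSLVerifyDepth to the chain, and goes one step beyond the thread by requiring the certificate only in the browser-facing Location rather than for the whole vhost; certificate paths and the /app path are assumptions.

```apache
# Failing setup as described in the thread: the client is asked for a
# certificate, but the server has no CA list to verify it against, so the
# handshake aborts with "peer did not return a certificate" /
# "No CAs known to server for verification?".
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/server.key    # assumed path
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Host-based access control runs only after the TLS handshake has
    # succeeded, so these lines cannot exempt the local proxy from the
    # certificate requirement.
    <Location /app>                                      # assumed path
        Order allow,deny
        Allow from 127.0.0.1 127.0.1.1
    </Location>
</VirtualHost>

# Corrected setup: name the CAs whose client certificates are accepted and
# set the depth to the longest chain a client may present (client cert
# signed by an intermediate that is signed by a known root needs depth 2).
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/server.key    # assumed path
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca-bundle.crt
    SSLVerifyDepth  2
    # Vhost default: request a certificate, verify it if one is presented,
    # but do not fail the handshake when none is sent.
    SSLVerifyClient optional
    # Enforce a verified certificate only for the browser-facing context;
    # the context the local python proxy calls stays under the vhost default.
    <Location /app>                                      # assumed path
        SSLVerifyClient require
    </Location>
</VirtualHost>
```

With the per-Location form, mod_ssl renegotiates the connection when a request enters /app, so the error log shows a verification failure for that path rather than a failed initial handshake for every request.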
