httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andre Kutz <>
Subject [users@httpd] Getting re-negotiation errors with client certificate
Date Tue, 22 Nov 2011 18:49:57 GMT
I am getting client certificate errors in the Apache error log:

[Tue Nov 22 10:06:49 2011] [error] [client] Re-negotiation
handshake failed: Not accepted by client!?
[Tue Nov 22 10:06:49 2011] [error] [client] Re-negotiation
request failed
[Tue Nov 22 10:06:49 2011] [error] SSL Library Error: 336126196
error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
Error reading S/MIME message
18150:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
18150:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
Error reading S/MIME message
18153:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
18153:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1

The relevant portion of the Apache configuration is this:

  SSLCACertificateFile /etc/mdm/client-ca-certs.pem

  SSLOptions +FakeBasicAuth +StrictRequire +StdEnvVars +OptRenegotiate
  SSLInsecureRenegotiation on
  SSLVerifyClient none

  <LocationMatch /device.*/checkin>
    SSLOptions +ExportCertData +OptRenegotiate
    SSLVerifyClient require
    SSLVerifyDepth 5

I have mobile devices running iOS 5 (iPhones and iPads) that have 
registered with a mobile-device management (MDM) service I am running. 
All these devices have client-certificates that were issued when they 
enrolled in the MDM service.

Even though I see these error messages, Apache *does* allow the devices 
to access the /checkin URL. But I want to understand what the error 
messages mean.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message