#1: SSLCACertificateFile getting ignored when I use a Location directive

Posted on 2010-07-22 18:07:06 by John Carpenter

Hello,

Adding <Location> around SSLVerifyClient and SSLVerifyDepth is causing my mutual authentication to fail with a ssl_error_handshake_failure_alert message. I can't seem to determine what might be causing this. I'll just jump right to the code below:

[WORKS]

Excerpting my httpd.conf:

<VirtualHost _default_:443>
 DocumentRoot "<path edited>/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "<path edited>/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "<path edited>/Cert/ssl.key/server.key"
 SSLCACertificateFile "<path edited> Cert/ca.cer"
  SSLVerifyClient required
  SSLVerifyDepth 1
 <truncated>

The above works like a charm. The only problem is it works EVERYWHERE I use 443 ... which is as expected. So when I add my <Location> directive as below I get the Error code: ssl_error_handshake_failure_alert. Though it properly triggers this error on requests to the specified location. So I know that part is being picked up properly. Does anybody know what can be causing this? This seems to be how it was behaving before I added in the SSLCACertificateFile information. Could the Location tag be causing the server to somehow ignore my SSLCACertificateFile?

[DOESN'T WORK]: Error code: ssl_error_handshake_failure_alert

<VirtualHost _default_:443>
 DocumentRoot "<path edited>/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "<path edited>/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "<path edited>/Cert/ssl.key/server.key"
 SSLCACertificateFile "<path edited> Cert/ca.cer"
 <Location /logonWithCertificate>
  SSLVerifyClient required
  SSLVerifyDepth 1
 </Location>

<truncated>

Thanks in advance for any insight.

-John


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
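
Added example, not part of the original post or of mod_ssl: a small parser that reports the context each SSLVerifyClient directive sits in for the two excerpts above. mod_ssl requests the client certificate during the initial handshake when the directive is in virtual-host context, and forces a renegotiation after reading the request when it is in per-directory context such as <Location>; the sample configs are constructed from the post and the function name is hypothetical.

```python
import re

# Constructed from the two httpd.conf excerpts in the post, trimmed to the
# directives that matter here; the CA path is a placeholder.
WORKS = """\
<VirtualHost _default_:443>
  SSLEngine on
  SSLCACertificateFile "Cert/ca.cer"
  SSLVerifyClient required
  SSLVerifyDepth 1
</VirtualHost>
"""
FAILS = """\
<VirtualHost _default_:443>
  SSLEngine on
  SSLCACertificateFile "Cert/ca.cer"
  <Location /logonWithCertificate>
    SSLVerifyClient required
    SSLVerifyDepth 1
  </Location>
</VirtualHost>
"""

# Sections that put a directive into per-directory context.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</(\w+)>")

def verify_client_contexts(conf):
    """Return (level, enclosing section, when the cert is requested)."""
    stack, found = [], []
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.fullmatch(line):
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
        elif m := OPEN.fullmatch(line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif line.split()[0].lower() == "sslverifyclient":
            per_dir = any(name in PER_DIR for name, _ in stack)
            section = " ".join(stack[-1]).strip() if stack else "server config"
            when = "renegotiation" if per_dir else "initial handshake"
            found.append((line.split()[1], section, when))
    return found

if __name__ == "__main__":
    for label, conf in (("WORKS", WORKS), ("DOESN'T WORK", FAILS)):
        print(label, verify_client_contexts(conf))
```
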
