Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

sqldatasource dal, wwwxxxenden, convert raid5 to raid 10 mdadm, apache force chunked, nrao wwwxxx, xxxxxdup, procmail change subject header, wwwXxx not20, Wwwxxx.doks sas, linux raid resync after reboot

Links

XODOX
Impressum

#1: SSLCACertificateFile getting ignored when I use a Location directive

Posted on 2010-07-22 18:07:06 by John Carpenter

--0-790917700-1279814826=:90633
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello, Adding <Location> around SSLVerifyClient and SSLVerifyDep=
th is causing my mutual =0Aauthentication to fail with a ssl_error_handshak=
e_failure_alert message.  =A0 I =0Acan't seem to determine what might b=
e causing this.   I'll just jump right to =0Athe code below: =0A[W=
ORKS] Excerpting my httpd.conf: <VirtualHost _default_:443>=0A=
=A0DocumentRoot "<path edited>/htdocs"  SSLEngine on  SSLCipherSuit=
e ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+e NULL  SSL=
CertificateFile "<path edited>/Cert/ssl.crt/server.crt"  SSLCertificate=
KeyFile "<path edited>/Cert/ssl.key/server.key"  SSLCACertificateFile "=
<path edited> Cert/ca.cer"  =A0SSLVerifyClient required  =A0SSLVeri=
fyDepth 1  <truncated> The above works like a charm.  =A0 The=
only problem is it works EVERYWHERE I use =0A443 ... which is as expected.=
  =A0 So when I add my <Location> directive as below =0AI get the Error=
code: ssl_error_handshake_failure_alert.     Though it properly =
=0Atriggers this error on requests to the specified location.  =A0 So I=
know that =0Apart is being picked up properly.  =A0 Does anybody know =
what can be causing =0Athis?    =A0 This seems to be how it was beh=
aving before I added in the =0ASSLCACertificateFile=A0information.  =A0=
Could the Location tag be causing the =0Aserver to somehow ignore my SSLCA=
CertificateFile?  =A0 [DOESN'T WORK]=A0:   Error code: =
ssl_error_handshake_failure_alert  =0A<VirtualHost _default_:443>  =
DocumentRoot "<path edited>/htdocs"  SSLEngine on  SSLCipherSuite A=
LL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eN ULL  SSLCer=
tificateFile "<path edited>/Cert/ssl.crt/server.crt"  SSLCertificateKey=
File "<path edited>/Cert/ssl.key/server.key"  SSLCACertificateFile "<pa=
th edited> Cert/ca.cer"  <Location /logonWithCertificate>    SS=
LVerifyClient required  =A0SSLVerifyDepth 1  </Location>  =0A<t=
runcated> Thanks in advance for any insight. -John =

--0-790917700-1279814826=:90633
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

<html><head><style type=3D"text/css"><!-- DIV {margin:0px;} --></style></he=
ad><body><div style=3D"font-family:times new roman, new york, times, serif;=
font-size:12pt"><DIV>&nbsp;</DIV>=0A<DIV style=3D"FONT-FAMILY: times new ro=
man, new york, times, serif; FONT-SIZE: 12pt">=0A<DIV style=3D"FONT-FAMILY:=
times new roman, new york, times, serif; FONT-SIZE: 12pt">=0A<DIV style=3D=
"FONT-FAMILY: times new roman, new york, times, serif; FONT-SIZE: 12pt">=0A=
<DIV>Hello,</DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>Adding &lt;Location&gt; around=
SSLVerifyClient and SSLVerifyDepth is causing my mutual authentication to =
fail with a ssl_error_handshake_failure_alert message.&nbsp;&nbsp;&nbsp; I =
can't seem to determine what might be causing this.&nbsp;&nbsp; I'll just j=
ump right to the code below:</DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>&nbsp;</DIV>=
=0A<DIV>[WORKS]</DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>Excerpting my httpd.conf: =
</DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>&lt;VirtualHost _default_:443&gt;<BR>&nbs=
p;DocumentRoot "&lt;path edited&gt;/htdocs"<BR>&nbsp;SSLEngine on<BR>&nbsp;=
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+e =
NULL<BR>&nbsp;SSLCertificateFile "&lt;path edited&gt;/Cert/ssl.crt/server.c=
rt"<BR>&nbsp;SSLCertificateKeyFile "&lt;path edited&gt;/Cert/ssl.key/server=
..key"<BR>&nbsp;SSLCACertificateFile "&lt;path edited&gt; Cert/ca.cer"<BR>&n=
bsp;&nbsp;SSLVerifyClient required<BR>&nbsp;&nbsp;SSLVerifyDepth 1<BR>&nbsp=
;&lt;truncated&gt; </DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>The above works like a=
charm.&nbsp;&nbsp;&nbsp; The only problem is it works EVERYWHERE I use 443=
... which is as expected.&nbsp;&nbsp;&nbsp; So when I add my &lt;Location&=
gt; directive as below I get the Error code: ssl_error_handshake_failure_al=
ert.&nbsp;&nbsp;&nbsp;&nbsp; Though it properly triggers this error on requ=
ests to the specified location.&nbsp;&nbsp;&nbsp; So I know that part is be=
ing picked up properly.&nbsp;&nbsp;&nbsp; Does anybody know what can be cau=
sing this?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This seems to be how it was behavi=
ng before I added in the SSLCACertificateFile&nbsp;information.&nbsp;&nbsp;=
&nbsp; Could the Location tag be causing the server to somehow ignore my SS=
LCACertificateFile?&nbsp;&nbsp;&nbsp; </DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>&nb=
sp;</DIV>=0A<DIV>[DOESN'T WORK]&nbsp;:&nbsp;&nbsp; <FONT color=3D#ff0000>Er=
ror code: ssl_error_handshake_failure_alert</FONT></DIV>=0A<DIV><FONT color=
=3D#ff0000></FONT>&nbsp;</DIV>=0A<DIV>&lt;VirtualHost _default_:443&gt;<BR>=
&nbsp;DocumentRoot "&lt;path edited&gt;/htdocs"<BR>&nbsp;SSLEngine on<BR>&n=
bsp;SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EX=
P:+eNULL<BR>&nbsp;SSLCertificateFile "&lt;path edited&gt;/Cert/ssl.crt/serv=
er.crt"<BR>&nbsp;SSLCertificateKeyFile "&lt;path edited&gt;/Cert/ssl.key/se=
rver.key"<BR>&nbsp;SSLCACertificateFile "&lt;path edited&gt; Cert/ca.cer"<B=
R>&nbsp;<FONT color=3D#ff0000> </FONT><FONT color=3D#0080ff>&lt;Location /l=
ogonWithCertificate&gt;</FONT>&nbsp;</DIV>=0A<DIV>&nbsp;&nbsp;SSLVerifyClie=
nt required<BR>&nbsp;&nbsp;SSLVerifyDepth 1</DIV>=0A<DIV>&nbsp;<FONT color=
=3D#0080ff>&lt;/Location&gt;</FONT><BR>&nbsp;</DIV>=0A<DIV>&lt;truncated&gt=
; </DIV>=0A<DIV>&nbsp;</DIV>=0A<DIV>Thanks in advance for any insight. </DI=
V>=0A<DIV>&nbsp;</DIV>=0A<DIV>-John</DIV></DIV><BR>=0A<META content=3Don ht=
tp-equiv=3Dx-dns-prefetch-control></DIV></DIV></div><br> =
</body></html>
--0-790917700-1279814826=:90633--

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Report this message