Client authentication fails - why (oh why) ?

on 18.06.2002 18:15:28 by Renne Tergujeff

Hello all,
After studying various guides and mail archives for days and days, with no
luck, I'm now turning to you.
I would really appreciate some advice -- any advice. Thanks in advance!

Case & situation:

I need to arrange SOAP connection with both client and server side
authentication. Currently using Tomcat 4.0.3, Apache 1.3.22, OpenSSL 0.9.6c
and mod_ssl 2.8.8. Plus Apache SOAP 2.3. And it's working, as long as I
only require server authentication. The server certificate is certified by
a CA, which is created by myself. The CA certificate is in the client's
keystore and thus the server certificate offered by the server is
recognized. Nice and fine.

Problem:

A client certificate has been certified by the same aforementioned,
self-made CA. This certificate is in the client keystore. Apache/modssl
correctly sends the CA certificate to the client in the SSL
CertificateRequest phase. AFAIK, this should result in the client
certificate being accepted. The problem of course is, it never does that.


Some data:

* The client is Win NT 4, the server is Redhat Linux.

* The error message in ssl_engine_log is:
  OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

* httpd.conf includes:
  SSLCertificateFile    [the_correct_path_to]/server.crt
  SSLCertificateKeyFile [the_correct_path_to]/server.key
  SSLCACertificateFile  [the_correct_path_to]/cacert.pem
  SSLVerifyClient       require
  SSLVerifyDepth        1

* Because the client authentication fails, the server closes the connection,
which at the client side results in:
  Exception while waiting for close
  java.net.SocketException: Cannot send after socket shutdown: JVM_recv in socket input stream read

* Some pondering follows... As far as I understand, having the client
certificate in the server keystore is not necessary, as Apache/modssl sends
the CA certificate pointed to in SSLCACertificateFile directive. Am I right
in that? At least doing so didn't improve the situation. In fact, I don't
think Apache looks into the keystore at all... how about that, am I right
there? :-) And how about this: does it matter where I create the client
certificate, on the server or on the client -- as long as I fill in the
same data? And finally: besides the obvious(?) PEM/DER format differences,
does it matter if I use openssl or keytool for certificate creation etc.?


Now I'd cross my fingers if I did that -- hoping for some replies.
Thank you and have a nice day,

Renne Tergujeff
VTT Information Technology
Espoo, Finland

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
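The server-side message quoted in the post ("peer did not return a certificate") means the client sent no certificate at all, so the two things worth checking locally are whether the client certificate actually chains to the CA named in SSLCACertificateFile (the check mod_ssl performs under SSLVerifyClient require with SSLVerifyDepth 1) and whether the client's keystore entry carries the private key alongside the certificate, since a certificate-only entry cannot answer a CertificateRequest. The script below is an added example and not part of the original post or of mod_ssl; it builds a throwaway CA and client certificate with openssl and runs those checks against them. All file names, subject names and the password are constructed for the example, openssl is assumed to be on PATH, and importing the resulting PKCS#12 bundle into the Java keystore is left outside the script.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce locally the chain check
# that mod_ssl applies under "SSLVerifyClient require" / "SSLVerifyDepth 1",
# using a throwaway CA and client certificate generated here. All names, paths
# and the password are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/cacert.pem"          # stands in for SSLCACertificateFile
CA_KEY="$WORK/cakey.pem"
GOOD_CERT="$WORK/client.crt"        # signed by the CA: what the server must see
GOOD_KEY="$WORK/client.key"
SELF_CERT="$WORK/selfsigned.crt"    # same subject, but self-signed: chains to nothing
P12="$WORK/client.p12"
P12_PASS="changeit"                 # constructed password for the example bundle

# 1. Throwaway CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1

# 2. Client key + CSR, signed by that CA (depth 1: CA -> client).
openssl req -newkey rsa:2048 -nodes -subj "/CN=good-client" \
  -keyout "$GOOD_KEY" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
  -CAcreateserial -days 1 -out "$GOOD_CERT" >/dev/null 2>&1

# 3. A certificate with the same subject data but generated on its own
#    (not signed by the CA). Identical subject fields do not make it acceptable.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=good-client" \
  -keyout "$WORK/selfsigned.key" -out "$SELF_CERT" >/dev/null 2>&1

# 4. Bundle private key + certificate + CA into one PKCS#12 file. A keystore
#    entry holding only the certificate (no private key) cannot be used to
#    answer a CertificateRequest; the key must travel with the certificate.
openssl pkcs12 -export -inkey "$GOOD_KEY" -in "$GOOD_CERT" -certfile "$CA_CERT" \
  -name client -passout "pass:$P12_PASS" -out "$P12" >/dev/null 2>&1

# Prints one DN field ("subject" or "issuer") of a certificate, label stripped.
dn_field() {  # $1 = subject|issuer, $2 = certificate file
  openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# "ok" when the certificate's issuer equals the CA's subject, else "fail".
# This is the name comparison a client makes when choosing which certificate
# to send in response to the CA names advertised in CertificateRequest.
issuer_matches_ca() {  # $1 = CA cert, $2 = client cert
  if [ "$(dn_field subject "$1")" = "$(dn_field issuer "$2")" ]; then
    echo ok
  else
    echo fail
  fi
}

# "ok" when the certificate verifies against the CA file, else "fail".
# Equivalent to the server-side check behind SSLCACertificateFile.
verify_against_ca() {  # $1 = CA cert, $2 = client cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# "ok" when the PKCS#12 file opens with the password and contains a private key.
p12_has_key() {  # $1 = .p12 file, $2 = password
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
       | grep -q 'PRIVATE KEY'; then
    echo ok
  else
    echo fail
  fi
}

echo "good cert, issuer match  : $(issuer_matches_ca "$CA_CERT" "$GOOD_CERT")"
echo "good cert, verify        : $(verify_against_ca "$CA_CERT" "$GOOD_CERT")"
echo "self-signed, issuer match: $(issuer_matches_ca "$CA_CERT" "$SELF_CERT")"
echo "self-signed, verify      : $(verify_against_ca "$CA_CERT" "$SELF_CERT")"
echo "PKCS#12 carries key      : $(p12_has_key "$P12" "$P12_PASS")"
```

Run against real files by pointing CA_CERT at the file named in SSLCACertificateFile and GOOD_CERT at the certificate exported from the client keystore: if verify_against_ca reports "fail" the server will reject the certificate regardless of where it was generated, and if the keystore entry has no private key (the condition p12_has_key tests for a PKCS#12 bundle) the client will never offer it in the first place.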