[BugDB] Netscape always asking client certificate (PR#719)

on 18.06.2002 17:40:08 by modssl-bugdb

Full_Name: Thierry Pajot
Version: 2.8
OS: NT
Submission from: (NULL) (212.208.137.226)


I'm using mod_ssl on a 2.0.36 Apache Server on Windows NT.

In my configuration, clients who want to access a URL like "/cert" have to
present an X509 Client Certificate. Anything but "/cert" is not protected.

When using Netscape Communicator 4.75, with the following configuration,
Netscape asks me for a client certificate at each page !!! When I'm using Internet
Explorer 6 it works ok.

For testing, I have 2 certificates in my Netscape browser configuration so each
time a window is opened for me to choose which certificate I want to use.

This is my Apache configuration (sorry it's large) :

# begin
ServerName tpa.axe-dci.fr:88
Listen 193.56.53.65:88
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule setenvif_module modules/mod_setenvif.so
ServerRoot "C:/Apache2"
PidFile conf/apache-wapis.pid
ServerSignature Off
ServerTokens Full
UseCanonicalName On
Timeout 300
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
MaxRequestsPerChild 0
ThreadsPerChild 50
ListenBackLog 511
HostnameLookups Off
ErrorLog logs/error-wapis.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %U %b %v %p \"%q\"" custom
CustomLog logs/access-wapis.log custom
LoadModule dciweb_module c:/pdci/dciweb/wapi/apache2/dciweb.dll
RepIni C:\pdci\dciweb\wapi\apache2
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog exec:C:/Apache2/conf/sslpsw-wapis.cmd
SSLSessionCache shm:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex sem
SSLRandomSeed startup file:C:\pdci\dciweb\wapi\apache2/dciweb.rnd
SSLRandomSeed connect file:C:\pdci\dciweb\wapi\apache2/dciweb.rnd
SSLLog logs/ssl_engine_log
SSLLogLevel warn
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile C:\pdci\dciweb\wapi\apache2/dciweb.crt
SSLCertificateKeyFile C:\pdci\dciweb\wapi\apache2/dciweb.key
SSLVerifyClient none

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile C:\pdci\dciweb\wapi\apache2/dciwebca.crt
SSLOptions +ExportCertData

TypesConfig conf/mime.types
DefaultType text/plain
DocumentRoot "c:/pdci/dciweb/wapi/apache2/pub/inetpubs"

AllowOverride None

Options None
SetHandler dci-requete



BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

# end

Note that with the following configuration, the same as the first but without the
, Netscape asks me for a client certificate only for the first page :

# begin
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile C:\pdci\dciweb\wapi\apache2/dciwebca.crt
SSLOptions +ExportCertData
# end

I think modifies something in the SSL layer which causes problems to
Netscape (but not IE).

I have tried to add SSLOptions +OptRenegotiate but it doesn't work better.

Any idea to help me ?

Thanks.

Thierry.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org