client certificate problems
On 11.01.2005 19:32:41 by john mcnicholas

In short, I'm working on duplicating a web site locally for testing and
I am unable to get client certificates to work here in my lab.
The "main/public" site is using apache 1.3.33 on OS X and is properly
configured for client certs, but I can't get this test configuration
to work. I am using "Apache 2.0.52" so that could be a factor.
(if necessary, I will try to reconfigure with 1.3.33)
The client browser is IE 6.x and what is odd is when I navigate to the
"main/public" site I am prompted to select a certificate, but when
I navigate to the "test" site IE 6.x just times out. For that reason
I am suspicious of the apache configuration but I can't be certain.
I tried with Firefox (1.0) and it also timed out. Firefox is
configured to "ask every time" for client cert selection and,
like IE, I am not prompted.
(I'm also suspicious as to why I can't select the client certificate
from the IE dialog for the test site - only the certificate for the
public site is listed.)
The virtual host configuration is listed below ("ssl.conf" was
unchanged for 2.0.52) and the error in the ssl.log is also listed
below. If anyone could offer any troubleshooting tips that would
be greatly appreciated.
Thanks for your time and assistance.
John
//-------------------------------------------------
Additional information:
Version: Apache/2.0.52
OS: Mac OS X 10.3.7
//-------------------------------------------------
// here is the log of the error:
[info] Initial (No.1) HTTPS request received for child 5 (server www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?
//-------------------------------------------------
// here is the virtual host info:
DocumentRoot "/some_directory/ssl_site"
ServerAdmin webmaster@testing.com
ServerName www.apollo.home
LogLevel warn
# LogLevel debug
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
CustomLog logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ErrorLog logs/apollo/443.error.log
DirectoryIndex "index.html"
#
# ssl stuff
#
SSLEngine On
SSLProtocol all -SSLv3
SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
#
#
LogLevel debug
ErrorLog "logs/apollo/ssl.log"
SSLOptions +StdEnvVars +ExportCertData
#----------------------------------------
#
# path to certificates and private key
#
SSLCertificateFile "/some_directory/openssl/servers/www.apollo.home.cert.pem"
SSLCertificateKeyFile "/some_directory/openssl/servers/www.apollo.home.key.unencrypted"
SSLCACertificateFile "/some_directory/openssl/private/CA-1.cert.pem"
SSLVerifyClient require
SSLVerifyDepth 3
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
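Two details of the posted vhost are worth a reviewer's attention, independently of whatever turns out to be wrong with the client-certificate prompt: "SSLProtocol all -SSLv3" leaves SSLv2 enabled while removing SSLv3 (an IE 6 with its default TLS 1.0 setting switched off can then only negotiate SSLv2, and SSLv2 has no renegotiation handshake, which is exactly what the ssl.log shows failing in OpenSSL's "SSLv2 read client hello" state), and the cipher list keeps eNULL, EXP and LOW ciphers reachable, because a leading "+" in an OpenSSL cipher string only moves matching ciphers to the end of the list; only "!" removes them. The following script is an added example, not code from the original post or from the mod_ssl project: it parses a flat httpd config fragment with mod_ssl's own SSLProtocol semantics (a bare keyword sets the list, "+" adds, "-" removes, "all" expands to SSLv2, SSLv3 and TLSv1 as it did in Apache 2.0) and reports settings a defender would flag. POSTED_VHOST is the SSL part of the configuration above with the line-wrap artefacts removed; HARDENED_VHOST is a constructed, hypothetical counterpart with SSLv2 dropped instead of SSLv3 and the weak cipher classes removed with "!". The cipher check is a keyword heuristic, not a full evaluation of OpenSSL's cipher-list grammar.

```python
import shlex
from typing import Dict, List, Set

# What "all" expanded to in the mod_ssl shipped with Apache 2.0.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# OpenSSL cipher-list keywords a reviewer wants removed with "!": a leading "+"
# only moves the matching ciphers to the end of the list, it does not drop them.
RISKY_CIPHER_TOKENS = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT40", "EXPORT56",
                       "LOW", "SSLv2", "RC4", "MD5"}

# Constructed sample 1: the SSL directives of the posted vhost, line wraps removed.
POSTED_VHOST = r'''
ServerName www.apollo.home
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
SSLEngine On
SSLProtocol all -SSLv3
SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
SSLOptions +StdEnvVars +ExportCertData
SSLCertificateFile "/some_directory/openssl/servers/www.apollo.home.cert.pem"
SSLCertificateKeyFile "/some_directory/openssl/servers/www.apollo.home.key.unencrypted"
SSLCACertificateFile "/some_directory/openssl/private/CA-1.cert.pem"
SSLVerifyClient require
SSLVerifyDepth 3
'''

# Constructed sample 2: a hypothetical hardened counterpart (not from the post).
HARDENED_VHOST = r'''
ServerName www.apollo.home
SSLEngine On
SSLProtocol all -SSLv2
SSLCipherSuite "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5"
SSLCertificateFile "/some_directory/openssl/servers/www.apollo.home.cert.pem"
SSLCertificateKeyFile "/some_directory/openssl/servers/www.apollo.home.key.unencrypted"
SSLCACertificateFile "/some_directory/openssl/private/CA-1.cert.pem"
SSLVerifyClient require
SSLVerifyDepth 3
'''


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Parse a flat httpd config fragment into {directive_lowercase: [args]}.
    Joins backslash continuations, skips comments; a later occurrence of the
    same directive overrides an earlier one, as httpd itself does."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    directives: Dict[str, List[str]] = {}
    for line in joined:
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours the double-quoted values
        directives[parts[0].lower()] = parts[1:]
    return directives


def enabled_protocols(directives: Dict[str, List[str]]) -> Set[str]:
    """Apply mod_ssl's SSLProtocol rules: with the directive present the list
    starts empty; a bare keyword sets it, "+" adds, "-" removes."""
    tokens = directives.get("sslprotocol")
    if not tokens:
        return set(ALL_PROTOCOLS)          # mod_ssl default is "all"
    enabled: Set[str] = set()
    for token in tokens:
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            versions = set(ALL_PROTOCOLS)
        elif name.lower() in _CANON:
            versions = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {token}")
        if op == "+":
            enabled |= versions
        elif op == "-":
            enabled -= versions
        else:
            enabled = versions
    return enabled


def risky_cipher_tokens(directives: Dict[str, List[str]]) -> List[str]:
    """Heuristic: risky cipher keywords present in SSLCipherSuite that are not
    removed with "!" (a "+"/"-" prefix or an "A+B" conjunction keeps them)."""
    spec = " ".join(directives.get("sslciphersuite", []))
    found: List[str] = []
    for element in spec.split(":"):
        element = element.strip()
        if not element or element.startswith("!"):
            continue
        for part in element.lstrip("+-").split("+"):
            if part in RISKY_CIPHER_TOKENS and part not in found:
                found.append(part)
    return found


def audit_vhost(text: str) -> List[str]:
    """Return the findings a defender would raise for one SSL vhost fragment."""
    d = parse_directives(text)
    findings: List[str] = []
    if d.get("sslengine", ["off"])[0].lower() != "on":
        return findings                     # plain-HTTP vhost: nothing to check
    if "SSLv2" in enabled_protocols(d):
        findings.append("SSLv2 is enabled (obsolete; no renegotiation handshake)")
    for tok in risky_cipher_tokens(d):
        findings.append(f"cipher list keeps {tok} (use !{tok} to remove it)")
    verify = d.get("sslverifyclient", ["none"])[0].lower()
    if verify != "none" and not (d.get("sslcacertificatefile") or d.get("sslcacertificatepath")):
        findings.append("SSLVerifyClient set but no SSLCACertificateFile/Path configured")
    if "sslcertificatefile" not in d:
        findings.append("SSLEngine on without SSLCertificateFile")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"{label}: protocols={sorted(enabled_protocols(parse_directives(cfg)))}")
        for finding in audit_vhost(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it as-is and the posted fragment reports SSLv2 enabled plus the RC4, LOW, SSLv2, EXP and eNULL keywords, while the hardened fragment reports nothing; feed it your own vhost text to check a lab copy before comparing it with the production server's configuration.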