Problems with Thawte freemail certificate and Apache

on 19.08.2002 14:01:26 by Dave Kelly

Hello,

I would appreciate any help on this please.

I am using Apache 1.3.23 on RedHat 7.3 with mod_ssl 2.8.7 and openssl
0.9.6b-28.
This web server provides access to our internal Bugzilla database.

I have set up a CA on my server using /usr/share/ssl/misc/CA.pl and I
issue browser certificates from it.

I have copied the CA certificate and appended it to
/etc/httpd/conf/ssl.crt/ca-bundle.crt.

I have the following configuration in httpd.conf:


Options ExecCGI FollowSymLinks
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_OU} in {"Support", "Bugzilla"}


I have also uncommented:

SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

in httpd.conf.

I generated an Apache server certificate using

make testcert

in /etc/httpd/conf so that the correct machine name was in the CN attribute.

This is all working fine. However, my colleague and I both have Thawte
freemail certificates installed and that's when we get a problem.

Using Mozilla with the configuration set to prompt for a certificate,
both the browser certificate and the Thawte certificate are displayed
with the Thawte certificate being listed first. If the configuration is
set to automatically select a certificate, the Thawte certificate is
chosen.
The behaviour is similar using IE.

The symptoms we see in Bugzilla are that we seem to be circulating
through the same 3-4 pages (depending upon what we choose).

The ssl_engine_log file shows:

[19/Aug/2002 12:35:23 01206] [error] Re-negotiation handshake failed: Not accepted by client!?
[19/Aug/2002 12:35:23 01206] [error] SSL error on writing data (OpenSSL library error follows)
[19/Aug/2002 12:35:23 01206] [error] OpenSSL: error:1409E0E5:lib(20):func(158):reason(229)

When we remove the Thawte certificate, everything works.

The Thawte certificate has no O or OU specified, so why do the browsers
find a match with it?

Cheers

Dave.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
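An added example, not from the original post or from mod_ssl itself: a small Python model of the two checks the configuration above involves. mod_ssl builds the list of acceptable CA names that the server sends in the TLS CertificateRequest from SSLCACertificateFile and SSLCACertificatePath, so once the internal CA is appended to the vendor ca-bundle.crt, the browser is told that Thawte-issued certificates are acceptable as well, auto-selects the first one it holds, and SSLRequire then rejects it because SSL_CLIENT_S_DN_OU is empty. All DNs, CA names, e-mail addresses and the rule below are constructed for illustration, and the evaluator covers only a subset of the SSLRequire syntax (`in`, `==`, `!=`, `and`, `or`, no parentheses).

```python
# Added example (not from the original post or from mod_ssl): a model of how a
# browser picks a client certificate from the server's advertised CA list and
# how mod_ssl's SSLRequire then judges that certificate. All data is constructed.
import re

# --- constructed sample data ---------------------------------------------
INTERNAL_CA = "/C=GB/O=Example Ltd/CN=Example Internal CA"          # hypothetical
THAWTE_CA = "/C=ZA/O=Thawte Consulting/CN=Thawte Personal Freemail CA"  # hypothetical

# Subject/issuer DNs in the one-line OpenSSL format that mod_ssl 2.8 exposes
# as SSL_CLIENT_S_DN / SSL_CLIENT_I_DN. The personal e-mail cert has no O/OU
# and is listed first, as in the post.
CLIENT_CERTS = [
    {"subject": "/Email=dave@example.com/CN=Thawte Freemail Member", "issuer": THAWTE_CA},
    {"subject": "/C=GB/O=Example Ltd/OU=Support/CN=Dave Kelly", "issuer": INTERNAL_CA},
]

SSL_REQUIRE = '%{SSL_CLIENT_S_DN_OU} in {"Support", "Bugzilla"}'


def parse_dn(dn):
    """Split '/C=GB/O=Example Ltd/OU=Support' into {'C': 'GB', 'O': ..., 'OU': ...}."""
    out = {}
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        out[key] = value
    return out


def acceptable_certs(client_certs, advertised_cas):
    """Browser side of the handshake: the server's CertificateRequest carries the
    subject names of every CA loaded from SSLCACertificateFile/Path, and the
    browser offers only certificates whose issuer is in that list."""
    return [c for c in client_certs if c["issuer"] in advertised_cas]


def ssl_env(cert):
    """Build the SSL_CLIENT_S_DN_* variables mod_ssl would set for this certificate."""
    env = {"SSL_CLIENT_S_DN": cert["subject"], "SSL_CLIENT_I_DN": cert["issuer"]}
    for key, value in parse_dn(cert["subject"]).items():
        env["SSL_CLIENT_S_DN_" + key] = value
    return env


# One comparison: %{VAR} in {"a", "b"}   |   %{VAR} == "x"   |   %{VAR} != "x"
_TERM = re.compile(r'%\{(\w+)\}\s*(in|==|!=)\s*(\{[^}]*\}|"[^"]*")')


def eval_sslrequire(expr, env):
    """Evaluate a subset of SSLRequire. Unset variables read as the empty string,
    so a certificate without an OU can never satisfy an 'OU in {...}' rule.
    'and' binds tighter than 'or'; parentheses are not supported."""
    def term(match):
        value = env.get(match.group(1), "")
        op, rhs = match.group(2), match.group(3)
        if op == "in":
            return value in re.findall(r'"([^"]*)"', rhs)
        return (value == rhs.strip('"')) == (op == "==")

    def clause(text):
        results = []
        for atom in re.split(r"\s+and\s+", text):
            match = _TERM.fullmatch(atom.strip())
            if match is None:
                raise ValueError("unsupported SSLRequire term: " + atom)
            results.append(term(match))
        return all(results)

    return any(clause(c) for c in re.split(r"\s+or\s+", expr.strip()))


def decide(client_certs, advertised_cas, rule):
    """Auto-select (first acceptable certificate) followed by the SSLRequire check.
    Returns (subject of the offered certificate or None, access allowed)."""
    offered = acceptable_certs(client_certs, advertised_cas)
    if not offered:
        return None, False
    chosen = offered[0]
    return chosen["subject"], eval_sslrequire(rule, ssl_env(chosen))


if __name__ == "__main__":
    # ca-bundle.crt with the internal CA appended to the vendor bundle:
    # the Thawte cert is offered first and SSLRequire rejects it.
    print(decide(CLIENT_CERTS, [THAWTE_CA, INTERNAL_CA], SSL_REQUIRE))
    # SSLCACertificateFile pointing at the internal CA only:
    # the browser has exactly one acceptable cert and the rule matches.
    print(decide(CLIENT_CERTS, [INTERNAL_CA], SSL_REQUIRE))
```

The second call is the defender-side change the model illustrates: a CA file (and CA directory, if SSLCACertificatePath stays enabled) that contains only the CA whose certificates the site actually accepts, so the browser is never invited to present a certificate that SSLRequire will refuse.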