verify client certificate II

on 19.09.2002 18:30:37 by gabilm

Hi again.

I have verified these certificates from the openssl command line:

openssl verify -CAfile PKIv6_3.2_ca_sub2.p7c.pem imladris.dif.um.esCert.pem

where:
PKIv6_3.2_ca_sub2.p7c.pem is a PEM certificate chain with the "Root
CA Certificate" and the "Subordinate CA Certificate"
imladris.dif.um.esCert.pem is the server certificate

and the result is

imladris.dif.um.esCert.pem: OK

It's verified!!!

It seems to be a problem with the modssl module 2.8.3.

Can anybody help me?

Thanks, Gabi.

Gabriel López Millán wrote:

>
> Hi again.
>
> I have verified these certificates from the openssl command line:
>
> openssl verify -CAfile PKIv6_3.2_ca_sub2.p7c.pem imladris.dif.um.esCert.pem
>
> where:
> PKIv6_3.2_ca_sub2.p7c.pem is a PEM certificate chain with the
> "Root CA Certificate" and the "Subordinate CA Certificate"
> imladris.dif.um.esCert.pem is the server certificate
>
> and the result is
>
> imladris.dif.um.esCert.pem: OK
>
> It's verified!!!
>
> It seems to be a problem with the modssl module 2.8.3.
>
> Can anybody help me?
>
> Thanks, Gabi.
>
>
> Gabriel López Millán wrote:
>
>> Hi all.
>>
>> I have a problem with a certificate chain and a server certificate,
>> and I need help.
>> The certificate chain is formed by the Root CA Certificate and the
>> Subordinate CA Certificate shown below.
>> The server certificate is the last certificate.
>> I have configured apache with modssl and when I try to access
>> https://imladris.dif.um.es I get the following error:
>>
>> Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g
>> configured -- resuming normal operations
>> [Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed
>> (server imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL
>> library error follows)
>> [Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject
>> CN in certificate not server name or identical to CA!?]
>>
>> Obviously it's a mistake: the server certificate's subject is the same
>> as the server name (in the httpd.conf file)
>> and it's not a CA.
>>
>> I think the problem is in the path validation, in the
>> NameConstraints extension (2.5.29.30), but I'm not sure.
>> I don't know if openssl supports this extension and if it's well
>> configured.
>>
>> Any idea?
>>
>> Thanks, Gabi.
>>
>>
>> ** Root CA Certificate **
>>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 1 (0x1)
>> Signature Algorithm: md5WithRSAEncryption
>> Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>> Validity
>> Not Before: Sep 16 22:00:00 2002 GMT
>> Not After : Sep 16 22:00:00 2004 GMT
>> Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> RSA Public Key: (1024 bit)
>> Modulus (1024 bit):
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> X509v3 Key Usage: critical
>> Digital Signature, Certificate Sign, CRL Sign
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> Netscape Cert Type:
>> SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
>> Signature Algorithm: md5WithRSAEncryption
>>
>>
>> *** Subordinate CA Certificate ***
>>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 28 (0x1c)
>> Signature Algorithm: md5WithRSAEncryption
>> Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>> Validity
>> Not Before: Sep 17 11:25:36 2002 GMT
>> Not After : Sep 17 11:25:36 2003 GMT
>> Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> RSA Public Key: (512 bit)
>> Modulus (512 bit):
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> X509v3 Key Usage: critical
>> Certificate Sign, CRL Sign
>> 2.5.29.30: critical
>> 0...0...umu-euro6ix dd
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> Netscape Cert Type:
>> SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
>> Signature Algorithm: md5WithRSAEncryption
>>
>> *** Server Certificate (ServerName=imladris.dif.um.es) **
>>
>> Certificate:
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 15 (0xf)
>> Signature Algorithm: md5WithRSAEncryption
>> Issuer: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
>> Validity
>> Not Before: Sep 17 15:55:07 2002 GMT
>> Not After : Sep 17 15:55:07 2003 GMT
>> Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
>> Subject Public Key Info:
>> Public Key Algorithm: rsaEncryption
>> RSA Public Key: (512 bit)
>> Modulus (512 bit):
>> Exponent: 65537 (0x10001)
>> X509v3 extensions:
>> Netscape Cert Type:
>> SSL Server, S/MIME, Object Signing
>> X509v3 Basic Constraints:
>> CA:FALSE
>> X509v3 Subject Alternative Name:
>> email:gabilm@dif.um.es
>> Signature Algorithm: md5WithRSAEncryption
>>
>
>


--
-------------------------------------------------
Gabriel Lopez Millan - Grupo ANTS-CIRCuS
Facultad de Informática
Universidad de Murcia (España) Tfo: +34 968367645




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
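
Added example (not part of the original message, nor code from mod_ssl or OpenSSL): a small Python parser for the `openssl x509 -text` dumps quoted above. It lists each certificate's critical extensions and flags those printed only as a dotted OID, such as `2.5.29.30` in the subordinate CA, which is how OpenSSL prints an extension it has no name for. `audit_dump` and `SAMPLE` are names made up for this example; the sample is a trimmed copy of the quoted dumps.

```python
import re

# Constructed sample: a trimmed copy of the sub-CA and server dumps quoted in
# the message, with the ">> " mail-quote prefixes left in place.
SAMPLE = """\
>> Certificate:
>> Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
>> X509v3 extensions:
>> X509v3 Key Usage: critical
>> Certificate Sign, CRL Sign
>> 2.5.29.30: critical
>> 0...0...umu-euro6ix dd
>> X509v3 Basic Constraints: critical
>> CA:TRUE
>> Certificate:
>> Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
>> X509v3 extensions:
>> X509v3 Basic Constraints:
>> CA:FALSE
>> X509v3 Subject Alternative Name:
>> email:gabilm@dif.um.es
>> Signature Algorithm: md5WithRSAEncryption
"""

QUOTE = re.compile(r"^[>\s]*")             # mail-quote markers and indentation
EXT = re.compile(r"^(X509v3 .+?|Netscape .+?|\d+(?:\.\d+)+):( critical)?$")
RAW_OID = re.compile(r"^\d+(?:\.\d+)+$")   # extension shown by OID, not by name

def audit_dump(text):
    """Return one record per certificate found in `openssl x509 -text` output."""
    certs, in_ext = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).rstrip()
        if line == "Certificate:":
            certs.append({"subject": None, "critical": [], "undecoded_critical": []})
            in_ext = False
        elif not certs:
            continue                        # ignore text before the first dump
        elif line.startswith("Subject:"):
            certs[-1]["subject"] = line.split(":", 1)[1].strip()
        elif line == "X509v3 extensions:":
            in_ext = True
        elif line.startswith("Signature Algorithm:"):
            in_ext = False                  # trailing signature ends the extension list
        elif in_ext and (m := EXT.match(line)) and m.group(2):
            certs[-1]["critical"].append(m.group(1))
            if RAW_OID.match(m.group(1)):
                certs[-1]["undecoded_critical"].append(m.group(1))
    return certs
```

A relying party that does not recognise a critical extension must reject the certificate (RFC 3280, section 4.2), so a flagged entry in a CA certificate is worth checking against every client and server that will validate the chain.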