verify client certificate
on 19.09.2002 17:52:53 by gabilm
Hi all.
I have a problem with a certificate chain and a server certificate, and I
need help.
The certificate chain is formed by the Root CA Certificate and the
Subordinate CA Certificate shown below.
The server certificate is the last certificate.
I have configured Apache with mod_ssl, and when I try to access
https://imladris.dif.um.es I get the following error:
Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g
configured -- resuming normal operations
[Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed (server
imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL library
error follows)
[Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
in certificate not server name or identical to CA!?]
Obviously it's a mistake: the server certificate's subject is the same
as the server name (in the httpd.conf file)
and it's not a CA.
I think the problem is in the path validation, in the NameConstraints
extension (2.5.29.30), but I'm not sure.
I don't know if OpenSSL supports this extension and if it's well
configured.
Any idea?
Thanks, Gabi.
** Root CA Certificate **
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
Validity
Not Before: Sep 16 22:00:00 2002 GMT
Not After : Sep 16 22:00:00 2004 GMT
Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:aa:e5:b5:5b:0a:f4:ef:79:2a:4d:8e:84:e1:ce:
43:59:81:2d:b6:53:8c:97:77:4f:db:07:08:69:b0:
68:ea:1d:cd:fe:c2:a4:a2:08:ec:ce:ed:b4:13:91:
dc:da:bf:27:41:ef:f1:f3:3b:96:36:97:2f:9c:f3:
48:21:b3:a0:34:0d:8a:e8:04:cf:d5:c2:06:dd:cf:
5d:ea:7c:d5:9e:ab:92:65:7a:e1:32:ee:73:f4:4f:
99:be:18:5c:a0:84:5c:b0:09:f0:8a:68:61:1a:94:
ec:c5:95:9b:10:c4:0b:4b:e9:e0:2f:48:7b:2b:23:
56:02:56:a7:2c:16:c4:2f:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Cert Type:
SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
*** Subordinate CA Certificate ***
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 28 (0x1c)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
Validity
Not Before: Sep 17 11:25:36 2002 GMT
Not After : Sep 17 11:25:36 2003 GMT
Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:b5:e5:36:3f:7a:29:a0:da:3a:67:60:4f:ed:52:
81:09:26:21:4d:a7:14:77:54:56:be:87:1d:5a:62:
26:89:aa:f4:00:19:e6:c5:d8:c0:68:71:0f:2b:b5:
7b:54:25:7f:98:2e:75:e6:65:76:b4:9f:39:99:2e:
56:19:b6:5e:27
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
2.5.29.30: critical
0...0...umu-euro6ix dd
X509v3 Basic Constraints: critical
CA:TRUE
Netscape Cert Type:
SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
*** Server Certificate (ServerName=imladris.dif.um.es) **
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
Validity
Not Before: Sep 17 15:55:07 2002 GMT
Not After : Sep 17 15:55:07 2003 GMT
Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:b6:85:42:e5:32:6f:30:5f:69:8f:c1:93:ca:a6:
19:3a:67:b7:c0:d2:12:e0:7d:c2:75:0f:4e:00:30:
16:4f:39:fb:9a:49:5d:db:18:bb:20:b4:6b:67:df:
ca:96:2f:18:1e:95:b9:56:9b:19:72:9a:2a:78:b7:
09:d9:0f:15:37
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server, S/MIME, Object Signing
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
email:gabilm@dif.um.es
Signature Algorithm: md5WithRSAEncryption
--
-------------------------------------------------
Gabriel Lopez Millan - Grupo ANTS-CIRCuS
Facultad de Informática
Universidad de Murcia (España) Tfo: +34 968367645
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
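
Added example, not part of the original message: X.509 path validation (RFC 5280, section 4.2) requires a validator to reject a certificate carrying a critical extension it does not process, which is the possibility the poster raises for 2.5.29.30 on the subordinate CA. The Python code below walks a DER Extensions list and reports such extensions; the sample bytes, the helper names and the HANDLED set are constructed assumptions, not data taken from the posted certificates.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # final byte of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def critical_unhandled(extensions_der, handled):
    """Return OIDs of critical extensions not in `handled` (no flag = non-critical)."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected an Extensions SEQUENCE")
    rejected, pos = [], 0
    while pos < len(body):
        _, extension, pos = read_tlv(body, pos)
        _, oid_body, after_oid = read_tlv(extension, 0)
        tag, value, _ = read_tlv(extension, after_oid)
        oid = decode_oid(oid_body)
        if tag == 0x01 and value != b"\x00" and oid not in handled:  # critical flag set
            rejected.append(oid)
    return rejected

def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (sample data)
def make_ext(oid_hex, critical, value_hex):
    parts = der(0x06, bytes.fromhex(oid_hex)) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, parts + der(0x04, bytes.fromhex(value_hex)))

# Constructed stand-in for the sub-CA's extension list; extension bodies are placeholders.
SUB_CA_EXTENSIONS = der(0x30,
    make_ext("551d0f", True, "03020106")                  # keyUsage, critical
    + make_ext("551d1e", True, "3000")                    # 2.5.29.30, critical
    + make_ext("551d13", True, "30030101ff")              # basicConstraints, critical
    + make_ext("6086480186f8420101", False, "03020007"))  # Netscape Cert Type
HANDLED = {"2.5.29.15", "2.5.29.19"}  # assumption: validator without 2.5.29.30 support
```

With this HANDLED set, critical_unhandled(SUB_CA_EXTENSIONS, HANDLED) reports only 2.5.29.30; a validator in that position has to fail the whole chain, whatever the server certificate's subject says.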