MSIE fail in SSLV3 connection with trusted intermediate authority.

on 04.10.2002 20:07:50 by Olivier.Baulier

Apache: httpd-2.0.40
OpenSSL: openssl-0.9.6g


On the same HTTPS Apache server and with the same client certificate, all connections from MSIE have failed, but all NS connections are established properly.

MSIE, with the same client certificate and the same trusted intermediate authority, connects properly on an HTTPS Iplanet server 4.

MSIE connects properly to the HTTPS Apache server when I use a certificate that is signed directly by the root CA, not by the intermediate CA.

I use the SSLV3 protocol to protect a sub-directory with these settings:

SSLVerifyDepth 2
SSLVerifyClient require
SSLCACertificateFile R:\PDCI\dciweb\Apache2\dciwebca.crt
SSLOptions +ExportCertData +OptRenegotiate


Log file with debug setting gives:

Good connection with NSE V4.7
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test authority/Email=catest@reuters.com, issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test authority/Email=catest@reuters.com
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=RCF User Authority/Email=rcf-user-ca@reuters.com, issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test authority/Email=catest@reuters.com
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client certificate A
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client key exchange A
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read certificate verify A

Bad connection with MSIE 6
[Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=RCF User Authority/Email=rcf-user-ca@reuters.com, issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test authority/Email=catest@reuters.com
[Mon Sep 30 14:55:01 2002] [error] Certificate Verification: Error (24): invalid CA certificate
[Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1864): OpenSSL: Write: SSLv3 read client certificate B
[Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B

Best regards
olivier.baulier@reuters.con



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
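
An added example, not part of the original post and not mod_ssl code: a small Python parser for the mod_ssl debug lines quoted above that pairs each "Certificate Verification: Error" line with the certificate and chain depth it follows. The sample log is constructed from the post's two traces with the DNs shortened to the CN, and the function names are hypothetical.

```python
import re

# Constructed sample: the two traces from the post, DNs reduced to the CN.
SAMPLE = """\
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /CN=Reuters Financial SoftWare test authority, issuer: /CN=Reuters Financial SoftWare test authority
[Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /CN=RCF User Authority, issuer: /CN=Reuters Financial SoftWare test authority
[Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /CN=RCF User Authority, issuer: /CN=Reuters Financial SoftWare test authority
[Mon Sep 30 14:55:01 2002] [error] Certificate Verification: Error (24): invalid CA certificate
"""

STEP = re.compile(r"Certificate Verification: depth: (\d+), subject: (.+?), issuer: (.+)$")
ERROR = re.compile(r"Certificate Verification: Error \((\d+)\): (.+)$")
STAMP = re.compile(r"^\[([^\]]+)\]")


def verification_events(log_text):
    """Return one dict per verified certificate, with any error that followed it."""
    events = []
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        when = stamp.group(1) if stamp else None
        step = STEP.search(line)
        if step:
            depth, subject, issuer = (g.strip() for g in step.groups())
            events.append({"time": when, "depth": int(depth), "subject": subject,
                           "issuer": issuer, "self_signed": subject == issuer,
                           "error": None})
            continue
        err = ERROR.search(line)
        # Assumption: as in the trace on this page, the error line directly
        # follows the verification line of the certificate it applies to.
        if err and events and events[-1]["error"] is None:
            events[-1]["error"] = (int(err.group(1)), err.group(2).strip())
    return events


def rejected(log_text):
    """Certificates whose verification step was followed by an error line."""
    return [e for e in verification_events(log_text) if e["error"]]


if __name__ == "__main__":
    for e in verification_events(SAMPLE):
        role = "CA position" if e["depth"] > 0 else "end-entity position"
        status = "REJECTED %s" % (e["error"],) if e["error"] else "ok"
        print(e["time"], "depth", e["depth"], role, e["subject"], status)
```

OpenSSL verify error 24 is X509_V_ERR_INVALID_CA, so the certificate reported at the rejected depth is the one whose CA extensions (for example basicConstraints) are worth inspecting.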