SSLVerifyClient

on 28.06.2005 13:42:00 by lingwitt

Please please help me get this stuff working.
I want client authentication. Currently, I am trying
to get authentication working with my own CA, but that is foobar.
I have an intranet where the people already have certificates.
I want to use the CA that signed those as well.
When s_client does work, it shows that the server
is requesting certificates signed by the allowed CAs, so I am
content with that.

It seems as if the browser is not sending the certificates to Apache.

I'm running Mac OS X Tiger, I've tried importing my own certificates
into Keychain, but that makes no difference, and besides, I already
have a certificate for my intranet in there that should work.
Moreover, my own signed certificates don't have purposes like "client
authentication,"
which is perhaps the cause of some of the trouble.

Any advice will be appreciated.

When I have SSLVerifyClient none

I can log into the SSL enabled server just fine.


When it is SSLVerifyClient optional

s_client without a certificate works

s_client with a certificate produces:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=Server/CN=/Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5100:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
5100:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

and a browser causes:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server :443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib(20):func(137):reason(178)


When it is SSLVerifyClient require

s_client without certificate: same as with cert above

s_client with certificate:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5111:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
5111:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

browser produces errors:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server :443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib(20):func(137):reason(178)



Running s_server always works, and the client certificate from the
browser is loaded up.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLVerifyClient

on 28.06.2005 14:14:58 by Eckard Wille

lingwitt@bellsouth.net wrote:
> browser produces errors:
>
> [28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established
> (server :443, client 127.0.0.1)
> [28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
> [28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error
> (20): unable to get local issuer certificate

Hi lingwitt,

obviously the CA that signed your clients is not known to the server.
Take a look at

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14

Greetings from Germany,
Eckard

Re: SSLVerifyClient

on 28.06.2005 14:38:42 by lingwitt


Obviously I understand everything you say. Arrogant fool.
Explain something interesting to me.

The CA is recognized by the server.

Greetings from the US

On Jun 28, 2005, at 8:14 AM, Eckard Wille wrote:

> lingwitt@bellsouth.net schrieb:
>
>> browser produces errors:
>> [28/Jun/2005 07:20:28 05071] [info] Connection to child 0
>> established (server :443, client 127.0.0.1)
>> [28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of
>> entropy
>> [28/Jun/2005 07:20:28 05071] [error] Certificate Verification:
>> Error (20): unable to get local issuer certificate
>>
>
> Hi lingwitt,
>
> obviously the CA that signed your clients is not known to the
> server. Take a look at
>
> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14
>
> Greetings from Germany,
> Eckard



Re: SSLVerifyClient

on 28.06.2005 16:27:18 by Paul Puschmann


lingwitt@bellsouth.net wrote:
> Obviously I understand everything you say. Arrogant fool.
> Explain something interesting to me.
>
> The CA is recognized by the server.
>
> Greetings from the US
>=20
Sure?
First: this is an English mailing list, so please write only in English
and not in such an ugly German word puzzle.

Next: Write below the quote so you don't produce TOFU (Text oben,
Fullquote unten: text on top, full quote underneath).

Last: Read http://learn.to/quote/

I think that Eckard Wille might be right. So have some experiments with
your ca-files and certificates.

Paul


Re: SSLVerifyClient

on 28.06.2005 17:01:32 by lingwitt


This can't be the problem, as I specify the CA using
SSLCACertificatePath using the proper HASH names. I've also tried
SSLCACertificateFile.

Using s_client with SSLVerifyClient optional, it shows that the
server is correctly identifying which CAs are allowed.

I think the problem is with Safari and Keychain. I shall look further
into the matter.

On Jun 28, 2005, at 10:27 AM, Paul Puschmann wrote:

> I think that Eckard Wille might be right. So have some experiments
> with
> your ca-files and certificates.



Re: SSLVerifyClient

on 29.06.2005 15:50:54 by lingwitt


Indeed, the trouble was with Safari and Keychain. Apparently, having
more than one certificate confuses Safari. I am not sure what to do
now, except get a different browser. Any advice would be appreciated.

On Jun 28, 2005, at 11:01 AM, lingwitt@bellsouth.net wrote:

> This can't be the problem, as I specify the CA using
> SSLCACertificatePath using the proper HASH names. I've also tried
> SSLCACertificateFile.
>
> using s_client with SSLVerifyClient optional, it shows that the
> server is correctly identifying which CAs are allowed.
>
> I think the problem is with Safari and Keychain. I shall look
> further into the matter.
>
> On Jun 28, 2005, at 10:27 AM, Paul Puschmann wrote:
>
>> I think that Eckard Wille might be right. So have some experiments
>> with
>> your ca-files and certificates.
>



Re: SSLVerifyClient

on 30.06.2005 04:05:07 by lingwitt


Firefox works like a charm.

On Jun 29, 2005, at 9:50 AM, lingwitt@bellsouth.net wrote:

> Indeed, the trouble was with Safari and Keychain. Apparently,
> having more than one certificate confuses Safari. I am not sure
> what to do now, except get a different browser. Any advice would be
> appreciated.
>
> On Jun 28, 2005, at 11:01 AM, lingwitt@bellsouth.net wrote:
>
>> This can't be the problem, as I specify the CA using
>> SSLCACertificatePath using the proper HASH names. I've also tried
>> SSLCACertificateFile.
>>
>> using s_client with SSLVerifyClient optional, it shows that the
>> server is correctly identifying which CAs are allowed.
>>
>> I think the problem is with Safari and Keychain. I shall look
>> further into the matter.
>>
>> On Jun 28, 2005, at 10:27 AM, Paul Puschmann wrote:
>>
>>> I think that Eckard Wille might be right. So have some
>>> experiments with
>>> your ca-files and certificates.
>>
>



SSLCACertificatePath

on 30.06.2005 07:30:49 by lingwitt

User authentication works when I specify
SSLCACertificateFile

However, it does not work when I use
SSLCACertificatePath

I use the Makefile.crt, renamed Makefile, in the same directory pointed
to by SSLCACertificatePath.
The hash symlinks are created.

The log shows that Apache loads those certificates in, but when I try
to authenticate, it can't find them.

Thanks for your response.

Re: SSLCACertificatePath

on 30.06.2005 09:50:53 by Paul Puschmann


lingwitt@bellsouth.net wrote:
> User authentication works when I specify
> SSLCACertificateFile
>
> However, it does not work when I use
> SSLCACertificatePath
>
> I use the Makefile.crt renamed Makefile in the same directory pointed
> to by SSLCACertificatePath
> The hash symlinks are created.
>
> The log shows that Apache loads those certificates in, but when I try
> to authenticate, it can't find them.
>
Yes, there are some problems with SSLCACertificatePath.
I used SSLCACertificateFile and have put all certificate-entries in one
file. This worked for me.

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/

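The following is an added example, not code from the thread or from mod_ssl. It reproduces offline the two failures discussed above: the server-side "Certificate Verification: Error (20): unable to get local issuer certificate" from the first post (the client sees the same event as the "unknown CA" alert, number 48, because mod_ssl could not find the issuer of the presented client certificate among the CAs in SSLCACertificateFile or SSLCACertificatePath), and the SSLCACertificatePath case from this sub-thread, where a CA is read into the process but only found at verification time if the directory carries it under the hashed name <subject_hash>.0. It assumes only that the openssl command-line tool is on PATH; every file name and subject (Demo Client CA, Other CA, alice) is made up for the demonstration. One check the thread does not mention: the subject-hash algorithm changed in OpenSSL 1.0.0 (MD5 to SHA-1), so links created by an older tool such as the Makefile.crt are not found by a newer library; the script therefore creates both names.

```shell
#!/bin/sh
# Added example, not code from the thread or from mod_ssl. Assumes only
# that the openssl command-line tool is on PATH; every file name and
# subject used here (Demo Client CA, Other CA, alice) is made up.
set -eu

# One config file serves both the CA and the client certificate; the
# v3_client section carries the clientAuth EKU a browser will look for.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA $2.crt/$2.key in directory $1 with subject $3.
make_ca() {
  openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -days 1 \
    -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Client certificate issued by ca.crt in directory $1.
make_client() {
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=alice" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/client.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/pki.cnf" -extensions v3_client \
    -out "$1/client.crt" 2>/dev/null
}

# Throwaway PKI in directory $1: the issuing CA, an unrelated CA, one client.
make_pki() {
  mkdir -p "$1"
  write_config "$1/pki.cnf"
  make_ca "$1" ca "/CN=Demo Client CA"
  make_ca "$1" other "/CN=Other CA"
  make_client "$1"
}

# Same lookup mod_ssl does for SSLCACertificateFile: the issuer must be in
# the single file $1. Prints "<cert>: OK" or the OpenSSL error text.
verify_with_file() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1 || true
}

# Same lookup mod_ssl does for SSLCACertificatePath: the issuer is found in
# directory $1 only under its hashed name <subject_hash>.0.
verify_with_path() {
  openssl verify -purpose sslclient -CApath "$1" "$2" 2>&1 || true
}

# Populate CA directory $1 with $2. With $3=yes, add the symlinks under both
# the current (SHA-1 based, OpenSSL >= 1.0.0) and the older MD5-based subject
# hash, so the directory works whichever OpenSSL mod_ssl is linked against.
make_capath() {
  mkdir -p "$1"
  cp "$2" "$1/ca.crt"
  if [ "$3" = yes ]; then
    ln -sf ca.crt "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
    old=$(openssl x509 -noout -subject_hash_old -in "$2" 2>/dev/null || true)
    if [ -n "$old" ]; then ln -sf ca.crt "$1/$old.0"; fi
  fi
}

# Run the four cases the thread's logs correspond to.
run_demo() {
  work=$(mktemp -d)
  make_pki "$work"
  make_capath "$work/unhashed" "$work/ca.crt" no
  make_capath "$work/hashed" "$work/ca.crt" yes
  echo "right CA file: $(verify_with_file "$work/ca.crt" "$work/client.crt")"
  echo "wrong CA file: $(verify_with_file "$work/other.crt" "$work/client.crt")"
  echo "unhashed path: $(verify_with_path "$work/unhashed" "$work/client.crt")"
  echo "hashed path:   $(verify_with_path "$work/hashed" "$work/client.crt")"
  rm -rf "$work"
}

run_demo
```

The "wrong CA file" and "unhashed path" cases print "error 20 at 0 depth lookup: unable to get local issuer certificate", the number mod_ssl logs; the other two print "... client.crt: OK". The -purpose sslclient switch also rejects a certificate without the clientAuth extended key usage, which is the other thing the first post wondered about, so the same command is a quick way to check a certificate before loading it into a browser.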

Re: SSLVerifyClient

on 30.06.2005 09:52:21 by Paul Puschmann


lingwitt@bellsouth.net wrote:
> Indeed, the trouble was with Safari and Keychain. Apparently, having
> more than one certificate confuses Safari. I am not sure what to do now,
> except get a different browser. Any advice would be appreciated.
>
> On Jun 28, 2005, at 11:01 AM, lingwitt@bellsouth.net
> wrote:
>
>> This can't be the problem, as I specify the CA using
>> SSLCACertificatePath using the proper HASH names. I've also tried
>> SSLCACertificateFile.
>>
>> using s_client with SSLVerifyClient optional, it shows that the server
>> is correctly identifying which CAs are allowed.
>>
>> I think the problem is with Safari and Keychain. I shall look further
>> into the matter.
>>
Please answer BELOW THE QUOTE! Thank you.

Perhaps you could file a bug against Safari (or have a look in their
bug-database (if existent)).

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/


Re: SSLVerifyClient

on 30.06.2005 18:05:38 by lingwitt


On Jun 30, 2005, at 3:52 AM, Paul Puschmann wrote:

> Please answer BELOW THE QUOTE! Thank you.

I'm sorry about that. Thanks for the responses.

