SSLVerifyClient fails
on 29.07.2005 14:50:16 by sven.loeschner
I got a big problem with SSLVerifyClient. I had a similar problem before,
but now the error(s?) is really more strange (in my point of view). I used
this tutorial: http://fra.nksteidl.de/Erinnerungen/OpenSSL.php
I have got two sections. One with only server-side SSL (works), and a folder
(called 'demo', with a file 'index.php') with client-side SSL. When I call
the site my browser asks me to choose a cert I want to use to enter the
site. I choose the right one (exported via pkcs), and then IE says "cannot
find server or dns", and Firebird doesn't do anything (it stays on my
startpage, but with the "lock" symbol in the taskbar).
So I have got a Root_CA, a Server_CA and a User_CA.
The Root_CA verifies the other 2 CAs. Server_CA verifies server certificates
(no problem). User_CA verifies client certificates.
I concatenated the certificates from Root and User_CA: "cat ..../RootCA.cert.pem
...../UserCA.cert.pem > UserCAchaincert.pem"
My integration in Apache:
NameVirtualHost xxx.xxx.xxx.xxx:443
ServerName test.de
DocumentRoot /srv/www/htdocs/web3/html/test
php_admin_value open_basedir /srv/www/htdocs/web3/html/test
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLProtocol all
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLOptions +StdEnvVars +ExportCertData
ErrorLog "/var/log/apache2/test/ssl.log"
LogLevel debug
SSLVerifyClient none
SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
If you need something more, just let me know. And thank you very much in
advance for every helpful idea, because I have been trying to get this to
work for weeks.
Sven
P.S.: I use Suse Linux 9.0 with mod_ssl and openssl 0.9.7b (would like to
update....)
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: SSLVerifyClient fails
on 29.07.2005 16:59:45 by Matt Stevenson
Hi,
You have an intermediate and a RootCA, try setting
SSLVerifyDepth equal to 2.
Regards
Matt
RE: SSLVerifyClient fails
on 29.07.2005 17:14:37 by sven.loeschner
> SSLVerifyDepth equal to 2.
Thanks, I tried Depth from 1 to 10... but no effect. I think my certificates
are wrong... especially the concatenated one. Is there a way to verify these
certificates?
Sven
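A way to answer Sven's question with plain openssl(1) commands, as an added example that is not part of the thread: it inspects the concatenated chain file and runs the same path validation against the client certificate that mod_ssl performs for "SSLVerifyClient require". The default paths are the ones from Sven's mail and are assumptions; override CHAIN and CLIENT to point at other files.

```shell
#!/bin/sh
# Added example (not from the thread): check a concatenated CA chain file and a
# client certificate with plain openssl(1) commands, the way mod_ssl will use them.
# Default paths are the ones from the thread (assumed); override via environment.
CHAIN="${CHAIN:-/etc/ssl/UserCA/UserCAchaincert.pem}"
CLIENT="${CLIENT:-/etc/ssl/UserCA/svencert.pem}"

# Number of certificate blocks in a PEM bundle. "cat RootCA UserCA > chain"
# must give 2; anything else means the concatenation itself is broken
# (typically a missing newline at the end of the first file merging two blocks).
chain_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Subject and issuer of every certificate in the bundle, in file order.
# The issuer of the User_CA entry has to equal the subject of the Root_CA entry.
chain_list() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Same path validation mod_ssl performs for "SSLVerifyClient require":
# client cert -> User_CA -> Root_CA, with the bundle as the trust store.
# Exit status 0 means the chain verifies; openssl prints the reason otherwise.
client_verifies() {
  openssl verify -CAfile "$1" "$2"
}

main() {
  echo "certificates in $CHAIN: $(chain_count "$CHAIN")"
  chain_list "$CHAIN"
  if client_verifies "$CHAIN" "$CLIENT"; then
    echo "client certificate verifies against the chain file"
  else
    echo "client certificate does NOT verify against the chain file"
  fi
}

# Run only when both files exist, so the functions can also be sourced and reused.
[ -r "$CHAIN" ] && [ -r "$CLIENT" ] && main
```

If `openssl verify` reports OK here but the handshake still fails, the chain file is not the culprit and the server-side configuration is the next thing to check.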
RE: SSLVerifyClient fails
on 29.07.2005 17:17:42 by Matt Stevenson
Try using "openssl s_client ...." to connect (? arg for
options). It'll give a lot of debug info.
RE: SSLVerifyClient fails
on 29.07.2005 17:38:31 by sven.loeschner
> Try using "openssl s_client ...." to connect(? arg for
> options). It'll give alot of debug info.
Okay, I tried "openssl s_client -connect www.test.de:443 -CAfile
/etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
/etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
-showcerts -state -bugs"
The output is the following:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/emailAddress=info@test.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/emailAddress=info@test.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/emailAddress=info@test.de
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
22430:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
Sven
Re: SSLVerifyClient fails
on 04.08.2005 09:59:44 by Paul Puschmann
Sven Löschner wrote:
>>Try using "openssl s_client ...." to connect (? arg for
>>options). It'll give a lot of debug info.
>
>
> Okay, I tried "openssl s_client -connect www.test.de:443 -CAfile
> /etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
> /etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
> -showcerts -state -bugs"
>
> The output is the following:
>
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/emailAddress=info@test.de
> verify error:num=20:unable to get local issuer certificate
Seems you don't have the required Root CA certificates installed on your
webserver (you need the root certificate of your client certificates).
Anyone correct me if I'm wrong.
Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/
RE: SSLVerifyClient fails
on 04.08.2005 11:49:45 by sven.loeschner
Ok, a friend of mine sent me a working CA cert with a working client
cert... but it's not working for me. I guess I will set up an Apache 1.x
and delete the Apache2, because it causes a lot of trouble in working
correctly, e.g. with OpenSSL. I tried a lot of versions, but always errors
(OpenSSL 0.9.7f - 0.9.8, Apache 2.0.48, 2.0.54, 2.0.55-dev).
Sven