client certificates won't verify under Apache
on 04.09.2005 23:07:51 by Aaron Turner
I'm running CentOS 4.1 with Apache 2.0.52 and trying to setup client
SSL authentication using an internal CA. I've read the docs and
checked the list archives for someone having the same problem or any
hints, but have come up empty so far. Anyways...
Running:
openssl verify -CAfile ssl.crt/cacert.crt -purpose sslclient
aaron_turner.crt
Returns OK.
But configuring apache with:
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile conf/ssl.crt/updates.musecurity.net.crt
SSLCertificateKeyFile conf/ssl.key/updates.musecurity.net
SSLCACertificatePath conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth 1
where my conf/ssl.crt directory has the cacert.crt with the
appropriate hashes, when I run:
openssl s_client -connect updates.musecurity.net:443 -CAfile
cacert.pem -cert aaron_turner.pem -certform pem -showcerts -verify 1
I get:
[error] Certificate Verification: Error (19): self signed certificate
in certificate chain
In my ssl_error_log.
openssl returns:
verify depth is 1
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./
emailAddress=aturner@musecurity.com
verify return:1
depth=0 /C=US/ST=California/L=Sunnyvale/O=MuSecurity, Inc./OU=Update
Server/CN=updates.musecurity.net/emailAddress=mu-support@musecurity.com
verify return:1
871:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1054:SSL alert number 48
871:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:230:
I think somewhat related is my problem with using:
SSLCACertificateFile conf/ssl.crt/cacert.crt
which gives me an error:
SSLCACertificateFile: file '/etc/httpd/conf/ssl.crt/cacert.crt' does
not exist or is empty
which is quite strange since the file does exist, contains the
certificate and has the correct perms (files are 644 and directories
755). I've even tried copying over the aaron_turner.crt to the conf/
ssl.crt directory and regenerating the hashes, but that doesn't help.
I can only assume I'm missing something horribly obvious, but I've
been working on this for hours with no luck...
TIA,
Aaron
--
Aaron Turner, Sr. Security Engineer
Ph: 408.329.1956
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
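The two symptoms in the post (a "self signed certificate in certificate chain" verification error with SSLCACertificatePath, and SSLCACertificateFile reporting a file that exists as "does not exist or is empty") both come down to what mod_ssl can actually read from the CA file and which hash filename it looks for in the directory. The following is an added example, not code from the post or from mod_ssl, that checks those two things from a PEM file with nothing but the Python standard library: it rejects input that carries no PEM CERTIFICATE block (a DER-encoded file triggers the same "missing or empty" style failure), reports whether each certificate is self-signed (issuer name equals subject name, which is what a root CA in a directory must be), and prints the filename the OpenSSL 0.9.x hash scheme expects for it (MD5 of the DER-encoded subject name, first four bytes little-endian, plus ".0"). OpenSSL 1.0.0 and later use a different SHA-1-based hash for the directory lookup, so on newer systems compare against `openssl x509 -subject_hash_old` instead. The certificate built by `make_sample_pem` is a constructed skeleton with a dummy key and signature, used only so the example runs offline; the DER walker itself reads only the TBSCertificate fields it needs and works on real certificates.

```python
"""Check a PEM CA file the way a mod_ssl SSLCACertificatePath lookup sees it.
Added example; assumes PEM input and the OpenSSL 0.9.x name-hash scheme."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(content):
    """All TLVs inside a constructed element as (tag, content, raw_tlv)."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val, content[start:pos]))
    return out


def load_pem_certs(data):
    """DER bodies of every CERTIFICATE block; DER or empty input is rejected,
    which is the situation mod_ssl reports as 'does not exist or is empty'."""
    blocks = [base64.b64decode(b"".join(m.group(1).split()))
              for m in PEM_BLOCK.finditer(data)]
    if not blocks:
        raise ValueError("no PEM CERTIFICATE blocks (DER-encoded or empty file?)")
    return blocks


def name_hash_old(name_der):
    """OpenSSL 0.9.x X509_NAME_hash: MD5 over i2d_X509_NAME, first 4 bytes LE."""
    digest = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


def common_name(name_der):
    """Pull the commonName out of a DER Name, or None if absent."""
    _, seq, _ = read_tlv(name_der, 0)
    for _, rdn_set, _ in children(seq):
        for _, atv, _ in children(rdn_set):
            parts = children(atv)          # [type OID, value]
            if parts[0][1] == OID_CN:
                return parts[1][1].decode("utf-8", "replace")
    return None


def inspect_cert(cert_der):
    """Report the issuer/subject facts a CA-directory lookup depends on."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # explicit [0] version is optional
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer_der, subject_der = fields[2][2], fields[4][2]
    return {"subject_cn": common_name(subject_der),
            "issuer_cn": common_name(issuer_der),
            "self_signed": issuer_der == subject_der,
            "hash_filename": name_hash_old(subject_der) + ".0"}


def inspect_pem(data):
    return [inspect_cert(c) for c in load_pem_certs(data)]


def make_name(cn):
    """Constructed Name holding only CN=<cn> (sample data, not a real CA)."""
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))


def make_sample_pem(subject_cn, issuer_cn):
    """Constructed certificate skeleton: real TBS layout, dummy key and signature."""
    sha1_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"050904000000Z") + der(0x17, b"150904000000Z"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                         + der(0x05, b"")) + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha1_rsa
              + make_name(issuer_cn) + validity + make_name(subject_cn) + spki)
    cert = der(0x30, tbs + sha1_rsa + der(0x03, b"\x00" * 9))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for info in inspect_pem(make_sample_pem("Test CA", "Test CA")):
        print(info)
```

Run it against the real cacert.crt by replacing the sample with `open(path, "rb").read()`: if `load_pem_certs` raises, the file is not PEM and a `openssl x509 -inform DER -in cacert.crt -out cacert.pem` conversion is the fix; if `self_signed` is True but no file named `hash_filename` exists in the SSLCACertificatePath directory, the hash links were generated for a different name or with a different OpenSSL hash scheme and need regenerating with the OpenSSL that mod_ssl is linked against.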