Re-negotiation problems with *all* clients
on 15.11.2002 03:14:25 by pilsl

I've been running apache and mod_ssl for a long time now. Now I wanted to
add support for client-auth and got into big trouble at the beginning.
As soon as any client wants to connect to a folder that (I tested
netscape7, opera6, konqueror and lynx2.8) the client gets an
unspecified error (or crashes like opera6) and the server (apache2) has the
following in its logs:
[Fri Nov 15 03:05:06 2002] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Nov 15 03:05:06 2002] [error] SSL handshake failed (server c2.goldfisch.at:443, client 62.99.146.117)
[Fri Nov 15 03:05:06 2002] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)
The config is very simple:
SSLPassPhraseDialog builtin
SSLSessionCache none
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCertificateFile /data/ssl/peter/www.goldfisch.at.crt
SSLCertificateKeyFile /data/ssl/peter/www.goldfisch.at.key
SSLCACertificateFile /data/ssl/peter/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
I didn't install any client-certs by now (because I still don't know how
to do this: I had hoped to get asked for it by the client when
connecting).
Now I fear that my ca.crt has wrong format. This is my own selfsigned
CertificateAuthority that I used to sign www.goldfisch.at.crt too.
I also tried to create a new client-cert and put the crt-part there
instead with the same result.
By now I don't know if a client-cert is the crt-part that is signed by
my CA and the ca-crt must be put to the SSLCACertificateFile-directive,
or if I should just create a new certificate (signed by my CA) and the
crt-part should be put in the SSLCACertificateFile-directive and the
keyfile is the part that I need to install somehow at my client.
I really searched the mod_ssl-docs but I couldn't find the answer.
For the Re-negotiation-problem I found frequent entries dealing with
the same problem, but all seem to be related to problems with
MSIE-browsers that have an SSL keep-alive bug or something. My problem
seems to be different, because I don't use MSIE at all and the problem
occurs with all clients I tried.
thnx,
peter
--
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
pilsl@goldfisch.at
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
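The setup the poster is unsure about, as an added shell example (not from the post or from the mod_ssl project): the CA's own certificate is what SSLCACertificateFile points to, while the client installs a certificate that this CA signed together with its private key. The demo CA, the subject names, the export password and the working directory are constructed; in practice the CA that signed www.goldfisch.at.crt is reused.

```sh
#!/bin/sh
# Added example, not code from the post. Issues a client certificate from a
# private CA and checks it the way mod_ssl will. Constructed: the demo CA,
# the subject names, the PKCS#12 password and $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throw-away CA (cert + key). Only ca.crt is ever copied to the server,
# as the file SSLCACertificateFile points to.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a client cert: key + CSR on the client side, the CA signs the CSR.
# The client needs <name>.crt and <name>.key; the server needs neither.
make_client_cert() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" 2>/dev/null
  # Browsers import cert + key as one PKCS#12 bundle, not as separate PEM files.
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/$name.p12"
}

# The check SSLVerifyClient require / SSLVerifyDepth 1 performs on the
# presented cert: does ca.crt validate it directly? Exit 0 means the
# certificate step of the handshake passes; non-zero means "Not accepted".
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed cert NOT issued by the CA, to show the rejected case.
make_stray_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Demo run: sh clientcert.sh demo
if [ "${1:-}" = demo ]; then
  make_demo_ca
  make_client_cert peter && verify_against_ca peter && echo "peter.crt: OK ($WORK/peter.p12)"
  make_stray_cert stray
  verify_against_ca stray || echo "stray.crt: rejected (not signed by ca.crt)"
fi
```

The logged reason(199) is OpenSSL's "peer did not return a certificate": with SSLVerifyClient require and no client certificate installed in any browser, every client fails the renegotiation in exactly the way described.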