Apache 2 and client authentication

Apache 2 and client authentication

on 14.05.2003 13:57:30 by Juan Angel Martin

Hi all,

I have one Linux server with Apache 1.3.27, and it's configured for
client authentication on one port.

When I connect to it on that port with IE 6.0 or Netscape 7.0 or 4.78,
the server asks me only one time for the password of the container that
keeps the private key needed to authenticate me.

But I have another one with Apache 2.0.45, configured like the one with
1.3.27; it has the same SSL virtual hosts configuration options.

With this server, the server asks me for the password of the container
that keeps the private key needed to authenticate me for every frame or
picture that the page shows.

How can I get the server with Apache 2.0.45 to ask me for the
password only one time, like the other one with Apache 1.3.27?

Thanks in advance
Juanan

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache 2 and client authentication

on 14.05.2003 14:24:28 by Estrade Matthieu

Hi,

I have exactly the same problem. On each new document (not in temp file
of IE), my browser asks me to choose which client certificate I want to
use for the secured web site,
even if I have only one.
First, I thought it was because of the browser, so I looked into the IE
configuration, but I found nothing.
Then I looked at Apache in debug mode and I saw that the client seems
not to send the certificate again.

Maybe it's a problem of session handling. I played with the SessionCache
parameters and SessionCacheTimeout, but nothing more happened.
I will try to find more debug information.

Regards,

Estrade Matthieu


RE: Apache 2 and client authentication

on 14.05.2003 14:38:12 by ahmed.nauman

Hi all,

I had earlier mailed my problem, also related to client authentication:
I have set up Apache with mod ssl for mutual authentication, but the
client certificate does not seem to be transferred for authentication.
But surprisingly this is happening when I mention the CA of the client in
httpd.conf for the server with the "SSLCACertificateFile" directive. If I
don't mention this directive, it displays a message on the browser side
that the certificate is not from one of the trusted CAs. If we see the log
[please see the list archive for my previous message], either the server is
not loading the certificate of the client's CA properly or the client
certificate does not seem to be returned when the server asks for it.

Please advise.

Regards
Nauman


Re: Apache 2 and client authentication

on 14.05.2003 18:34:00 by Juan Angel Martin

Hi,

This is the part of the log obtained when I request one HTML page with two
frames. The browser asks me for the password 4 times.

[info] Connection to child 1 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start

[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 1 (xxx.xxx.xxx:4443)
[info] Connection to child 1 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 6 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start

[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 6 (xxx.xxx.xxx:4443)
[info] Connection to child 6 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 5 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start
[info] Connection to child 3 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start

[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)

[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)

[info] Initial (No.1) HTTPS request received for child 5 (xxx.xxx.xxx:4443)
[info] Initial (No.1) HTTPS request received for child 3 (xxx.xxx.xxx:4443)
[info] Connection to child 5 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 3 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)

You can see that there are 4 connections. But every connection is closed
with unclean shutdown, I don't know why.

Regards
Juanan
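
Added example, not part of the original posts: a Python script that tallies connections, handshakes and requests per connection from the mod_ssl log excerpt in the message above, to show that each of the four resources arrived on its own connection with its own handshake. The function names and summary fields are made up for this illustration; SAMPLE_LOG is the posted excerpt re-joined one entry per line, with the poster's xxx placeholders kept.

```python
import re

# Constructed from the excerpt posted above: same entries, one per line.
SAMPLE_LOG = """\
[info] Connection to child 1 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 1 (xxx.xxx.xxx:4443)
[info] Connection to child 1 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 6 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 6 (xxx.xxx.xxx:4443)
[info] Connection to child 6 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 5 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start
[info] Connection to child 3 established (xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Seeding PRNG with 512 bytes of entropy
[debug] ssl_engine_kernel.c(1757): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 5 (xxx.xxx.xxx:4443)
[info] Initial (No.1) HTTPS request received for child 3 (xxx.xxx.xxx:4443)
[info] Connection to child 5 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 3 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
"""

ESTABLISHED = re.compile(r"Connection to child (\d+) established")
REQUEST = re.compile(r"\(No\.(\d+)\) HTTPS request received for child (\d+)")
CLOSED = re.compile(r"Connection to child (\d+) closed with (\w+) shutdown")
HANDSHAKE = re.compile(r"OpenSSL: Handshake: (start|done)")


def parse_connections(log_text):
    """Return (connections, handshake_counts) for a mod_ssl log excerpt.

    A child number can be reused by a later connection, so every
    "established" line opens a fresh record for that child.
    """
    open_conns = {}          # child number -> record of the connection in progress
    finished = []
    handshakes = {"start": 0, "done": 0}
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            child = int(m.group(1))
            open_conns[child] = {"child": child, "requests": 0, "shutdown": None}
            continue
        m = REQUEST.search(line)
        if m:
            conn = open_conns.get(int(m.group(2)))
            if conn is not None:
                # The request counter in the log line is per connection.
                conn["requests"] = max(conn["requests"], int(m.group(1)))
            continue
        m = CLOSED.search(line)
        if m:
            conn = open_conns.pop(int(m.group(1)), None)
            if conn is not None:
                conn["shutdown"] = m.group(2)
                finished.append(conn)
            continue
        m = HANDSHAKE.search(line)
        if m:
            # Handshake lines carry no child number, so they are only counted.
            handshakes[m.group(1)] += 1
    finished.extend(open_conns.values())   # still open when the excerpt ends
    return finished, handshakes


def summarize(log_text):
    conns, handshakes = parse_connections(log_text)
    return {
        "connections": len(conns),
        "handshakes_done": handshakes["done"],
        "requests": sum(c["requests"] for c in conns),
        "max_requests_per_connection": max((c["requests"] for c in conns), default=0),
        "unclean_shutdowns": sum(c["shutdown"] == "unclean" for c in conns),
    }


def no_connection_reuse(summary):
    """True when several connections each served at most one request,
    i.e. every resource cost a new connection and a new handshake."""
    return (summary["connections"] > 1
            and summary["max_requests_per_connection"] <= 1
            and summary["handshakes_done"] >= summary["connections"])


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result)
    print("no connection reuse:", no_connection_reuse(result))
```

The excerpt does not show whether each handshake was a full one or resumed a cached session, so the script can only confirm the one-request-per-connection pattern, not its cause.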



RE: Apache 2 and client authentication

on 14.05.2003 21:06:05 by Estrade Matthieu

Hi,

I have exactly the same logs as yours.
But I think when you say it asks for the password, it's the passphrase of
the private key of the client certificate.
When I do my test, I use IE and it shows me the client
certificate list many times to make me choose one.

I am continuing to search...

Regards,

Estrade Matthieu
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Maybe it's a problem of session handling. i =
played with SessionCache
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>parameters and SessionCacheTimeout, but =
nothing more happened.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>I will try to find more debug =
information.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Regards, style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Estrade =
Matthieu
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Juan Angel Martin =
wrote:
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>=A0 =


type=3Dcite> style=3D'margin-left:35.4pt' wrap=3D""> New"> style=3D'font-size:10.0pt'>Hi all, style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>I have one Linux server with Apache 1.3.27 =
and it's configured for
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>client authentication in one =
port.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>When I connect with it at that port with IE =
6.0.or Netscape 7.0 or
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>4.78, the server asks me the container's =
password that keeps the
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>private key needed for authenticate me only =
one time.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>But I have another with Apache 2.0.45, =
configured as the other one
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>with 1.3.27; it has the same SSL virtual =
hosts configuration options.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>With this server, the server asks me the =
container's password that
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>keeps the private key needed for authenticate =
me for every frame o
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>picture that the page =
shows.
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>How can I get that the server with Apache =
2.0.45 only asks me for the
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>password one time like the other one with =
Apache 1.3.27?
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Thanks in =
advance
style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>Juanan style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>  style=3D'margin-left:35.4pt'> style=3D'font-size:10.0pt'>_________________________________ _____________=
________________________
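
Added example (not part of the original thread, and not mod_ssl code): a small Python script that tallies the mod_ssl log lines quoted in the message above, pairing each "HTTPS request received for child N" line with the matching "closed with ... shutdown" line so that connections which served a single request before an unclean close stand out. The sample input is constructed from the lines visible in the excerpt, and the function names are this example's own.

```python
import re

# Constructed sample: the log lines quoted in the thread, with the mail
# client's soft line breaks rejoined. Addresses stay masked as on the page.
SAMPLE_LOG = """\
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[debug] ssl_engine_kernel.c(1761): OpenSSL: Handshake: done
[info] Connection: Client IP: xxx.xxx.xxx.xxx, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[info] Initial (No.1) HTTPS request received for child 5 (xxx.xxx.xxx:4443)
[info] Initial (No.1) HTTPS request received for child 3 (xxx.xxx.xxx:4443)
[info] Connection to child 5 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
[info] Connection to child 3 closed with unclean shutdown(xxx.xxx.xxx:4443, client xxx.xxx.xxx.xxx)
"""

HANDSHAKE = re.compile(r"OpenSSL: Handshake: done")
REQUEST = re.compile(r"\(No\.(\d+)\) HTTPS request received for child (\d+)")
CLOSED = re.compile(r"Connection to child (\d+) closed with (\w+) shutdown")


def summarize(log_text):
    """Return the handshake count and one record per finished connection."""
    handshakes = 0
    active = {}    # child slot -> highest request number seen on the open connection
    finished = []  # (child, requests_served, shutdown_type), in close order
    for line in log_text.splitlines():
        if HANDSHAKE.search(line):
            handshakes += 1
        elif (m := REQUEST.search(line)):
            child, number = int(m.group(2)), int(m.group(1))
            active[child] = max(active.get(child, 0), number)
        elif (m := CLOSED.search(line)):
            child = int(m.group(1))
            # A child slot is reused by later connections, so close it out here.
            finished.append((child, active.pop(child, 0), m.group(2)))
    return handshakes, finished


def one_shot_unclean(finished):
    """Connections that carried at most one request and ended uncleanly."""
    return [rec for rec in finished if rec[1] <= 1 and rec[2] == "unclean"]


if __name__ == "__main__":
    count, done = summarize(SAMPLE_LOG)
    print(f"handshakes completed: {count}")
    for child, requests, how in done:
        print(f"child {child}: {requests} request(s), {how} shutdown")
    print(f"single-request unclean closes: {len(one_shot_unclean(done))}")
```

Run against the full error log of a single page load, the count of single-request unclean closes shows how many page elements were fetched over their own connection rather than over a reused one.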