mutual authentication problem

on 15.05.2003 22:05:13 by ahmed.nauman

Hi all,

I am sorry if you get this message twice. I am facing a strange problem with
implementation of client authentication. Please advise me.

I'm trying to establish mutual authentication on Apache web server. I did
this in httpd.conf file
SSLVerifyClient require

Then when I accessed the server from browser - it asked me for client
certificate - I select one from the list - it displayed the message that it
is going to access a protected item. I pressed OK - then it displayed error
message that certificate is not issued from trusted CA.

I added this directive

SSLCACertificateFile "path to CA file" // I got this from
freecerts.entrust.com

Now I save it, restart the server. And when I try to access it from browser
- it follows the same path but after pressing OK [see above] it does not
display error or actual page. It says the page can not be displayed. I have
seen server log - which shows the GET_CLIENT_CERTIFICATE: no certificate
returned

Why am I having this problem? I'm specifying client certificate. It happens
only when I specify SSLCACertificateFile directive. Please advise.
Here is log at server side

[12/May/2003 15:34:29 29091] [info] Connection to child 0 established (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190)
[12/May/2003 15:34:29 29091] [info] Seeding PRNG with 1160 bytes of entropy
[12/May/2003 15:34:29 29091] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[12/May/2003 15:34:29 29091] [error] SSL handshake failed (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190) (OpenSSL library error follows)
[12/May/2003 15:34:29 29091] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[12/May/2003 15:34:33 29091] [info] Connection to child 0 established (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190)
[12/May/2003 15:34:33 29091] [info] Seeding PRNG with 1160 bytes of entropy
[12/May/2003 15:34:33 29091] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[12/May/2003 15:34:33 29091] [error] SSL handshake failed (server cddfs1.nj.ssmb.com:8443, client 168.109.64.190) (OpenSSL library error follows)
[12/May/2003 15:34:33 29091] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Regards,
Nauman

-----Original Message-----
From: Geoff Thorpe [mailto:geoff@geoffthorpe.net]
Sent: Thursday, May 15, 2003 3:57 PM
To: Apache Users
Cc: ModSSL Users
Subject: [ANNOUNCE] distcache 0.4.1


Hi all,

Distcache version 0.4.1 has been released, and with it a patch/README for
Apache 2.0.45. The existing support for Apache 1.3 (mod_ssl version
2.8.14) remains.

If you want shared SSL/TLS session caching between servers, please give it
a try;

http://www.distcache.org/

Regards,
Geoff

--
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: mutual authentication problem

on 16.05.2003 09:41:43 by Juan Angel Martin

Hi Ahmed,

Are you sure that you have the CA certificate that has issued the cert
that you use to authenticate in your server in SSLCACertificateFile?

Cause the main error is:

[12/May/2003 15:34:29 29091] [error] Certificate Verification: Error (20): unable to get local issuer certificate

All the best
Juanan
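
The check suggested in this reply can be reproduced offline. The following is an added example, not part of the original thread: it builds two throwaway CAs and a client certificate, then runs the chain check against a CA file that contains the issuer and one that does not. It assumes the openssl command-line tool is installed; all names, subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce and diagnose mod_ssl "Error (20)" offline.
# All names, subjects and file paths below are constructed for this demo.

# make_ca DIR NAME: create a throwaway self-signed CA (NAME.key / NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Demo/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client DIR CA NAME: issue client cert NAME.pem signed by CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Constructed Demo/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$3.csr" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.pem" 2>/dev/null
}

# check_client CAFILE CLIENTCERT: chain check against the given CA file.
# Prints "ok", "error20" (issuer not in CAFILE) or "other"; returns 0 only on ok.
check_client() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    case "$out" in
        *"error 20 at"*) echo error20; return 1 ;;
        *": OK"*)        echo ok;      return 0 ;;
        *)               echo other;   return 1 ;;
    esac
}

# demo: client cert issued by "issuing-ca", checked against both CA files.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" issuing-ca && make_ca "$d" unrelated-ca &&
    issue_client "$d" issuing-ca client || { rm -rf "$d"; return 1; }
    echo "issuer : $(openssl x509 -noout -issuer -in "$d/client.pem")"
    echo "CA file with the issuer : $(check_client "$d/issuing-ca.pem" "$d/client.pem")"
    echo "CA file without it      : $(check_client "$d/unrelated-ca.pem" "$d/client.pem")"
    rm -rf "$d"
}
demo
```

On a real server, pass the file named in SSLCACertificateFile and the exported client certificate to check_client; the issuer line shows which CA certificate the file has to contain.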


