Problems with Client authentication with smart card
on 27.05.2003 09:25:15 by Giovanni Cuccu
Hi all,
I'm trying to develop a client authentication web site with smart cards,
but I have some problems.
In order to understand client auth I created my own CA with server and
client certs. All works well, the site is visible only to clients with my
certs installed. When I use smart cards things are not the same.
I got an error regarding certificate B.
Here is my apache log (with no bio dump).
[Mon May 26 12:35:14 2003] [debug] ssl_engine_kernel.c(1757): OpenSSL:
Handshake: start
[Mon May 26 12:35:14 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: before/accept initialization
[Mon May 26 12:35:14 2003] [debug] ssl_engine_kernel.c(1794): OpenSSL:
Exit: error in SSLv3 read client certificate A
[Mon May 26 12:35:14 2003] [debug] ssl_engine_kernel.c(1794): OpenSSL:
Exit: error in SSLv3 read client certificate A
[Mon May 26 12:35:14 2003] [info] (70014)End of file found: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
[Mon May 26 12:35:14 2003] [info] Connection to child 3 closed with
abortive shutdown(server gio:443, client 127.0.0.1)
[Mon May 26 12:35:16 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 read client hello A
[Mon May 26 12:35:16 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 write server hello A
[Mon May 26 12:35:16 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 write certificate A
[Mon May 26 12:35:16 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 write certificate request A
[Mon May 26 12:35:16 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 flush data
[Mon May 26 12:35:17 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 5/5
bytes from BIO#5c27a8 [mem: 617568] (BIO dump follows)
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1198): Certificate
Verification: depth: 1, subject: /C=IT/O=InfoCamere SCpA/OU=Ente
Certificatore del Sistema Camerale/CN=InfoCamere Servizi di Certificazione,
issuer: /C=IT/O=InfoCamere SCpA/OU=Ente Certificatore del Sistema
Camerale/CN=InfoCamere Servizi di Certificazione
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1198): Certificate
Verification: depth: 0, subject: /C=IT/O=Non Dichiarato/OU=RA=AZIENDA OSPEDALIERA DI
PADOVA/CN=MASTROGIACOMO/STEFANO/2003149474A11/emailAddress=smastrogiacomo@dianoema.it/dnQualifier=2003149474A11/serialNumber=MSTSFN75C19A944V/SN=MASTROGIACOMO/GN=STEFANO,
issuer: /C=IT/O=InfoCamere SCpA/OU=Ente Certificatore del Sistema
Camerale/CN=InfoCamere Servizi di Certificazione
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 read client certificate A
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1765): OpenSSL:
Loop: SSLv3 read client key exchange A
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1775): OpenSSL:
Write: SSLv3 read certificate verify B
[Mon May 26 12:35:24 2003] [debug] ssl_engine_kernel.c(1789): OpenSSL:
Exit: failed in SSLv3 read certificate verify B
[Mon May 26 12:35:24 2003] [info] SSL library error 1 in handshake (server
gio:443, client 127.0.0.1)
[Mon May 26 12:35:24 2003] [info] SSL Library Error: 67567722
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[Mon May 26 12:35:24 2003] [info] SSL Library Error: 67530866
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[Mon May 26 12:35:24 2003] [info] SSL Library Error: 336101498
error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature
[Mon May 26 12:35:24 2003] [info] Connection to child 2 closed with
abortive shutdown(server gio:443, client 127.0.0.1)
I don't clearly understand the reason.
Is certificate B the CA one, which must be sent from the browser?
If the above is correct, is it possible that the browser tries to retrieve
the CA cert from the smart card and does not find it (I have the CA cert
installed in the browser's CA list)?
Can anyone help me or tell me where to find more documentation?
Thanks in advance,
Giovanni
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
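To show what the "block type is not 01" line in the log means, here is an added Python example (not code from the original post or from mod_ssl) that models the server-side check on the client's CertificateVerify: the signature is "public-decrypted" and must yield a PKCS#1 v1.5 block type 01 before the recovered hash is compared. The key is a constructed toy key built from two Mersenne primes, the hash value is a constructed stand-in, and the error strings are chosen to match the ones in the log.

```python
# Added example, not code from the original post: a toy model of what the
# server does with the client's CertificateVerify: "public-decrypt" the
# signature (s^e mod n), require a PKCS#1 v1.5 type 01 block 00 01 FF..FF 00 T,
# then compare T with its own handshake hash. Toy key from two Mersenne primes.
P = (1 << 127) - 1                      # 2^127 - 1 (prime), toy key only
Q = (1 << 107) - 1                      # 2^107 - 1 (prime), toy key only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # modulus length in bytes (30)

def pad_type1(t: bytes) -> bytes:
    """Signature padding (block type 01): 00 01 FF...FF 00 T, PS >= 8 bytes."""
    ps_len = K - 3 - len(t)
    if ps_len < 8:
        raise ValueError("payload too long for this modulus")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def pad_type2(t: bytes) -> bytes:
    """Encryption padding (block type 02): 00 02 <non-zero PS> 00 T."""
    ps = bytes(0x11 + i % 200 for i in range(K - 3 - len(t)))
    return b"\x00\x02" + ps + b"\x00" + t

def rsa_sign(em: bytes) -> bytes:       # raw RSA private op on a padded block
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")

def check_pkcs1_type1(sig: bytes):
    """Mirror of RSA public decrypt + RSA_padding_check_PKCS1_type_1.
    Returns (payload, None) on success, (None, reason) on failure."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if em[0] != 0x00:
        return None, "bad leading byte"
    if em[1] != 0x01:
        return None, "block type is not 01"   # the message in the log above
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return None, "missing null separator"
    if sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return None, "bad padding string"
    return em[sep + 1:], None

def verify_certificate_verify(sig: bytes, expected: bytes):
    """Padding must be type 01 AND the recovered T must equal the hash the
    server computed itself; the SSL layer reports either failure upward."""
    payload, err = check_pkcs1_type1(sig)
    if err:
        return False, err
    return (True, "ok") if payload == expected else (False, "bad rsa signature")

if __name__ == "__main__":
    digest = bytes(range(16))            # constructed stand-in for the handshake hash
    print(verify_certificate_verify(rsa_sign(pad_type1(digest)), digest))
    print(verify_certificate_verify(rsa_sign(pad_type2(digest)), digest))
```

A signature made with a key other than the one in the presented certificate, or with the wrong padding type, decrypts to a block that fails this check before the hash is ever compared, which is why the padding error appears beneath the "bad rsa signature" line.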