Problem with SSLVerifyClient

on 29.06.2004 23:31:53 by fulvio_at

Dear Sirs,
I write to ask for a little help about a problem with Apache configuration.

My system is: Apache-AdvancedExtranetServer/2.0.48 (Mandrake Linux/6mdk) mod_ssl/2.0.48 OpenSSL/0.9.7c PHP/4.3.4

I want to read the client distinguished name in a PHP page (client using browser with pkcs12 certificate inside), so I added the following lines to /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf

SSLCertificateFile /etc/grid-security/tomcatcert.pem
SSLCertificateKeyFile /etc/grid-security/tomcatkey.pem.plain
SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
SSLVerifyClient require

When I try to contact the http server in https mode, the connection is refused and in ssl_error_log I see "[notice] child pid 11835 exit signal Segmentation fault (11)"

Could someone help me?

Thanks
Fulvio Lazzarato
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Problem with SSLVerifyClient

on 01.07.2004 12:14:48 by Matt Stevenson

--- Fulvio LAZ wrote:
>
>
> Dear Sirs
> I write to ask for a little help about a problem
> with Apache configuration.
>
> My system is: Apache-AdvancedExtranetServer/2.0.48
> (Mandrake Linux/6mdk) mod_ssl/2.0.48
> OpenSSL/0.9.7c PHP/4.3.4
>
> I want read client distinguished name into php page
> (client using browser with pkcs12
> certificate inside),
> so I add the following lines into
> /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf
>
> SSLCertificateFile /etc/grid-security/tomcatcert.pem
> SSLCertificateKeyFile /etc/grid-security/tomcatkey.pem.plain
> SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
> SSLVerifyClient require
>
>
> When I try to contact http server in https mode,
> connection is refuse and in
> ssl_error_log a see "[notice] child pid 11835 exit
> signal Segmentation fault (11)"
>
> Could someone help me?
>
> Thanks
> Fulvio Lazzarato
>

First of all, does it work if you comment the "SSLVerifyClient require"
directive out? Also, do you get a core file and can
you do a backtrace in gdb (with lib info)?

Regards
Matt




Re: Problem with SSLVerifyClient

on 01.07.2004 22:50:30 by fulvio_at

> First of all does it work if you comment the
> "SSLVerifyClient require"
> directive out. Also do you get a core file and can
> you do a backtrace in gdb (with lib info)?
>
> Regards
> Matt
>

Dear Matt, thanks for your reply

If I set "SSLVerifyClient optional" (or comment it out) Apache works but client CA aren't sent to my server (I need the client distinguished name)

If I set "LogLevel debug" and "SSLVerifyClient require" I can see in "error_log":

[info] Server built: Mar 16 2004 15:30:28
[debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
[notice] child pid 18934 exit signal Segmentation fault (11)

and in "ssl_error_log":

[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate A
[debug] ssl_engine_kernel.c(1170): handing out temporary 1024 bit DH key
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write key exchange A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
[debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
[debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
[debug] ssl_engine_io.c(1446): +------------------------------+
[debug] ssl_engine_io.c(1471): | 0000: 16 03 00 04 c9 |
[debug] ssl_engine_io.c(1477): +------------------------------+
[debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
..............
..............




Re: Problem with SSLVerifyClient

on 01.07.2004 22:56:46 by Joe Orton

On Thu, Jul 01, 2004 at 10:50:30PM +0200, Fulvio LAZ wrote:
> If I set "LogLevel debug" and "SSLVerifyClient require" I can see into "error_log":
>
> [info] Server built: Mar 16 2004 15:30:28
> [debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
> [notice] child pid 18934 exit signal Segmentation fault (11)

Is this with 2.0.49? There's a known segfault in the 2.0.49 mod_ssl -
upgrade to 2.0.50.

Regards,

joe

Re: Problem with SSLVerifyClient

on 02.07.2004 09:44:39 by fulvio_at

Does someone know where I can find apache2-mod_ssl 2.50?

Thanks
Fulvio





Re: Problem with SSLVerifyClient

on 02.07.2004 12:09:00 by Matt Stevenson

You don't need the hash link for the
SSLCACertificateFile, just put the real filename in.

Also, are you using a root and intermediate cert? Then
add "SSLVerifyDepth 2".

Upgrading may be a good idea but I have "Apache/2.0.48
(Unix) mod_ssl/2.0.48 OpenSSL/0.9.7c" running with
client cert auth. But then that's RH on i386 (custom
compile).

SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
SSLVerifyClient require


--- Fulvio LAZ wrote:
>
> > First of all does it work if you comment the
> > "SSLVerifyClient require"
> > directive out. Also do you get a core file and can
> > you do a backtrace in gdb (with lib info)?
> >
> > Regards
> > Matt
> >
> >
> Dear Matt, thanks for your reply
>
> If I set "SSLVerifyClient optional" (or comment it)
> apache work but client CA aren't send to my
> server (I need client distinguished name)
>
> If I set "LogLevel debug" and "SSLVerifyClient
> require" I can see into "error_log":
>
> [info] Server built: Mar 16 2004 15:30:28
> [debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
> [notice] child pid 18934 exit signal Segmentation fault (11)
>
> and into "ssl_error_log"
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 read client hello A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write server hello A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate A
> [debug] ssl_engine_kernel.c(1170): handing out temporary 1024 bit DH key
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write key exchange A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
> [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
> [debug] ssl_engine_io.c(1446): +------------------------------+
> [debug] ssl_engine_io.c(1471): | 0000: 16 03 00 04 c9 |
> [debug] ssl_engine_io.c(1477): +------------------------------+
> [debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
> .............
> .............
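
The client-certificate setup discussed in this thread, written out as one virtual host (an added example, not taken from any poster's configuration). The CA filename client-ca.pem and the PHP file pattern are placeholders; SSLOptions +StdEnvVars is a mod_ssl option the thread itself does not mention, included here because it is what exports the client DN to scripts.

```apache
# Added example. Server cert/key paths are the ones quoted in the thread;
# client-ca.pem is a placeholder for the real CA file name.
<VirtualHost _default_:443>
    SSLEngine on

    # Server identity presented to the browser
    SSLCertificateFile    /etc/grid-security/tomcatcert.pem
    SSLCertificateKeyFile /etc/grid-security/tomcatkey.pem.plain

    # PEM file holding the CA certificate(s) that issued the client
    # certificates. A plain file name is enough here; the <hash>.0 link
    # naming is only required for a directory given to SSLCACertificatePath.
    SSLCACertificateFile  /etc/grid-security/certificates/client-ca.pem

    # Reject the handshake unless the client presents a certificate
    # that chains to one of the CAs above.
    SSLVerifyClient require

    # Allow root + one intermediate CA above the client certificate.
    # With client certificates issued directly by the CA in the file,
    # the default depth of 1 is sufficient.
    SSLVerifyDepth  2

    # Export the SSL_* variables (including SSL_CLIENT_S_DN) to PHP.
    # Scoped to script files because building them has a per-request cost.
    <Files ~ "\.php$">
        SSLOptions +StdEnvVars
    </Files>
</VirtualHost>
```

With this in place the verified subject DN is available to a PHP page as $_SERVER['SSL_CLIENT_S_DN'], and SSL_CLIENT_VERIFY reports whether verification succeeded.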