Apache 2.0 + ssl + client cert + server cert


Apache 2.0 + ssl + client cert + server cert

Fco .J. Arias
Hello, I'm trying to use Apache with client auth, but I can't. The
problem is in the errors in the logs:

.
.
.
before other CA
A, B, C, D, E, F are strings
.
[Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
certificate: /C=A/ST=B/L=C/O=D/OU=Webserver
Team/CN=www.foo.com/emailAddress=[hidden email]
[Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
certificate: /C=A/ST=B/L=C/O=D/OU=Webserver
Team/CN=www.foo.com/emailAddress=[hidden email]
[Wed Jul 06 21:56:47 2005] [debug] ssl_engine_init.c(1095): CA
certificate: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F
CA/emailAddress=[hidden email]

.
.
.
[Wed Jul 06 21:57:34 2005] [debug] ssl_engine_kernel.c(1210):
Certificate Verification: depth: 0, subject:
/C=A/ST=B/L=C/O=None/OU=None/CN=Fran D, /emailAddress=[hidden email],
issuer: /C=A/ST=B/L=C/O=D/OU=Certificate Authority/CN=F
CA/emailAddress=[hidden email]
[Wed Jul 06 21:57:44 2005] [error] Certificate Verification: Error (20):
unable to get local issuer certificate
[Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1790): OpenSSL:
Write: SSLv3 read client certificate B
[Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Wed Jul 06 21:57:44 2005] [debug] ssl_engine_kernel.c(1809): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Wed Jul 06 21:57:44 2005] [info] SSL library error 1 in handshake
(server www.foo.com:8443, client 192.168.0.2)
[Wed Jul 06 21:57:44 2005] [info] SSL Library Error: 336105650
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
[Wed Jul 06 21:57:44 2005] [info] Connection to child 2 closed with
abortive shutdown(server www.foo.com:8443, client 192.168.0.2)


Does anyone know how to solve this problem?



Is it possible to get data from the certificates (like the CN of the client or server)
through the Apache C API?

Thanks, Fran.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Apache 2.0 + ssl + client cert + server cert

Joseph Oreste Bruni
Is your client sending only its certificate, or are you sending the entire certificate chain?
It looks like your server is unable to rebuild the cert. chain from the client to the root.



-----Original Message-----
From: "Fco .J. Arias" <[hidden email]>
Sent: Jul 6, 2005 2:47 PM
To: [hidden email]
Subject: Apache 2.0 + ssl + client cert + server cert

Re: Apache 2.0 + ssl + client cert + server cert

Fco .J. Arias
Hello, I already solved the problem. It seems that the debug message:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned

is false or incorrect; the correct debug message could be:

: sorry, I can't verify the client certificate, I do not know the CA.

Thanks a lot. Fran

On Wed, 2005-07-06 at 23:57, Joseph Bruni wrote:

> Is your client sending only its certificate, or are you sending the entire certificate chain?
> It looks like your server is unable to rebuild the cert. chain from the client to the root.
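The failure in this thread, "Certificate Verification: Error (20): unable to get local issuer certificate" at depth 0, means mod_ssl found no certificate in its trust store (what SSLCACertificateFile / SSLCACertificatePath load) that matches the issuer of the client certificate; the later "no certificate returned" line is only the consequence of the handshake being aborted. The following is an added example, not code from any of the posts and not Apache or OpenSSL code: it rebuilds the same check with Go's crypto/x509 on freshly minted test certificates so it runs offline. The names "F CA", "Fran D" and the subject fields come from the log; "Other CA" (the unrelated entries the poster mentions), the intermediate "F Sub CA" (Joseph's chain case) and a regenerated "F CA" with a new key are assumed scenarios.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a test certificate for cn. With parent == nil it is self-signed
// (a root CA when isCA is true); otherwise parent signs it with parentKey.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Country: []string{"A"}, Organization: []string{"D"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}

// VerifyClient is the check mod_ssl runs on a presented client certificate: leaf must chain
// to a CA in trusted (what SSLCACertificateFile/SSLCACertificatePath load); certificates the
// client sent along serve only as intermediates. The CN it returns is SSL_CLIENT_S_DN_CN.
func VerifyClient(leaf *x509.Certificate, sent, trusted []*x509.Certificate) (string, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// Scenarios replays the thread's failure and the fixes discussed in it; each value is the
// verified CN or the error, with Go's UnknownAuthorityError reported the way mod_ssl logged it.
func Scenarios() map[string]string {
	otherCA, _ := issue("Other CA", true, nil, nil)         // assumed: an unrelated CA in the store
	fooCA, fooKey := issue("F CA", true, nil, nil)          // the CA that issued Fran's certificate
	client, _ := issue("Fran D", false, fooCA, fooKey)
	subCA, subKey := issue("F Sub CA", true, fooCA, fooKey) // assumed intermediate (Joseph's case)
	client2, _ := issue("Fran D", false, subCA, subKey)
	fooCAv2, _ := issue("F CA", true, nil, nil)             // assumed: CA regenerated, same DN, new key
	show := func(leaf *x509.Certificate, sent, trusted []*x509.Certificate) string {
		cn, err := VerifyClient(leaf, sent, trusted)
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) { // Go's counterpart of OpenSSL error 20 at depth 0
			return "error 20: unable to get local issuer certificate"
		} else if err != nil {
			return err.Error()
		}
		return "CN=" + cn
	}
	ca := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	return map[string]string{
		"store holds only another CA":            show(client, nil, ca(otherCA)),
		"store holds F CA":                       show(client, nil, ca(fooCA)),
		"intermediate: client sends leaf only":   show(client2, nil, ca(fooCA)),
		"intermediate: client sends leaf+sub CA": show(client2, ca(subCA), ca(fooCA)),
		"store holds same-named regenerated CA":  show(client, nil, ca(fooCAv2)),
	}
}

func main() {
	for name, r := range Scenarios() {
		fmt.Printf("%-40s %s\n", name, r)
	}
}
```

Two things the scenarios show that the log alone does not. First, an issuer DN that matches is not enough: the store entry must carry the key that actually signed the client certificate, so a CA regenerated under the same name fails exactly like a missing one. Second, when an intermediate sits between the client and the root, either the client must send it in the handshake or it must be added to the server's store, and in Apache SSLVerifyDepth (default 1) must be raised to cover the longer chain. For the C API question: with SSLOptions +StdEnvVars the verified CN reaches a handler as the SSL_CLIENT_S_DN_CN variable, and mod_ssl also exports an optional function, ssl_var_lookup, through which a module can look up the same variable names directly.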