Hi all,

I'm trying to configure client authentication for one of my sites (SuSe 9.0, apache 2.0.48, openssl-0.9.7b-133 distribution's rpm). You will find below the steps I'm following. The problem I have is that, when I go to the page, it first asks me to accept the server's certificate, then asks me to select one of the client certificates imported in the browser, and then:
- on IE, it gives me the error "Cannot find server or DNS Error"
- on Firefox, it gives me a blank page

In the apache log file:

[Tue Jul 12 15:03:41 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 12 15:03:43 2005] [notice] child pid 9192 exit signal Segmentation fault (11)

If I remove "SSLVerifyCLient require" and authenticate only the server, I can see the right web page.

After several unsuccessful tests, I'm wondering whether I'm missing something. Here are the steps I follow:

1. Generate my own Certificate Authority:

openssl genrsa -out itcilo-ca.key 2048
openssl req -new -x509 -days 3650 -key itcilo-ca.key -out itcilo-ca.crt

2. Generate the server key and request for signing:

openssl genrsa -out tomcat-server.key 1024
openssl req -new -key tomcat-server.key -out tomcat-server.csr

3. Sign the certificate signing request with the self-created certificate authority:

openssl x509 -req -in tomcat-server.csr -out tomcat-server.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650

I had to create an itcilo-ca.srl file (echo "01" > itcilo-ca.srl)

4. Create a new private key and a certificate request for the user:

openssl genrsa -out lams.key 1024
openssl req -new -key lams.key -out lams.csr

5. Sign the certificate request, thereby creating the client certificate:

openssl x509 -req -in lams.csr -out lams.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650

6. Generate the PKCS#12 certificate:

openssl pkcs12 -export -in lams.crt -inkey lams.key -name "Lams Gael Cert" -out lams.p12

7. Import the certificate into the browser

And here is my virtual host configuration:

<VirtualHost *:443>
    ServerAdmin myemailaddress
    DocumentRoot /srv/www/vhosts/myfqdn
    ServerName myfqdn
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/tomcat-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/tomcat-server.key
    SSLCACertificateFile /etc/apache2/ssl.crt/itcilo-ca.crt
</VirtualHost>

<Directory /srv/www/vhosts/myfqdn>
    SSLRequireSSL
    SSLVerifyCLient require
    SSLVerifyDepth 1

    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Any help or pointer would be greatly appreciated.

Regards,

gaël
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [hidden email]
Automated List Manager                          [hidden email]
Looks to me that client authentication failed. And this is most likely due to client cert processing on the server side:

[notice] child pid 9192 exit signal Segmentation fault (11)

The above indicates that. Make sure client cert processing is done correctly on the server side. If it is a program failure, then you need to get the programmer to debug the program.

Regards,
Dr. Wu
> The above indicates that. Make sure client cert
> processing is done correctly on the server side. If it
> is a program failure, then you need to get the
> programmer to debug the program.

Thank you for your answer. I'm not sure what you mean by "program failure": the pages served by this virtual host are for the time being only static html pages. The only programs involved are apache, openssl and the browser.

I tried the following command found in the openssl faq:

openssl s_client -connect tomcat-ssl.itcilo.org:443 -state -debug

and it finished with the following error:

SSL_connect:SSLv3 write client key exchange A
write to 080B07A0 [080BFFC0] (6 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv3 write finished A
SSL_connect:error in SSLv3 write finished A

I've googled a little bit but didn't really find something that allowed me to solve my problem.

host:~/CA # openssl s_client -connect myhost:443 -showcerts -CAfile /root/CA/itcilo-ca.crt
CONNECTED(00000003)
depth=1 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=myhost/emailAddress=[hidden email]
verify return:1
17680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
17680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I also tried passing the client certificate and key to "openssl s_client", also with an error, as you can see below:

dolphin:~/CA # openssl s_client -cert lams.crt -key lams.key -CAfile itcilo-ca.crt -ssl3 -showcerts -connect myhost:443
CONNECTED(00000003)
depth=1 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=myhost/emailAddress=[hidden email]
verify return:1
17910:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

I tried with ssl2 with the same result. I'm searching but really don't understand the problem.

I also created all the certificates again, with the same result. Any help would be appreciated as I'm pretty baffled.

Regards,

Gaël
In reply to this post by Gaël Lams
Hi.

Have you imported the CA of the client cert on the server side? A verify depth of 1 has been set, which could mean that the client cert is self signed? Can you set it to some higher value and try?

Also can you check whether the option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT" is set?

It looks to me a definite server side issue.. Can you retry the same thing from Mozilla or something.

FYI: I implemented the exact same thing recently and didn't see such problems.. is your server mod_ssl?

Thanks
--Gayathri
> Hi.

Hi,

Thanks for the reply

> Have you imported the CA of the client cert on the server side?

Yes, it's the itcilo-ca.crt, I put it in ssl.crt (self-signed)

> A verify depth of 1 has been set, which could mean that the client
> cert is self signed? Can you set it to some higher value and try?

Yes, it's a self signed certificate, I tried with higher values (5) without any success

> Also can you check whether the option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"?

I searched for the string on my server but can not find it. In which file should I find it?

> Can you retry the same thing from Mozilla or something.

I tried with firefox with the same result

> is your server mod_ssl?

Yes, apache 2 on suse includes it by default.

I turned the loglevel to debug and attached the log file below, just in case. There are a lot of

Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL: Handshake: start
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: before/accept initialization
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_io.c(1518): OpenSSL: I/O error, 11 bytes expected to read on BIO#836ffc8 [mem: 8377648]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1830): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Wed Jul 13 11:48:34 2005] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 closed with abortive shutdown(server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 established (server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Seeding PRNG with 136 bytes of entropy

and then

[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL: Handshake: start
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: before/accept initialization
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL: read 11/11 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 80 67 01 03 00 00 4e 00-00 00 10                 .g....N....      |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL: read 94/94 bytes from BIO#8372060 [mem: 83776e3] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 01 00 80 03 00 80 07 00-c0 06 00 40 02 00 80 04  ...........@.... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0010: 00 80 00 00 39 00 00 38-00 00 35 00 00 33 00 00  ....9..8..5..3.. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0020: 32 00 00 04 00 00 05 00-00 2f 00 00 16 00 00 13  2......../...... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0030: 00 fe ff 00 00 0a 00 00-15 00 00 12 00 fe fe 00  ................ |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0040: 00 09 00 00 64 00 00 62-00 00 03 00 00 06 69 13  ....d..b......i. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0050: 73 ff 86 72 4e 7d 52 4a-fe 9a b9 38 b9 1e        s..rN}RJ...8..   |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 read client hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 write server hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 write certificate A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1185): handing out temporary 1024 bit DH key
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 write key exchange A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 write certificate request A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL: Loop: SSLv3 flush data
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL: read 5/5 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 16 03 00 04 16                                    .....            |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1485): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL: read 1046/1046 bytes from BIO#8372060 [mem: 83776dd] (BIO dump follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454): +-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 0b 00 03 06 00 03 03 00-03 00 30 82 02 fc 30 82  ..........0...0. |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0010: 01 e4 02 01 02 30 0d 06-09 2a 86 48 86 f7 0d 01  .....0...*.H.... |
[Wed Jul 13 11

Regards

Gaël
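The BIO dumps in the log above can be read by hand. The following is an added example, not code from the thread or from mod_ssl: three small POSIX sh decoders for the headers that open each dump, fed with the bytes copied from the log (embedded below as sample strings). Run over them, the 11-byte read at 11:48:42 turns out to be a 103-byte SSLv2-format CLIENT-HELLO asking for version 3.0 with 26 cipher specs (matching the 94-byte body read next), and the record at 11:48:47 is a 1046-byte handshake record that opens with a 774-byte Certificate message, which is the browser answering the server's CertificateRequest; the bytes left over in that record would hold the ClientKeyExchange and CertificateVerify that follow it in the protocol. Whatever goes wrong therefore happens after the client has presented its certificate.

```shell
#!/bin/sh
# Added example, not code from the thread: decode the leading bytes of the
# records in the mod_ssl BIO dumps above, so the debug log can be read without
# a packet capture. Input is the hex exactly as ssl_engine_io.c prints it
# (space separated, with a '-' after the eighth byte).
set -eu

# First bytes of the three dumps from the log, constructed here as samples.
V2_HELLO_HDR='80 67 01 03 00 00 4e 00-00 00 10'
RECORD_HDR='16 03 00 04 16'
HANDSHAKE_HDR='0b 00 03 06 00 03 03 00'

record_type_name() {
    case "$1" in
        14) echo change_cipher_spec ;;
        15) echo alert ;;
        16) echo handshake ;;
        17) echo application_data ;;
        *)  echo "unknown($1)" ;;
    esac
}

handshake_type_name() {
    case "$1" in
        01) echo ClientHello ;;        02) echo ServerHello ;;
        0b) echo Certificate ;;        0c) echo ServerKeyExchange ;;
        0d) echo CertificateRequest ;; 0e) echo ServerHelloDone ;;
        0f) echo CertificateVerify ;;  10) echo ClientKeyExchange ;;
        14) echo Finished ;;           *)  echo "unknown($1)" ;;
    esac
}

# SSLv2-compatible CLIENT-HELLO, as browsers of the time sent it even when
# asking for SSLv3: 2-byte length with the high bit set, message type 0x01,
# client version, then three 2-byte lengths (cipher specs, session id,
# challenge). Each cipher spec is 3 bytes long.
decode_v2_hello() {
    set -- $(printf '%s' "$1" | tr '-' ' ')
    [ $(( 0x$1 & 0x80 )) -ne 0 ] || { echo "not an SSLv2 2-byte header"; return 1; }
    [ "$3" = "01" ] || { echo "not a CLIENT-HELLO (msg type $3)"; return 1; }
    len=$(( (0x$1 & 0x7f) * 256 + 0x$2 ))
    specs=$(( 0x$6$7 )); sid=$(( 0x$8$9 )); chal=$(( 0x${10}${11} ))
    echo "SSLv2-format CLIENT-HELLO, $len bytes, client version $(( 0x$4 )).$(( 0x$5 )), $specs bytes of cipher specs ($(( specs / 3 )) ciphers), $sid-byte session id, $chal-byte challenge"
}

# SSLv3/TLS record header: content type, 2-byte version, 2-byte length.
decode_record() {
    set -- $(printf '%s' "$1" | tr '-' ' ')
    echo "$(record_type_name "$1") record, version $(( 0x$2 )).$(( 0x$3 )), $(( 0x$4$5 )) bytes"
}

# Handshake message header: type byte and 3-byte length. One record may carry
# several handshake messages back to back, so the record can be longer than
# the first message it contains.
decode_handshake() {
    set -- $(printf '%s' "$1" | tr '-' ' ')
    echo "$(handshake_type_name "$1") message, $(( 0x$2$3$4 )) bytes"
}

# Stand-alone run: sh decode-dump.sh run
if [ "${1:-}" = "run" ]; then
    decode_v2_hello "$V2_HELLO_HDR"
    decode_record "$RECORD_HDR"
    decode_handshake "$HANDSHAKE_HDR"
fi
```

The decoders only look at headers, so they work on the truncated dumps the list software kept; the hex can be pasted from any `(BIO dump follows)` block by taking the bytes after the offset column.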
In reply to this post by Gaël Lams
Hi again,

This is what I found in the "log" file you sent.. is this pointing to the same CA cert "itcilo-ca.crt, I put it in ssl.crt"?

debug] ssl_engine_init.c(1112): CA certificate: /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO CA/emailAddress=[hidden email]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_init.c(703): Configuring server certificate chain (1 CA certificate)

You will not find that option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT", that's an openssl macro.. I thought you had written your own server..

found this link
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
perhaps you're already aware of this.. but sorry, no idea about apache mod ssl :)

Thanks
Gayathri
In reply to this post by Gaël Lams
Hey, can you try setting verify depth to zero and not pointing to any CA cert, i.e. SSLCACertificatePath pointing to null?

Thanks
--Gayathri