problem with server type x509 certificates installed on client side

John Chmelicek


     For the last few years we successfully used both client and server type x509 certificates (specified purpose of 'SSL Server' or 'SSL Client') on our application client side to communicate with Apache web server versions 1.3.22 up to 1.3.33, until openssl_0.9.7g and mod_ssl-2.8.22-1.3.33.
The only change I had to make was to edit source file

and replace the line
  SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);
with
  SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);

just before the code for
     * Configure Client Authentication details

But since openssl_0.9.7h and mod_ssl-2.8.22-1.3.33 this change does not work anymore. The code for SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER) in file ssl_engine_init.c is not present, and adding the line
SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY) does not help.

I still need to verify the client certificate and retrieve the CN value from it, which means I have set the parameter
SSLVerifyClient require


This is the error message I see in error_log:
[error] mod_ssl: Certificate Verification: Error (26): unsupported certificate purpose
[error] mod_ssl: SSL handshake failed (server, client (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Please, any suggestions on how to solve this issue with the latest


and also with

Thanks a lot for any suggestions.

John Chmelicek
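The "Error (26): unsupported certificate purpose" above can be reproduced outside Apache, which makes it easier to see what is being rejected. The script below is an added example, not part of the original post or of mod_ssl: openssl(1) applies the same X509 purpose rules, so a certificate issued with only the 'SSL Server' extended key usage fails a `-purpose sslclient` check, while one issued with clientAuth passes. The defensive fix that follows from this is to issue the client-side certificates with the clientAuth EKU, rather than relaxing the server to X509_PURPOSE_ANY, which switches the purpose check off for every certificate the server accepts. The CA and the two leaf certificates are throw-away ones the script constructs itself; it assumes openssl 1.1.1 or later on the PATH, and the helper names (issue_cert, purpose_check) are the script's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce mod_ssl's
# "Error (26): unsupported certificate purpose" with openssl(1) alone.
# Assumes openssl 1.1.1+ on PATH. The CA and leaf certificates are
# throw-away ones constructed here.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed test CA; mod_ssl would load this via SSLCACertificateFile.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.pem -subj "/CN=Constructed Test CA" >/dev/null 2>&1

# issue_cert NAME EKU SERIAL: issue a leaf certificate signed by the test CA
# whose extendedKeyUsage is exactly EKU (serverAuth or clientAuth).
issue_cert() {
    name="$1"; eku="$2"; serial="$3"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' \
        "$eku" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
        -set_serial "$serial" -days 1 -extfile "$name.ext" \
        -out "$name.pem" >/dev/null 2>&1
}

# purpose_check CERT PURPOSE: run the chain-plus-purpose verification that
# SSLVerifyClient triggers (PURPOSE is sslclient or sslserver).
# Prints "ok" or "unsupported"; the latter is OpenSSL verify error 26.
purpose_check() {
    if openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo unsupported
    fi
}

issue_cert server serverAuth 1   # an 'SSL Server' certificate, as in the post
issue_cert client clientAuth 2   # what SSLVerifyClient require expects

echo "server cert as client: $(purpose_check server.pem sslclient)"  # unsupported
echo "client cert as client: $(purpose_check client.pem sslclient)"  # ok
echo "server cert as server: $(purpose_check server.pem sslserver)"  # ok

# The per-purpose table openssl derives from keyUsage/extendedKeyUsage;
# this is the same decision mod_ssl makes before the handshake continues.
openssl x509 -in server.pem -noout -purpose | grep -E 'SSL (client|server) :'
```

The `openssl x509 -noout -purpose` table is the quickest way to check an existing certificate before deploying it: a certificate that shows "SSL client : No" will be rejected by a server verifying with the client purpose regardless of which CA signed it.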


