problem with server type x509 certificates installed on client side


John Chmelicek

Hello,

     For the last few years we successfully used both client and server type x509 certificates (with a specified purpose of 'SSL Server' or 'SSL Client') on our application client side to communicate with Apache web server versions 1.3.22 up to 1.3.33, until openssl_0.9.7g and mod_ssl-2.8.22-1.3.33.
The only change I had to make was to edit the source file
mod_ssl-2.8.22-1.3.33/pkg.sslmod/ssl_engine_init.c

and replace line
  SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);
with
  SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);

just before  code for
    /*
     * Configure Client Authentication details
     */


But since openssl_0.9.7h and mod_ssl-2.8.22-1.3.33 this change does not work anymore. The code for SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER) in the file ssl_engine_init.c is no longer present, and adding the line
SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY) does not help.

I still need to verify the client certificate and retrieve the CN value from it, which means I have to set the parameter
SSLVerifyClient require

This is the error message I see in error_log:
[error] mod_ssl: Certificate Verification: Error (26): unsupported certificate purpose
[error] mod_ssl: SSL handshake failed (server zcarh0uj.ca.nortel.com:443, client 47.129.93.32) (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Please, any suggestions on how to solve this issue with the latest
apache_1.3.34
openssl-0.9.7i
mod_ssl-2.8.25-1.3.34

and also with
apache_2.0.55
openssl-0.9.8a

Thanks a lot for any suggestions.

John Chmelicek
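
The error quoted in the post, "Certificate Verification: Error (26): unsupported certificate purpose", is OpenSSL's X509_V_ERR_INVALID_PURPOSE (error code 26). When a certificate carries an extendedKeyUsage extension, OpenSSL's "SSL client" purpose check rejects it unless that extension includes clientAuth (TLS Web Client Authentication), so a certificate issued only for serverAuth cannot pass a client-certificate verification no matter how the web server is configured. The script below is an added example, not code from the original post or from mod_ssl or OpenSSL; it reproduces that check with the openssl command line against throw-away certificates it generates itself (the CA name "Example Test CA", the leaf names server-only, client-only and dual, and the scratch directory are arbitrary choices made here), and shows that a certificate issued with a clientAuth or serverAuth,clientAuth extendedKeyUsage passes the same verification. It assumes only an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from mod_ssl/OpenSSL.
# Reproduces OpenSSL's "SSL client" purpose check (verify error 26,
# "unsupported certificate purpose") with throw-away certificates.
# Assumes only an `openssl` binary on PATH; every file is generated
# below in a scratch directory, so no real key material is involved.

WORK=$(mktemp -d)

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca: self-signed test CA with no extendedKeyUsage, so the CA itself
# passes both the sslclient and sslserver purpose checks.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_leaf NAME EKU: issue a leaf certificate whose extendedKeyUsage is
# EKU, e.g. serverAuth, clientAuth or serverAuth,clientAuth.
issue_leaf() {
  name=$1; eku=$2
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature,keyEncipherment\n' \
    "$eku" > "$WORK/$name.ext"
  openssl x509 -req -days 30 -sha256 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# client_purpose NAME: what `openssl x509 -purpose` says about the
# "SSL client" purpose ("Yes" or "No"), derived from the cert's extensions.
client_purpose() {
  openssl x509 -in "$WORK/$1.pem" -noout -purpose | sed -n 's/^SSL client : //p'
}

# verify_as NAME PURPOSE: run `openssl verify -purpose PURPOSE`, which applies
# the same X509_PURPOSE_* check a TLS peer applies. Prints "ok" or the verify
# error text and returns 0 or 1 accordingly. Old OpenSSL releases print "OK"
# even after an error line, so the error text is matched first.
verify_as() {
  out=$(openssl verify -purpose "$2" -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1 || true)
  case $out in
    *"unsupported certificate purpose"*) echo "unsupported certificate purpose"; return 1 ;;
    *": OK"*) echo ok; return 0 ;;
    *) echo "$out"; return 1 ;;
  esac
}

# demo: a server-only cert fails as a client cert but passes as a server
# cert; certs carrying clientAuth pass as client certs.
demo() {
  make_ca
  issue_leaf server-only serverAuth
  issue_leaf client-only clientAuth
  issue_leaf dual serverAuth,clientAuth
  for n in server-only client-only dual; do
    printf '%-12s SSL client purpose: %-3s  verify -purpose sslclient: ' \
      "$n" "$(client_purpose "$n")"
    verify_as "$n" sslclient || true
  done
  printf '%-12s verify -purpose sslserver: ' server-only
  verify_as server-only sslserver || true
}

if [ "${1:-}" = demo ]; then demo; fi
```

Saved as, say, purpose-check.sh (a name chosen here) and run as `sh purpose-check.sh demo`, it prints the three certificates side by side. On a real deployment the two commands worth keeping are `openssl x509 -in client.pem -noout -purpose`, which shows which purposes OpenSSL derives from a certificate's extensions, and `openssl verify -purpose sslclient -CAfile ca.pem client.pem`, which reproduces the server-side check offline without touching the web server.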