problem with server type x509 certificates installed on client side
For the last few years we successfully used both client- and server-type x509 certificates (specified purpose of 'SSL Server' or 'SSL Client') on our application client side to communicate with Apache web server versions 1.3.22 up to 1.3.33, until openssl_0.9.7g and mod_ssl-2.8.22-1.3.33. The only change I had to make was to edit source file mod_ssl-2.8.22-1.3.33/pkg.sslmod/ssl_engine_init.c and replace the line

    SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);

with

    SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);

just before the code for /* * Configure Client Authentication details */
But since openssl_0.9.7h and mod_ssl-2.8.22-1.3.33 this change does not work anymore. The code for SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER) in file ssl_engine_init.c is not present and adding line SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY) does not help.
I still need to verify the client certificate and retrieve the CN value from it, which means I have set the parameter SSLVerifyClient require
This is the error message I see in error_log:

    [error] mod_ssl: Certificate Verification: Error (26): unsupported certificate purpose
    [error] mod_ssl: SSL handshake failed (server zcarh0uj.ca.nortel.com:443, client 184.108.40.206) (OpenSSL library error follows)
    [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Please, any suggestions on how to solve this issue with the latest apache_1.3.34, openssl-0.9.7i, mod_ssl-2.8.25-1.3.34?
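The "Error (26): unsupported certificate purpose" above is the verifier rejecting the peer certificate's extendedKeyUsage, not its signature or chain: a certificate issued for the 'SSL Server' purpose (EKU serverAuth only) fails when the server checks it for the 'SSL Client' purpose. The following is an added example, not code from the original post and not Apache, mod_ssl or OpenSSL code; it uses Go's standard crypto/x509 to reproduce the same purpose check so a practitioner can see which EKU combinations a client certificate needs before editing mod_ssl. The CA, the leaf certificates, the CN "app-client-01" and the helper names (`issue`, `VerifyAsClient`, `Diagnose`) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway self-signed CA and a leaf certificate that carries
// exactly the given extended key usages (constructed test data, not real PKI).
func issue(ekus []x509.ExtKeyUsage) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "app-client-01"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus, // nil means "no EKU extension at all"
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// VerifyAsClient applies the purpose check a server doing client-certificate
// verification applies: the chain must be valid for the clientAuth usage.
// On success it returns the leaf CN, which is what the application needs
// once the handshake no longer fails.
func VerifyAsClient(ca, leaf *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// Diagnose issues a leaf with the given EKUs and reports whether a server
// would accept it as a client certificate, plus the CN it would extract.
func Diagnose(ekus []x509.ExtKeyUsage) (accepted bool, cn string, err error) {
	ca, leaf, err := issue(ekus)
	if err != nil {
		return false, "", err
	}
	cn, err = VerifyAsClient(ca, leaf)
	if err != nil {
		return false, "", err
	}
	return true, cn, nil
}

func main() {
	cases := []struct {
		name string
		ekus []x509.ExtKeyUsage
	}{
		{"serverAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"clientAuth only", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"serverAuth + clientAuth", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}},
		{"no EKU extension", nil},
	}
	for _, c := range cases {
		ok, cn, err := Diagnose(c.ekus)
		fmt.Printf("%-24s accepted=%v cn=%q err=%v\n", c.name, ok, cn, err)
	}
}
```

Running it shows the serverAuth-only leaf rejected with an incompatible-key-usage error while the other three are accepted and yield the CN, which is the decision the post is really about: either reissue the client-side certificates with an EKU that includes clientAuth (or with both purposes, as the older deployment effectively relied on), or keep relaxing the purpose check on the server. To see the same purpose table OpenSSL itself computes for an existing certificate, `openssl x509 -noout -purpose -in cert.pem` lists the 'SSL client' and 'SSL server' verdicts.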