On October 12, 2012 10:41 , Tom Browder <tom.browder@xxxxxxxxx> wrote:
I have successfully generated SSL client certs (generated with openssl 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus IE 9 on Windows, but I cannot get successful access with either Safari or Firefox on Mac OS X.
I think it is strange that you are having problems with both Safari and Firefox under MacOS X, because Firefox does not use Apple's keychain, as far as I know -- it uses its own, independent keystore.
Is your client certificate directly signed by a root certificate, or are there one or more intermediate CAs involved? If there are intermediate CAs, make sure that the intermediate certs are also imported into Apple's Keychain (Safari) or Firefox's certificate/key database.
If you don't have anything better to try, see if you can reproduce the problem from a terminal window on MacOS X, using the copies of the certificate and private key that you previously imported into Apple Keychain:
openssl s_client -connect site.example.org:443 -verify 10 -cert /path/to/client/certificate.cert -key /path/to/client/key.key -CAfile /path/to/client/cert/CA-certificate.cert -showcerts -debug
If you get an "SSL-session:" block of output ending with the line "Verify return code: 0 (ok)", then issue an HTTP/1.1 request for a resource that *requires* a client certificate (see below for a warning about using "SSLVerifyClient optional"):
GET /path/to/client/cert/required/page.html HTTP/1.1
Host: site.example.com

Be sure to press Return twice after the Host header. You should get the protected page as output; if you don't, you might have reproduced the problem, and it's very likely that a clue is in openssl's output somewhere. Press Control-D to exit openssl.
The Apache (2.2.14, Ubuntu) site has this configuration, in server context, that gives the option to present a certificate:

SSLVerifyClient optional
I recommend changing this to "SSLVerifyClient required". I've had problems with Safari 6.x when "SSLVerifyClient optional" was set (although this worked just fine with Firefox 15 under MacOS X, so I don't think this is the only source of your problem with Safari client certificates).
Sorry I don't have any better advice.

-- Mark Montague mark@xxxxxxxxxxx
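The manual s_client check Mark describes above, turned into a small POSIX shell script so the two things a tester looks for (the "Verify return code: 0 (ok)" line and the protected page coming back) are checked mechanically rather than read off the screen. This is an added example, not code from the thread; host name, paths and the sample s_client output are constructed placeholders, and the HTTP request is sent with CRLF line endings and a trailing blank line, which is what "press Return twice after the Host header" achieves interactively.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): script the
# "openssl s_client" client-certificate check. Paths and host names
# are placeholders to be replaced with the real files.

# Succeed (exit 0) if s_client output on stdin reports a clean verify.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Print the numeric verify code found in s_client output on stdin,
# e.g. 21 ("unable to verify the first certificate"), which typically
# means an intermediate CA certificate is missing from the chain.
verify_code() {
    sed -n 's/.*Verify return code: \([0-9]*\) (.*/\1/p' | head -n 1
}

# Build the HTTP/1.1 request for a page that requires a client cert.
# The blank line after the headers ends the request, as HTTP expects.
build_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$2"
}

# Succeed if the response on stdin starts with an HTTP 200 status line.
response_ok() {
    grep -q '^HTTP/1\.[01] 200 '
}

# Full probe: connect with the client cert, check the chain verified,
# then check that the protected page was served.
# Usage: probe host /protected/page.html client.cert client.key CA.cert
probe() {
    host=$1; path=$2; cert=$3; key=$4; ca=$5
    # -ign_eof keeps s_client open after stdin ends so the response arrives
    # before the connection closes; "|| true" so a non-zero exit from
    # openssl is reported by the checks below instead of aborting under set -e.
    out=$(build_request "$path" "$host" |
          openssl s_client -connect "$host:443" -servername "$host" -verify 10 \
              -cert "$cert" -key "$key" -CAfile "$ca" -ign_eof 2>&1) || true
    printf '%s\n' "$out" | verify_ok || {
        echo "chain did not verify (code $(printf '%s\n' "$out" | verify_code))" >&2
        return 1
    }
    printf '%s\n' "$out" | response_ok || {
        echo "protected page not returned; look for the clue in s_client output" >&2
        return 2
    }
    echo "client certificate accepted and protected page served"
}

# Constructed s_client fragments (not real output) for an offline self-check.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1
    Verify return code: 0 (ok)
---
HTTP/1.1 200 OK
Content-Type: text/html'

SAMPLE_BAD='SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)
---
HTTP/1.1 403 Forbidden'
```

Run `probe site.example.com /path/to/client/cert/required/page.html client.cert client.key CA.cert` against the real server; a verify code other than 0 points at the chain (check that intermediates are present in the CA file and in the browser keystore), while a clean verify followed by a non-200 response points at the server side, such as the `SSLVerifyClient optional` setting discussed above.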