Ok. I believe that the problem is in the proxy. Client certificates AREN'T proxied. As far as I remember, you have your server configured with "SSLVerifyClient Required", that means that the client MUST provide a certificate to get access, but their proxy doesn't ask for it and doesn't present it to your server. So you have that error because there is no client certificate in the SSL handshake.

One of the solutions is to configure their proxy to use a certificate to connect to your server (Apache mod_proxy can do that), but it breaks the whole idea of access control, because in this case all users of their proxy will be authenticated with one common cert.

Hope that was clear.

On 1/22/07, DEVAL SHAH <devals9@xxxxxxxxxxx> wrote:
Hello,

I have posted this question earlier but got no response. I am stating it again. Please help with some ideas.

I have a certificate installed for my domain from Thawte. Now if anyone tries to access the webpage using a browser it works perfect. One of our clients has a proxy server. When they access our website using their proxy they cannot access it. They get 500 Internal Server Error.

Our logs indicate the following error:

[debug] ssl_engine_kernel.c(1762): OpenSSL: Read: SSLv3 read client certificate A
[debug] ssl_engine_kernel.c(1781): OpenSSL: Exit: failed in SSLv3 read client certificate A
SSL library error 1 in handshake (server abc.com:443)
SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
Connection closed to child 1 with abortive shutdown (server abc.com:443)

Now according to them they are doing everything perfect as they can access another of our SSL servers perfectly well.

What am I missing - I am sure our SSL certificate is valid as browser does not give any error. I am not using Client certificate authentication as I have SSLVerifyClient none

Any help is appreciated.

Thanks
Deval

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
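Added example, not part of the original thread: a small decoder for the packed OpenSSL error number in the quoted mod_ssl log line, splitting it into library, function and reason and mapping the reason to a TLS alert number. It assumes the OpenSSL 0.9.x/1.0.x error layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reasons above 1000 are alerts received from the peer; the names `decode`, `CERT_ALERTS` and `SAMPLE` are chosen here for illustration.

```python
import re

# Assumption: OpenSSL 0.9.x/1.0.x packing, lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20             # 0x14, the "SSL routines" library
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for an alert sent by the peer

# Certificate-related alert numbers (SSLv3 / TLS alert protocol).
CERT_ALERTS = {
    40: "handshake_failure",
    41: "no_certificate",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Constructed sample: the error line as quoted in the thread above.
SAMPLE = ("SSL Library Error: 336151570 error:14094412:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert bad certificate")

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")


def decode(line):
    """Return lib/func/reason and, if present, the (number, name) of the peer's alert."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    if code != int(m.group(2), 16):
        raise ValueError("decimal and hex error codes disagree")
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason, "peer_alert": None}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        result["peer_alert"] = (number, CERT_ALERTS.get(number, "other"))
    return result


if __name__ == "__main__":
    print(decode(SAMPLE))
```

A non-empty `peer_alert` means the server read that alert off the wire from the connecting side, which is useful to record alongside the proxy's own logs when comparing the two ends of the handshake.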