Hello,

Thanks for the reply, but this is my config:

#SSLVerifyClient require
SSLVerifyDepth 10

so it is commented out and the default is SSLVerifyClient none. Also, I tried using SSLVerifyClient none but that didn't work either. Any other idea? Can this be related to machine configuration?

Thank you.
Deval

From: "Serge Dubrouski" <sergeyfd@xxxxxxxxx>
Reply-To: users@xxxxxxxxxxxxxxxx
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Apache gives SSL Library error complaining about common name - Help
Date: Mon, 22 Jan 2007 19:01:24 -0700

Ok. I believe that the problem is in the proxy. Client certificates AREN'T proxied. As far as I remember, you have your server configured with "SSLVerifyClient Required", that means that the client MUST provide a certificate to get access, but their proxy doesn't ask for it and doesn't present it to your server. So you have that error because there is no client certificate in the SSL handshake. One of the solutions is to configure their proxy to use a certificate to connect to your server (Apache mod_proxy can do that) but it breaks the whole idea of access control, because in this case all users of their proxy will be authenticated with one common cert.

Hope that was clear.

On 1/22/07, DEVAL SHAH <devals9@xxxxxxxxxxx> wrote:

Hello,

I have posted this question earlier but got no response. I am stating it again. Please help with some ideas.

I have a certificate installed for my domain from Thawte. Now if anyone tries to access the webpage using a browser it works perfectly. One of our clients has a proxy server. When they access our website using their proxy they cannot access it. They get 500 Internal Server Error. Our logs indicate the following error:

[debug] ssl_engine_kernel.c(1762): OpenSSL: Read: SSLv3 read client certificate A
[debug] ssl_engine_kernel.c(1781): OpenSSL: Exit: failed in SSLv3 read client certificate A
SSL library error 1 in handshake (server abc.com:443)
SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
Connection closed to child 1 with abortive shutdown (server abc.com:443)

Now according to them they are doing everything perfectly, as they can access another of our SSL servers perfectly well.

What am I missing - I am sure our SSL certificate is valid as the browser does not give any error. I am not using client certificate authentication as I have SSLVerifyClient none.

Any help is appreciated.

Thanks
Deval

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
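
Decoding the numeric error from the log quoted in the thread, as an added example that is not part of the original messages: it assumes the packed error layout used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason), and the function names `decode` and `parse_line` are hypothetical. In that layout an SSL reason of 1000+N recorded by SSL3_READ_BYTES is TLS alert N as received from the peer, so the script also reports which alert the log line carries.

```python
import re

# Assumption: legacy (pre-3.0) OpenSSL packing, lib << 24 | func << 12 | reason.
ERR_LIB_SSL = 20             # 0x14, printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alert number + 1000

# SSLv3/TLS alert descriptions related to certificates and handshakes.
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

LINE_RE = re.compile(
    r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):")

def decode(code):
    """Split a packed legacy OpenSSL error code into its fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": ALERTS.get(alert)}

def parse_line(line):
    """Decode an Apache mod_ssl 'SSL Library Error' line; None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    dec, hexcode = int(m.group(1)), int(m.group(2), 16)
    if dec != hexcode:  # the decimal and hex forms must be the same number
        raise ValueError("decimal and hex error codes disagree")
    info = decode(dec)
    info["lib_text"], info["func_text"] = m.group(3), m.group(4)
    return info

# Line copied from the log quoted in the thread above.
SAMPLE = ("SSL Library Error: 336151570 error:14094412:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert bad certificate")

if __name__ == "__main__":
    print(parse_line(SAMPLE))
```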