RE: Does apache check client certificate even if SSLVerifyClient is none?

Deval,
   this Library error is not in regard to a client certificate. In fact,
if it were, the message would have said so. What you should note in this
error

>It works fine for few people. When a client sends a certificate it does
>not work. Our logs indicate this error:
>SSL Library Error: 336151570 error:14094412:SSL
>routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
>certificate not server name or identical to CA!?

is "server name". The error is trying to tell you that your server
certificate has a problem. The error probably gets logged whenever you
start up Apache. The CN on your server cert should match your ServerName
directive. The other part "or identical to CA" may be telling you that
it should not be a self-signed cert either. Not sure about that.

One thing is for sure, if SSLVerifyClient is commented out, the browser
is not sending a cert. This exchange is well-defined by the TLSv1 (SSLv3
de facto) standard handshake, not subject to change by some hokey
browser.

regards,
TT
 

-----Original Message-----
From: DEVAL SHAH [mailto:devals9@xxxxxxxxxxx] 
Sent: Tuesday, January 23, 2007 5:42 PM
To: users@xxxxxxxxxxxxxxxx
Subject:  Does apache check client certificate even if
SSLVerifyClient is none?

Hello,
I have a configuration in Apache file setup for SSL. I am not doing
client authentication as SSLVerifyClient is commented, i.e.
#SSLVerifyClient none

It works fine for few people. When a client sends a certificate it does
not work. Our logs indicate this error:
SSL Library Error: 336151570 error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in
certificate not server name or identical to CA!?

Any idea what I should do to resolve this?

Thank you in advance
Deval



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
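
The decimal number and the hex string in the logged error are the same packed OpenSSL error code. The following is an added example, not part of the original thread, that unpacks it; it assumes the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason) and the SSL library's convention that reason codes from 1000 up are 1000 plus the alert description, and all function and variable names are illustrative.

```python
import re

# Assumed layout (OpenSSL before 3.0, as in ERR_GET_LIB/FUNC/REASON):
# bits 31-24 library, bits 23-12 function, bits 11-0 reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL-library reason = 1000 + alert description

# Certificate-related alert descriptions from the SSLv3/TLS 1.0 specs.
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

# The error from the post, with the mail client's line wrap removed.
SAMPLE = ("SSL Library Error: 336151570 error:14094412:SSL "
          "routines:SSL3_READ_BYTES:sslv3 alert bad certificate")


def decode(code):
    """Split a packed error code into library, function and reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    # Only SSL-library reasons in 1000..1255 map back to an alert byte.
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        number = reason - SSL_AD_REASON_OFFSET
        alert = (number, ALERTS.get(number, "unlisted"))
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}


def decode_log_line(line):
    """Decode a mod_ssl 'SSL Library Error' line; None if it does not parse."""
    m = re.search(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):", line)
    if not m:
        return None
    code = int(m.group(1))
    # The decimal and hex renderings must be the same number.
    if code != int(m.group(2), 16):
        raise ValueError("decimal and hex error codes disagree")
    return decode(code)


if __name__ == "__main__":
    print(decode_log_line(SAMPLE))
```

For the logged code this gives library 20 (SSL), function 148, reason 1042, which is alert 42, bad_certificate, recorded while the server was reading records from the connecting peer.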