Apache w/ mod_ssl: Trouble authenticating Verisign Class 1 Individual Subscriber client certificates

Hi,

Situation:
We received 2 certificates from a client trying to communicate with our server:
1) the client certificate - Issued by VeriSign Class 1 individual Subscriber CA - G2
2) the VeriSign Class 1 CA Certificate - Issued by Class 1 Public Primary Certification Authority

I generated hashed symlinks for both these certificates in the folder specified by SSLCACertificatePath.
I restarted my Apache server and my server fails to authenticate my client.  

What bothers me is that I have never encountered this issue whenever I've had to import in Class 3 VeriSign client certificates into Apache.  Am I missing something in my Apache/mod_ssl configuration?

Below are the details of our server setup as well as the error_log file of what is failing in mod_ssl.
  
Machine Setup:
Apache/1.3.37 (Linux) mod_jk/1.2.20 mod_ssl/2.8.28 OpenSSL/0.9.8d

Our server performs client authentication with the following settings in our httpd.conf file:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+TLSv1:+SSLv2:+EXP:+eNULL

<Location />        
SSLOptions +StdEnvVars +ExportCertData        
SSLVerifyClient require        
SSLVerifyDepth 4
</Location>

SSLCACertificatePath -> path to a folder containing hashed symlinks of our client CA certs
SSLCARevocationPath -> path to a folder containing hashed symlinks of our client CA CRLs


Apache error_log:

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Thanks in advance for any help that can be provided.

Howard Wong
Intermediate Software Developer
The SPi Group Inc.
Enabling Energy Markets
howard.wong@xxxxxxxxxxxxxxx
Tel: 416.408.1395 ext. 264 Fax: 416.408.1396
154 University Avenue, Suite 300, Toronto, ON, Canada, M5H 3Y9
www.thespigroup.com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
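
Added example, not part of the original post: Error (20) is OpenSSL's "unable to get local issuer certificate", reported when an issuer in the chain cannot be found in the trusted store. The script below walks a certificate's issuer chain through a hashed directory like the one SSLCACertificatePath points at and names the first issuer that has no `<hash>.N` entry. The function name `walk_chain` and all paths are assumptions.

```shell
#!/bin/sh
# Added example (names and paths are hypothetical, not from the post).
# Walks CERT's issuer chain through CADIR, a directory of <subject-hash>.N
# files or symlinks, and reports the first issuer that is not present.

# walk_chain CADIR CERT [MAXDEPTH]
#   returns 0 when the chain ends at a self-signed cert found in CADIR,
#           1 when an issuer is missing, 2 on unreadable input,
#           3 when MAXDEPTH lookups were not enough.
walk_chain() {
    cadir=$1 cert=$2 max=${3:-4} depth=0   # 4 = SSLVerifyDepth in the post
    while [ "$depth" -lt "$max" ]; do
        want=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
        next=
        # Takes the first match; hash collisions (.1, .2) are not disambiguated.
        for cand in "$cadir/$want".[0-9]*; do
            if [ -f "$cand" ]; then next=$cand; break; fi
        done
        if [ -z "$next" ]; then
            echo "missing: no $want.N in $cadir; needed issuer of $cert:"
            openssl x509 -noout -issuer -in "$cert"
            return 1
        fi
        # A cert whose subject and issuer hashes match is self-issued: a root.
        if [ "$(openssl x509 -noout -subject_hash -in "$next")" = \
             "$(openssl x509 -noout -issuer_hash -in "$next")" ]; then
            echo "ok: chain ends at $next"
            return 0
        fi
        cert=$next
        depth=$((depth + 1))
    done
    echo "gave up after $max issuer lookups"
    return 3
}

# Stand-alone use: sh walk_chain.sh /path/to/ca-dir client-cert.pem
if [ "$#" -ge 2 ]; then
    walk_chain "$@"
fi
```

OpenSSL 1.0.0 changed the subject-hash algorithm, so run this with the same OpenSSL build that Apache is linked against.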


