Hey list,

I've been struggling with this error for weeks now, and still haven't even got close to a solution. I have the following setup.

Server:

Linux gdshu2.XXX 2.6.18-92.el5 #1 SMP Tue Apr 29 13:16:12 EDT 2008 i686 i686 i386 GNU/Linux

/usr/local/apache2/bin/httpd -v
Server version: Apache/2.0.63
Server built:   Feb 18 2009 12:21:06

Log level is set to debug.

Server cert:

openssl verify /usr/local/apache2/certs/server.crt
/usr/local/apache2/certs/server.crt: /C=HU/ST=Budapest/L=Budapest/O=XXX/OU=GPS UNIX/CN=gdshu2.XXX/emailAddress=XXX

(XXX is where I've applied some censorship :-)

Clients:
A: - desktop, firefox
B: - desktop, internet explorer
C: - an enterprise service bus

Client A complains about how the cert is not signed by a trusted CA. That's ok. I add an exception on the client. This is what I see in the apache error log:

[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL: Read: SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL: Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:18:50 2009] [info] SSL library error 1 in handshake (server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:18:50 2009] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Wed Feb 18 15:18:50 2009] [info] Connection to child 4 closed with abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

B complains about the same, halts the connection with a dialog box. (I think handshake goes well here.) Debug on server side is:

[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL: Loop: SSLv3 read finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL: Loop: SSLv3 write change cipher spec A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL: Loop: SSLv3 write finished A
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1739): OpenSSL: Loop: SSLv3 flush data
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1735): OpenSSL: Handshake: done
[Wed Feb 18 15:20:43 2009] [info] Connection: Client IP: 169.162.137.225, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_io.c(1708): OpenSSL: I/O error, 5 bytes expected to read on BIO#9c50768 [mem: 9c62398]
[Wed Feb 18 15:20:43 2009] [info] (70014)End of file found: SSL input filter read failed.
[Wed Feb 18 15:20:43 2009] [debug] ssl_engine_kernel.c(1749): OpenSSL: Write: SSL negotiation finished successfully
[Wed Feb 18 15:20:43 2009] [info] Connection to child 2 closed with standard shutdown(server gdshu2.XXX:443, client 169.XXX)

C fails miserably at handshake, and this is my problem. Debug log says:

[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1744): OpenSSL: Read: SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [debug] ssl_engine_kernel.c(1763): OpenSSL: Exit: failed in SSLv3 read client certificate A
[Wed Feb 18 15:03:36 2009] [info] SSL library error 1 in handshake (server gdshu2.XXX:443, client 169.XXX)
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
[Wed Feb 18 15:03:36 2009] [info] Connection to child 3 closed with abortive shutdown(server gdshu2.XXX:443, client 169.XXX)

Now, you would assume I have a different CN on the cert and ServerName in Apache. I don't! Besides checking the cert and the config files manually, Apache never complains about this at startup:

[Wed Feb 18 15:23:28 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(385): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(696): Configuring RSA server certificate
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_init.c(735): Configuring RSA server private key
[Wed Feb 18 15:23:28 2009] [info] Loading certificate & private key of SSL-aware server
[Wed Feb 18 15:23:28 2009] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Wed Feb 18 15:23:29 2009] [info] Configuring server for SSL protocol
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(385): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(696): Configuring RSA server certificate
[Wed Feb 18 15:23:29 2009] [debug] ssl_engine_init.c(735): Configuring RSA server private key

My question is: how is this error invoked when my server cert is valid?

[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?

Also, SSLVerifyCertificate is not enabled (it is not in any of the loaded config files, and client certificate verification is disabled by default, right?)

Thanks much & regards,
Andrew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
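A small decoder for the "SSL Library Error" lines quoted above, added here as an illustration and not part of Andrew's post or of mod_ssl. It unpacks the hex OpenSSL error code into library/function/reason and uses the fact that libssl records a TLS alert it received from the peer as reason 1000 + alert number, so 0x...418 is alert 48 (unknown_ca) and 0x...412 is alert 42 (bad_certificate): both are the client rejecting the server certificate, not a server-side check failing. The sample log lines are copied from the post; the field layout assumes pre-3.0 OpenSSL error packing.

```python
import re

# Constructed sample: the three "info" lines from the post, one per client.
SAMPLE_LOG = """\
[Wed Feb 18 15:18:50 2009] [info] SSL Library Error: 336151576 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Wed Feb 18 15:03:36 2009] [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
[Wed Feb 18 15:20:43 2009] [info] Connection: Client IP: 169.162.137.225, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
"""

# TLS AlertDescription values (RFC 5246, 7.2) a client sends when it rejects a server certificate.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}

ERR_LIB_SSL = 20              # OpenSSL library id of libssl (the 0x14 in 0x14094418)
SSL_AD_REASON_OFFSET = 1000   # libssl stores a *received* alert as reason 1000 + alert code

LINE_RE = re.compile(r"SSL Library Error: \d+ error:([0-9A-Fa-f]+):([^:]+):([^:]+):(.*)")


def decode_openssl_error(code):
    """Unpack ERR_PACK(lib, func, reason): 8 bits library, 12 bits function, 12 bits reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify_line(line):
    """Return who raised the error for one mod_ssl log line, or None if it is not an error line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lib, func, reason = decode_openssl_error(int(m.group(1), 16))
    text = m.group(4).strip()
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # An alert read by ssl3_read_bytes: the peer (here the client) aborted the handshake,
        # so the trust decision was made on the client side.
        alert = reason - SSL_AD_REASON_OFFSET
        name = TLS_ALERTS.get(alert, "unknown(%d)" % alert)
        return {"origin": "peer", "alert": alert, "alert_name": name, "text": text}
    return {"origin": "local", "reason": reason, "text": text}


def classify_log(text):
    """Classify every error line in a block of log text."""
    return [r for r in (classify_line(l) for l in text.splitlines()) if r]
```

Running `classify_log(SAMPLE_LOG)` labels both failures as peer-sent alerts, which is why the server's own startup checks and `openssl verify` pass while client C still refuses the certificate.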