Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace, but my expertise in analyzing that is lacking.

-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:31 AM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Requesting help with Smart Card Client Certificate Authentication issue.

Ok quick update, I did that test and unfortunately no change in behavior. I can't access / now (as expected) but still no prompt for certificate.

Other systems that work continue to work. Firefox no issue, one windows 7 IE system, no issue.

I am installing wireshark now.

-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:28 AM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Requesting help with Smart Card Client Certificate Authentication issue.

So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual host directive?

e.g.

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@xxxxxxxxxxxx
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

SSLVerifyClient require
SSLVerifyDepth 10

<Location />
SSLOptions +StdEnvVars
</location>

-----Original Message-----
From: Eric Covener [mailto:covener@xxxxxxxxx]
Sent: Tuesday, October 27, 2009 10:26 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Requesting help with Smart Card Client Certificate Authentication issue.

On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software) <steve.berube@xxxxxx> wrote:
> My test originally was this
> <Location />
> SSLVerifyClient require
> SSLVerifyDepth 10
> SSLOptions +StdEnvVars
> </location>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.

Putting it in <Location /> is still the more complicated case of:

handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*

SSLVerifyClient is accepted in <VirtualHost> context, which should cause the initial handshake to ask for a client cert.

>
> -----Original Message-----
> From: Eric Covener [mailto:covener@xxxxxxxxx]
> Sent: Tuesday, October 27, 2009 10:17 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Requesting help with Smart Card Client Certificate Authentication issue.
>
> On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
> <steve.berube@xxxxxx> wrote:
>> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
>> SSLVerifyClient require
>> SSLVerifyDepth 10
>> SSLOptions +StdEnvVars
>> </Directory>
>
> Can you simplify your testing by setting this outside of per-directory
> config? Have you used wireshark to see if Apache is sending the
> proper list of trusted certificates that line up with whoever signed
> your certs in your HW device?
>
> Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
> or http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
> might help?
>
> --
> Eric Covener
> covener@xxxxxxxxx
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Eric Covener
covener@xxxxxxxxx
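
Added example, not part of the thread above and not code from any of its participants: a small checker for the question raised in the thread, namely whether the initial handshake advertises a client-certificate CA list and whether the smart card's issuer is on it. It reads the text printed by `openssl s_client -connect host:443`; the sample outputs and DNs are constructed, and the function names (advertised_cas, normalize, diagnose) are hypothetical.

```python
import re

# Constructed excerpts of `openssl s_client -connect host:443` output.
# Case A: SSLVerifyClient at <VirtualHost> level, CA list sent up front.
SAMPLE_VHOST = """\
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Smart Card Issuing CA
/C=US/O=Example Corp/CN=Example Root CA
---
SSL handshake has read 2345 bytes and written 456 bytes
"""
# Case B: SSLVerifyClient only inside <Location>/<Directory>.
SAMPLE_PER_DIR = """\
---
No client certificate CA names sent
---
SSL handshake has read 1789 bytes and written 456 bytes
"""

def advertised_cas(s_client_output):
    """Return the CA subject names listed by s_client (empty list if none)."""
    lines = [l.strip() for l in s_client_output.splitlines()]
    if "Acceptable client certificate CA names" not in lines:
        return []
    start = lines.index("Acceptable client certificate CA names") + 1
    names = []
    for line in lines[start:]:
        # Assumption: every DN line contains "=", section headers do not.
        if line.startswith("---") or "=" not in line:
            break
        names.append(line)
    return names

def normalize(dn):
    """Reduce '/C=US/O=X' and 'C = US, O = X' renderings to one tuple form.
    Simplification: RDN values containing '/' or ',' are not handled."""
    parts = [p.strip() for p in re.split(r"/|,", dn) if p.strip()]
    return tuple(re.sub(r"\s*=\s*", "=", p, count=1) for p in parts)

def diagnose(s_client_output, card_issuer_dn):
    cas = advertised_cas(s_client_output)
    if not cas:
        # Either no certificate request in the initial handshake, or an empty CA list.
        return "no-ca-names-in-initial-handshake"
    if normalize(card_issuer_dn) in {normalize(c) for c in cas}:
        return "issuer-advertised"
    return "issuer-not-advertised"
```

A result of "issuer-not-advertised" points at the trusted-CA configuration on the server (the SSLCACertificatePath / SSLCertificateChainFile links in the thread), while "no-ca-names-in-initial-handshake" is what the per-directory setup is expected to show before any renegotiation.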