Hi all; I was able to resolve this. The issue apparently was in the CA store on the Apache server. I'm not sure if there was a corrupt entry in there, or a duplicate. But something was causing the issue. I created a fresh CA store with one cert, the one matching the root of the client cert, and all worked!

-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 7:27 AM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: Requesting help with Smart Card Client Certificate Authentication issue.

Hi there, thank you for the reply. Yes I have that in there. In fact Apache 2.2 ships with that by default. Here is mine directly from httpd-ssl.conf. I pasted a good portion of the file so you can see its context.

    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars +OptRenegotiate
    </Directory>

    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is send or allowed to received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is send and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    </VirtualHost>

-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@xxxxxxxxxxxxx]
Sent: Tuesday, October 27, 2009 1:44 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Requesting help with Smart Card Client Certificate Authentication issue.

Berube, Steve (HP Software) wrote:

> Now, here is where it gets interesting. What should happen is the client
> should prompt for a client certificate from the smart card reader and
> ask the user for their PIN.
>
> On Firefox 3.5.3 it prompts the user for their smartcard PIN as long as
> the Security Device for ActivClient is installed. Works great!
>
> IE 8.0 on Windows 7 didn't work; after rebuilding the system it works now.
>
> All the other systems (tested 10) running IE will not work.

This may be an SSL handshake issue. Do you have something like this in your SSL virtualhost:

    BrowserMatch ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

If not, try adding it.
It seems to me that something in this area was changed recently in Apache, because after upgrading from 2.2.9 to 2.2.13 I had to add a similar directive even for Firefox, which worked fine before.

--
Toomas Aas
... The truth is out there. Does anyone know the URL?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
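The fix at the top of this thread (rebuilding the CA store with a single root) suggests a check worth running before handing a PEM bundle to mod_ssl, presumably the file named by SSLCACertificateFile: find blocks that are not valid base64 or not a DER SEQUENCE, flag exact duplicates by fingerprint, and emit a cleaned copy. This is an added example, not code from the thread or the Apache project; the sample bundle is constructed and its "certificates" are placeholder bytes, not real X.509 objects.

```python
# Added example: audit a PEM CA bundle for corrupt or duplicate entries.
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def audit_ca_bundle(pem_text):
    """Return {'unique': [sha256...], 'duplicates': [(idx, first_idx)], 'corrupt': [idx]}."""
    seen, duplicates, corrupt = {}, [], []
    for idx, match in enumerate(PEM_BLOCK.finditer(pem_text), start=1):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            corrupt.append(idx)  # damaged base64 body
            continue
        # Every X.509 certificate is a DER SEQUENCE, so a sane block starts with 0x30.
        if not der or der[0] != 0x30:
            corrupt.append(idx)
            continue
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            duplicates.append((idx, seen[fingerprint]))
        else:
            seen[fingerprint] = idx
    return {"unique": list(seen), "duplicates": duplicates, "corrupt": corrupt}


def clean_bundle(pem_text):
    """Rebuild the bundle keeping only the first valid copy of each certificate."""
    report = audit_ca_bundle(pem_text)
    drop = set(report["corrupt"]) | {idx for idx, _ in report["duplicates"]}
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(pem_text)]
    return "".join(b + "\n" for i, b in enumerate(blocks, start=1) if i not in drop)


def to_pem(der):
    """Wrap bytes in a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: a root placeholder, an unrelated CA, the root again
# (duplicate), and a block whose base64 body was damaged.
ROOT = to_pem(b"\x30\x82\x02\x00" + b"constructed root CA placeholder")
OTHER = to_pem(b"\x30\x82\x02\x00" + b"constructed unrelated CA placeholder")
BROKEN = "-----BEGIN CERTIFICATE-----\nMIIC!!damaged\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = ROOT + OTHER + ROOT + BROKEN
```

Run it against the real bundle's text and keep only the entry whose fingerprint matches the root that issued the client certificates; on the sample it reports block 3 as a duplicate of block 1 and block 4 as corrupt.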