----- "Alan Brown" <em745219@xxxxxxxxxxxxxxxx> wrote:
> Hi all,
>
> I am working in a test environment with Apache v2.2.14 on XP Pro SP3 and I
> have experienced difficulties setting up SSL Client Authentication.
>
> I have used the openssl command line tool to set up my private key, server
> certificate, and a certificate authority, and I have configured the
> httpd-ssl.conf file. All works as expected, except when I try to configure
> SSL Client Authentication. All browsers report an error and are unable to
> establish an SSL session, eg with Firefox :-
>
> Secure Connection Failed
>
> An error occurred during a connection to myhost_1.
>
> SSL peer was unable to negotiate an acceptable set of security parameters.
>
> (Error code: ssl_error_handshake_failure_alert)
>
> (myhost_1 is configured as 127.0.0.1 in hosts file)
>
> In the config which works I have :-
>
> <VirtualHost _default_:443>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
> SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
> #SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
> #SSLVerifyClient require
> #SSLVerifyDepth 10
> </VirtualHost>
>
> When I uncomment the lines to configure SSL Client Authentication then I get
> the above errors. The browser is supposed to request which client
> certificate the user wants to use, then I can select the one I created and
> signed with ca.crt, which I have set as a trusted CA in the browser.
>
> My Apache server has the following identifier (from HTTP Response header) :-
>
> Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
> mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4
> Perl/v5.10.1
>
> The openssl version I am using is also 0.9.8l (l for 'link').

No. OpenSSL 0.9.8l is a version regularly released: http://www.openssl.org/source/

> Here are the openssl commands I used :-
>
> openssl genrsa -out ca.key 1024
> openssl req -new -key ca.key -x509 -days 60 -out ca.crt
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -days 90 -out server.csr
> openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey ca\ca.key -out server.crt
> openssl genrsa -out client_a.key 1024
> openssl req -new -key client_a.key -days 90 -out client_a.csr
> openssl x509 -req -in client_a.csr -set_serial 451470 -CA ..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt
>
> I have carefully studied all documentation and I just wonder why this is not
> working - have I misunderstood something or is there possibly a bug?
>
> Thanks in advance for any advice.

Instead of involving a browser, which is a big, complex and opaque thing, can you please test with openssl s_client?

> Alan.

So long,
i
--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/