Not sure if this is the cause of your problem, but the phrase 'works until I add: SSLVerifyClient require' reminds me of a similar problem I encountered recently with SSL client certificates. The Apache documentation on SSL (or the Apache Cookbook) doesn't mention that a client certificate must contain a private key as well as the actual cert itself.

Thus a composite file in a standard format called PKCS#12 (.p12 file extension) is needed, which you can create with the OpenSSL command:

    openssl pkcs12 -export -out client_a.p12 -in client_a.crt -inkey client_a.key

where client_a.crt is the client cert and client_a.key is the private key file. This file can then be imported into a browser as a 'Personal Certificate'. Without the private key on the client side the SSL handshake will not work.

HTH.
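As an added example (not part of the thread), the following script builds a root -> intermediate -> client certificate chain with OpenSSL, checks the client cert the way a server does, and then bundles cert plus private key into the PKCS#12 file described above. It assumes openssl is on PATH; every name in it (Demo Root CA, client_a, the password demo-pass, the temp directory) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: build a root -> intermediate -> client
# chain, verify it the way a server with a full or partial CA bundle would,
# and export cert + key as PKCS#12 for a browser. All names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Private key and self-signed root CA certificate.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null
}

# Intermediate CA signed by the root (pathlen:0 = may only sign end entities).
make_intermediate_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile int.ext -out int.crt 2>/dev/null
}

# Client (user) certificate signed by the intermediate, marked for clientAuth.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client_a" \
    -keyout client_a.key -out client_a.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
  openssl x509 -req -in client_a.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out client_a.crt 2>/dev/null
  # What an SSLCACertificateFile bundle should hold: every issuer, root and intermediate.
  cat root.crt int.crt > ca-bundle.crt
}

# Verification as the server does it when its CA bundle holds the whole chain.
# With one intermediate in the path, mod_ssl needs SSLVerifyDepth 2 (depth counts issuers).
verify_with_bundle() {
  openssl verify -CAfile ca-bundle.crt client_a.crt >/dev/null
}

# Failure mode: the server knows only the root, nobody supplies the intermediate,
# so the client certificate cannot be verified. Returns 0 when verify fails as expected.
verify_root_only_fails() {
  ! openssl verify -CAfile root.crt client_a.crt >/dev/null 2>&1
}

# Browser import needs certificate AND private key: the PKCS#12 bundle.
# -certfile adds the issuing intermediate so the browser can send the full chain.
make_p12() {
  openssl pkcs12 -export -in client_a.crt -inkey client_a.key -certfile int.crt \
    -name client_a -passout pass:demo-pass -out client_a.p12
}

# Confirm the bundle really carries the private key, the part a bare .crt lacks.
p12_has_private_key() {
  openssl pkcs12 -in client_a.p12 -passin pass:demo-pass -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

make_root_ca && make_intermediate_ca && make_client_cert
verify_with_bundle && verify_root_only_fails && make_p12 && p12_has_private_key
echo "client_a.p12 and ca-bundle.crt are in $WORK"
```

The root-only verification step reproduces the server-side condition behind a rejected handshake: a client certificate whose issuer is not in the server's CA list cannot be verified no matter how the client is configured, so the CA bundle must contain every intermediate as well as the root, and SSLVerifyDepth must be large enough for the chain.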
----- Original Message -----
Sent: Tuesday, January 18, 2011 3:36 PM
Subject: Re: SSL library error 1 in handshake
Hello Martin, thanks for the reply. I have those directives already and it all works until I add:

    SSLVerifyClient require

I changed this directive to optional and it seems to work now, though I am not so confident in this configuration. I wonder if there is a way to pass the client cert through to the python proxy?

Thanks, G40
On Tue, Jan 18, 2011 at 9:30 AM, Martin Kuba <makub@xxxxxxxxxxx> wrote:

Hi G40,

"SSLVerifyClient require" requires that the client presents a certificate. You also have to configure the list of Certification Authorities that the server accepts, by one of the following directives:

    SSLCACertificatePath /etc/ssl/certs/
    SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

If the client certificate is not signed by a root CA but by some intermediate CA, which may in turn be signed by another intermediate CA, etc., you also need to set SSLVerifyDepth to the highest length of the certificate chain that the client may provide.

The "Allow" directives play no role in this, because the error you got happened during the SSL handshake, which takes place before the Allow directives are applied.

Martin
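An added example configuration, not Martin's or the thread's own, that puts the directives he names into one Apache 2.2 SSL virtual host and scopes the client-certificate requirement so that the localhost proxy's own requests are not challenged. The file paths, the /secure location and the use of mod_jk's SSL export are assumptions.

```apache
# Added example (not from the thread): mod_ssl client-certificate settings for
# an Apache 2.2 SSL vhost. File paths and the /secure path are assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

    # Every CA allowed to issue client certificates, root AND intermediates,
    # concatenated in one PEM file (SSLCACertificatePath with a hashed
    # directory is the alternative).
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca-bundle.crt

    # Depth counts issuers: client <- intermediate <- root needs 2.
    # A value that is too small rejects otherwise valid client certificates.
    SSLVerifyDepth        2

    # Host-wide "optional" lets a client with no certificate (the Python
    # proxy on 127.0.1.1) complete the handshake. "Allow from 127.0.0.1"
    # cannot do this, because access control runs only after the handshake.
    SSLVerifyClient       optional

    # Demand the card only where the application needs it. In 2.2 mod_ssl
    # renegotiates to request the certificate when a request hits this path.
    <Location /secure>
        SSLVerifyClient require
        # Export SSL_CLIENT_* variables so mod_jk (JkExtractSSL, on by
        # default) can forward the verified subject DN and certificate to Tomcat.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

Two caveats when using this shape. Paths outside the require block now accept unauthenticated clients, so anything sensitive there must either live under the require block or check SSL_CLIENT_VERIFY itself. And a Python proxy that calls into /secure will still be rejected, since it holds no private key to authenticate with; if the internal calls need a certificate-free path, a second listener bound to 127.0.0.1 without client verification is the cleaner separation.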
On 18.1.2011 16:16, g f wrote:
Hello all,

I have a Debian OS running Apache 2.2.16 (Debian) along with Tomcat 6.0.29. I use mod_jk as well as the mod_auth_kerb module for Apache. Apache and the modules are Debian repository packages.

I recently attempted to activate common access cards, and if I just activate them but do not force them it works great. Once I force access cards, I get the following error and my web-apps break.

Force access cards via:

    SSLVerifyClient require
    SSLVerifyDepth 2

Info level logging in error.log:

    [Tue Jan 18 14:47:07 2011] [info] [client 127.0.1.1] SSL library error 1 in handshake (server myserver.xxx.xxx.xxx:443)
    [Tue Jan 18 14:47:07 2011] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?

The web-app that throws this message uses a python proxy to make an ajax call to a different web context (we do this to avoid the cross site error). I believe what is happening is that the python script [client 127.0.1.1] is making the request to apache without valid client certs and hence is getting denied. I have a directive in the apache2_home/sites-enabled/default-ssl conf file that I had hoped would solve this issue (however it does not). Directive in the default-ssl conf file:

    Allow from localhost
    Allow from 127.0.1.1
    Allow from 127.0.0.1

Is there a solution to this issue? Perhaps a way to not require a client cert from localhost? Thanks for any advice, much appreciated!

Cheers, G40
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Martin Kuba
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
email: makub@xxxxxxxxxxx
http://www.ics.muni.cz/~makub/
mobil: +420-603-533775
--------------------------------------------------------------