Hi again,

This is what I found from the "log" file you sent. Is this pointing to the
same CA cert ("itcilo-ca.crt, I put it in ssl.crt")?

[debug] ssl_engine_init.c(1112): CA certificate:
/C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/[EMAIL PROTECTED]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_init.c(703): Configuring
server certificate chain (1 CA certificate)

You will not find that option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"; that's an
OpenSSL macro. I thought you had written your own server.

Found this link:
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
Perhaps you're already aware of this, but sorry, no idea about Apache mod_ssl :)

Thanks
Gayathri



> Hi.

Hi,

Thanks for the reply

> Have you imported the CA of the client cert on the server side?

Yes, it's the itcilo-ca.crt, I put it in ssl.crt (self-signed)

> A verify depth of 1 has been set, which could mean that the client
> cert is self signed? Can you set it to some higher value and try?

Yes, it's a self-signed certificate. I tried with a higher value (5)
without any success.

> Also can you check whether the option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"?

I searched for the string on my server but cannot find it. In which
should I find it?

> Can you retry the same thing from Mozilla or something.

I tried with Firefox with the same result.

> is your server mod_ssl?

Yes, Apache 2 on SUSE includes it by default.

I turned the loglevel to debug and attached the log file below, just in case

There are a lot of
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL:
Handshake: start
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: before/accept initialization
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_io.c(1518): OpenSSL: I/O
error, 11 bytes expected to read on BIO#836ffc8 [mem: 8377648]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1830): OpenSSL:
Exit: error in SSLv2/v3 read client hello A
[Wed Jul 13 11:48:34 2005] [info] (70014)End of file found: SSL
handshake interrupted by system [Hint: Stop button pressed in
browser?!]
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 closed with
abortive shutdown(server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 established
(server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Seeding PRNG with 136 bytes of entropy

and then
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL:
Handshake: start
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: before/accept initialization
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 11/11 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 80
67 01 03 00 00 4e 00-00 00 10                 .g....N....      |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 94/94 bytes from BIO#8372060 [mem: 83776e3] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 01
00 80 03 00 80 07 00-c0 06 00 40 02 00 80 04  ...........@.... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0010: 00
80 00 00 39 00 00 38-00 00 35 00 00 33 00 00  ....9..8..5..3.. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0020: 32
00 00 04 00 00 05 00-00 2f 00 00 16 00 00 13  2......../...... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0030: 00
fe ff 00 00 0a 00 00-15 00 00 12 00 fe fe 00  ................ |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0040: 00
09 00 00 64 00 00 62-00 00 03 00 00 06 69 13  ....d..b......i. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0050: 73
ff 86 72 4e 7d 52 4a-fe 9a b9 38 b9 1e        s..rN}RJ...8..   |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 read client hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write server hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write certificate A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1185): handing
out temporary 1024 bit DH key
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write key exchange A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write certificate request A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 flush data
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 5/5 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 16
03 00 04 16                                   .....            |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 1046/1046 bytes from BIO#8372060 [mem: 83776dd] (BIO dump
follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 0b
00 03 06 00 03 03 00-03 00 30 82 02 fc 30 82  ..........0...0. |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0010: 01
e4 02 01 02 30 0d 06-09 2a 86 48 86 f7 0d 01  .....0...*.H.... |
[Wed Jul 13 11

Regards

Gaël


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
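
As an added example (not part of either poster's message and not mod_ssl code), the Python below decodes the bytes visible in the BIO dumps of the log quoted above. The function names are hypothetical and the byte strings are copied from the dump lines; the result shows the client opened with an SSLv2-format ClientHello offering SSL 3.0 and then answered the server's certificate request with a Certificate message carrying a single certificate.

```python
import struct

# Bytes copied from the BIO dump lines in the log quoted above.
V2_HEADER = bytes.fromhex("80 67 01 03 00 00 4e 00 00 00 10")   # 11-byte read
V2_BODY = bytes.fromhex(                                         # 94-byte read
    "01 00 80 03 00 80 07 00 c0 06 00 40 02 00 80 04"
    "00 80 00 00 39 00 00 38 00 00 35 00 00 33 00 00"
    "32 00 00 04 00 00 05 00 00 2f 00 00 16 00 00 13"
    "00 fe ff 00 00 0a 00 00 15 00 00 12 00 fe fe 00"
    "00 09 00 00 64 00 00 62 00 00 03 00 00 06 69 13"
    "73 ff 86 72 4e 7d 52 4a fe 9a b9 38 b9 1e"
)
V3_RECORD_HEADER = bytes.fromhex("16 03 00 04 16")               # 5-byte read
V3_FRAGMENT = bytes.fromhex("0b 00 03 06 00 03 03 00 03 00 30 82 02 fc")

def parse_v2_client_hello(header, body):
    """Decode an SSLv2-format ClientHello (2-byte record header, high bit set)."""
    if not header[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    record_len = ((header[0] & 0x7F) << 8) | header[1]
    msg_type, major, minor, spec_len, sid_len, chal_len = struct.unpack(
        ">BBBHHH", header[2:11])
    if msg_type != 1:
        raise ValueError("not a ClientHello")
    if record_len != 9 + spec_len + sid_len + chal_len or len(body) != record_len - 9:
        raise ValueError("length fields disagree with bytes read")
    specs = [body[i:i + 3] for i in range(0, spec_len, 3)]
    return {
        "version": (major, minor),
        "v2_only_specs": sum(1 for s in specs if s[0] != 0),
        "v3_suites": [s[1] << 8 | s[2] for s in specs if s[0] == 0],
        "challenge_len": chal_len,
    }

def parse_client_certificate(record_header, fragment):
    """Decode an SSLv3 record header and the start of a Certificate message."""
    ctype, major, minor, rec_len = struct.unpack(">BBBH", record_header)
    if ctype != 22 or fragment[0] != 11:
        raise ValueError("not a handshake Certificate message")
    msg_len, chain_len, cert_len = (
        int.from_bytes(fragment[i:i + 3], "big") for i in (1, 4, 7))
    if fragment[10:12] != b"\x30\x82":  # DER SEQUENCE with a 2-byte length
        raise ValueError("unexpected DER prefix")
    der_len = 4 + int.from_bytes(fragment[12:14], "big")
    return {"version": (major, minor), "record_len": rec_len, "msg_len": msg_len,
            "chain_len": chain_len, "first_cert_len": cert_len,
            "der_len": der_len, "single_cert": chain_len == cert_len + 3}

if __name__ == "__main__":
    print(parse_v2_client_hello(V2_HEADER, V2_BODY))
    print(parse_client_certificate(V3_RECORD_HEADER, V3_FRAGMENT))
```

The decoded lengths agree with the log's own "read 94/94" and "read 1046/1046" lines, and the non-empty certificate chain means the server did receive a client certificate to verify.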
