I am having a problem with client authentication, getting client certificates to work.

I have installed the client certificate in Internet Explorer; this also installs the server certificate as a 'trusted root certificate'.

When I access the basic https area of the website, all works correctly. When I attempt to go into the area where SSLVerifyClient is required, the certificate is prompted for. But when one is chosen, I get a "The page cannot be displayed" error.

The error in the ssl_error_log is: [Fri Jan 09 11:37:48 2004] [error] Re-negotiation handshake failed: Not accepted by client!?

If the certificates are viewed, IE says that they are valid, etc.

I was after references to good HowTos or any views on whether this is an IE, modssl, Apache or just a certificates problem.

Thanks in advance

Our server is

Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6mdk) mod_perl/1.99_09 Perl/v5.8.1 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2!

And clients are Internet Explorer IE6 and Opera 7.2

*****

SETUP CERTIFICATES AS FOLLOWS in directory /home/test/CA/:

*****

CERTIFICATION AUTHORITY

Generate New Certification Authority

    perl CA.pl -newca    # when prompted I set the CN name to the server's IP address

SERVER CERTIFICATE

Generate new certificate request for SERVER (newreq.pem)

    perl CA.pl -newreq    # when prompted I set the CN name to the server's IP address

Sign it (generates newcert.pem)

    perl CA.pl -sign

Get Key from it

    openssl rsa < newreq.pem > newkey.pem

CLIENT CERTIFICATE

Generate Unencrypted Key for CLIENT

    openssl genrsa -out client_unsecure.key 1024

Generate new certificate request for CLIENT

    # when prompted I set the CN name to the client IP address
    openssl req -new -key client_unsecure.key -out client_unsecure.csr

Sign it

    openssl ca -config /<somepath>/openssl.cnf -policy policy_anything -out client_unsecure.crt -infiles client_unsecure.csr

Create format for Internet Explorer

    openssl pkcs12 -export -in client_unsecure.crt -inkey client_unsecure.key -name "Client Cert" -certfile ./demoCA/cacert.pem -out clientcert.p12


41_MOD_SSL.DEFAULT-VHOST.CONF SETTINGS AS FOLLOWS:

    DocumentRoot "/var/www/html/secure"
    ErrorLog logs/ssl_error_log
    <IfModule mod_log_config.c>
    TransferLog logs/ssl_access_log
    </IfModule>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM

    #   Server Certificate:
    SSLCertificateFile /home/test/CA/newcert.pem

    #   Server Private Key:
    SSLCertificateKeyFile /home/test/CA/newkey.pem

    #   Server Certificate Chain:

    #   Certificate Authority (CA):
    SSLCACertificateFile /home/test/CA/demoCA/cacert.pem

    #   Certificate Revocation Lists (CRL):

    #   Client Authentication (Type):
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    <Location /audit>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
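Offline checks that help separate a certificate problem from a browser or mod_ssl one for a setup like the one posted above. This is an added example, not part of the original post; the function names `check_client_cert` and `make_fixture` and the throwaway test CA are constructed for illustration, and the key is assumed to be RSA as in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Usage with the post's file names:
#   check_client_cert demoCA/cacert.pem client_unsecure.crt client_unsecure.key

check_client_cert() {
    ca=$1; crt=$2; key=$3; rc=0

    # 1. The client cert must chain to the CA file that the server's
    #    SSLCACertificateFile directive points at.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; rc=1
    fi

    # 2. The cert's issuer must be the CA's subject (catches signing with a
    #    different CA directory than the one the server trusts).
    if [ "$(openssl x509 -noout -issuer_hash -in "$crt")" != \
         "$(openssl x509 -noout -subject_hash -in "$ca")" ]; then
        echo "FAIL: issuer of $crt is not the subject of $ca"; rc=1
    fi

    # 3. The private key that goes into the PKCS#12 bundle must match the cert.
    if [ "$(openssl x509 -noout -modulus -in "$crt")" != \
         "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ]; then
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: chain, issuer and key all match"
    return "$rc"
}

# Constructed fixture: throwaway CA "$2" plus one client cert, written to dir $1.
# 2048-bit keys are an assumption here so that current OpenSSL builds accept them.
make_fixture() {
    d=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name CA" \
        -keyout "$d/$name-ca.key" -out "$d/$name-ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name client" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -days 1 -CAcreateserial \
        -CA "$d/$name-ca.pem" -CAkey "$d/$name-ca.key" \
        -out "$d/$name.crt" 2>/dev/null
}
```

If all three checks pass, the certificate files themselves are consistent and the remaining suspects are the handshake and the client.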

 

 
