On Mon, 02 Nov 1998 03:30:06 GMT, you wrote:

>On Sun, 01 Nov 1998 01:39:13 +0100, you wrote:
>
>>
>>
>>Ralf S. Engelschall wrote:
>>
>>>
>>> > As a result I never succeeded in making an SSL connection using client
>>> > certificate with MSIE.
>>>
>>> Just to inform you that your request is not ignored: I've no clue what's going
>>> wrong with MSIE and I currently cannot test it myself (the MSIE installation
>>> on my NT box totally screwed up just before ApacheCon). When I find time I'll
>>> reinstall MSIE and try it out myself. In the meantime I hope someone other
>>> shares his experiences with MSIE and mod_ssl. Is there anything to say?  Has
>>> nobody success in using MSIE? Or only problems when client certs are used?
>>> Please share your experience.
>>>                                        Ralf S. Engelschall
>>>                                        [EMAIL PROTECTED]
>>>                                        www.engelschall.com
>>>
>>
>>As I mentioned some postings ago (concerning a mini CA with mod_ssl and PHP) I
>>succeeded in accessing my test site with MSIE 4.01 export edition and a test cert. I
>>made a pkcs12 cert for IE following closely the steps outlined in Stephen Henson's
>>FAQ:
>>
>>http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
>>
>>
>>Greetings
>>
>>Michael
>
>I too followed the excellent pkcs#12 FAQ by Stephen Henson.
>My results:
>
>- When accessing my Apache-modSSL web site requiring a valid and
>trusted client cert (SSLVerifyClient=2), I cannot select my
>certificate, instead it says:
>"An error occurred in the secure channel support".
>The Apache error_log says:
>[Mon Nov  2 02:05:06 1998] [error] mod_ssl: SSL_accept failed
>[Mon Nov  2 02:05:06 1998] [error] SSLeay: error:140890C4:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>I included the client cert's CA cert in the ca-bundle.pem file.
>
>- When accessing my Apache-modSSL web site requiring a valid client
>cert (SSLVerifyClient=3), I am not prompted to select a certificate,
>but a connection is made anyhow.
>The Apache ssl_misc_log says:
>[02/Nov/1998:02:25:50 +0100] Cipher: EXP-RC4-MD5
>i.e. no client certificate is used. (no errors)
>
>- When accessing Ralf Engelschall's HTTPS test-page, I am not
>prompted for a certificate and consequently do not see my certificate
>data shown in the CGI variables. I do of course get an HTTPS
>connection.
>
>- Using Netscape Communicator 4.04 I have no problems entering the
>https site, and I'm not allowed in when I don't select a certificate
>to authenticate myself.

Where this one came from I don't know; I think I used
SSLVerifyClient=3 then. I just tested it again and I couldn't get in.
I then tried setting SSLVerifyDepth=2 (see recent postings) and now it
works for both NS and MS. Depth must be 2, the default setting of 0
doesn't work for me. The CA is my own, and it is in the ca-bundle.pem
file. I guess the depth is calculated as follows:

CA cert                 -> 0
CA signs own key        -> 1
CA signs client cert    -> 2

This may somehow be logical, but SSLVerifyDepth=0 (default) is never
gonna work this way? ;-)
Hmm, at least my problem is solved now. Next is trying to build a mini
CA and implementing some kind of authorization scheme using
certificate lookups in an LDAP database like Netscape does.
The certificate delivers a DN, so with some mapping of components /
attributes I should be able to do a search on an LDAP db.
Has this been implemented by the way? Anyone?

>
>- In all cases I can send and receive signed and crypted email with
>the certificate, which has nsCertType=0xa0 (smime&client auth).
>
>I'll try some of our netscape certificate server certificates tomorrow
>at work. We used to have problems getting them into IE, but maybe with
>the ca-fix and pkcs12 progs ;-)
>Still hope it's one of those MS bugs. I really need to support both NS
>and MS clients.
>
>BTW: Just a small question:
>- How do I set the (IE4) 'Certificate Properties'->'Fine
>Print...'->'Policy Statement' in a certificate? It's not the same as
>the nsComment field, though it probably has the same meaning/use.

This one still stands though!

>
>Grtz, Joost.
>>
>>______________________________________________________________________
>>Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
>>Official Support Mailing List               [EMAIL PROTECTED]
>>Automated List Manager                       [EMAIL PROTECTED]
>>
>
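The DN-to-LDAP lookup Joost asks about above, as an added example that is not code from the thread or from mod_ssl: it parses the OpenSSL one-line subject DN that mod_ssl exposes (the "/C=NL/O=Example/CN=Joost" form), maps a hypothetical choice of components to LDAP attribute names, and builds the search filter with RFC 4515 escaping so that a certificate field chosen by a client cannot alter the filter's structure.

```python
import re
from typing import Dict, Iterable

# Hypothetical mapping from certificate DN components to LDAP attributes.
DN_TO_LDAP = {"C": "c", "O": "o", "OU": "ou", "CN": "cn",
              "EMAIL": "mail", "EMAILADDRESS": "mail"}

# One RDN in the one-line form: "/NAME=value". A value may itself contain "/"
# as long as that "/" is not followed by another "NAME=" (e.g. "/OU=R/D dept").
_RDN_RE = re.compile(
    r"/(?P<name>[A-Za-z][A-Za-z0-9.]*)="
    r"(?P<value>(?:[^/]|/(?![A-Za-z][A-Za-z0-9.]*=))*)"
)


def parse_ssl_dn(dn: str) -> Dict[str, str]:
    """Split a one-line DN into {ATTR: value}; the first occurrence of an attribute wins."""
    rdns: Dict[str, str] = {}
    for m in _RDN_RE.finditer(dn):
        rdns.setdefault(m.group("name").upper(), m.group("value"))
    return rdns


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so that
    '*', '(', ')', '\\' and NUL from the certificate cannot act as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def dn_to_ldap_filter(dn: str, attrs: Iterable[str] = ("CN", "O", "OU")) -> str:
    """Build an AND filter over the chosen DN components. Every chosen component
    must be present in the certificate, so a sparse DN cannot widen the match."""
    rdns = parse_ssl_dn(dn)
    parts = []
    for attr in attrs:
        if attr not in rdns:
            raise ValueError("certificate DN lacks required attribute %s" % attr)
        parts.append("(%s=%s)" % (DN_TO_LDAP[attr], ldap_escape(rdns[attr])))
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Constructed sample DNs: a normal one and one whose CN carries filter syntax.
    print(dn_to_ldap_filter("/C=NL/O=Example BV/OU=R&D/CN=Joost"))
    print(dn_to_ldap_filter("/C=NL/O=Example BV/OU=R&D/CN=*)(cn=admin"))
```

The resulting filter is what the server would send to the directory; the authorization decision then rests on the entry found (or not found) for that filter, never on the DN string alone.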
