Xiaping Lin wrote:
> 
> Hi, all
> 
> I installed apache1.3.3 with mod_ssl_2.1.1 on my SUN sparc 10 machine. I created my
> own CA and signed my own server cert.
> To create a client certificate, I downloaded PKCS12 from Dr. Henson's FAQ page,
> patched CA certificate (with ca-fix) and compiled PKCS12.exe. Everything went well
> except I ran into an error with the SSL handshake when I tried to use the client cert to
> access the secure server (both client cert and server cert were created by the same
> self-created CA). In the error_log file, it lists:
> 
> SSL handshake failed (SSLeay error follows)
> SSLeay: error:140890B1:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certifgicate returned
> Certificate Verification:Error (20):unable to get local issuer certificate
> 
> Any hint what I have done wrong? I have re-done the links in the ssl.crt directory (set by
> SSLCACertificatePath) by make, and it still does not work, with the same errors.
> 

This looks like what I've run into. Complete understanding of the handshake
helps :). In my case, using mod_ssl 2.0.13, adding the root CA to ssl.crt and
updating the hash symlinks is not enough. Adding the issuing cert to the file
pointed to with SSLCACertificatePath solved the problem. On the client
verification request, the server sends out information regarding which
certificates are accepted for authentication.

I recall having read, in newer versions of mod_ssl there is a
SSLCAReqCertificate... set of directives to acquire this.

> Also, another question:
> I am trying to send certificates to remote clients for them to access our secure web
> site. They do not have existing certificates. Is it appropriate to set the
> SSLVerifyClient directive in the httpd.conf file to none for a short time, so remote
> clients can get their certs from the secure web site without a certificate
> initially? If doing so, will the information still be encrypted during transmission
> although the client does not have a cert himself?

One possibility would be to set up a virtual server on another port, with
SSLRequireSSL and SSLVerifyClient none, only to serve certificates to new
clients. Encryption will take place (unless this 'NULL-CIPHER' option is
enabled in SSLeay [I think], which is disabled by default).

> If yes, how does the encryption and decryption work? Can anyone point to any
> documentation regarding this? Or can I send the encrypted message (certificate)
> to a client who does not have a certificate himself?
> 

For an example, see
http://developer.netscape.com/docs/manuals/security/sslin/index.htm
