I am using mod_ssl_2.3.6_1.3.6.  I generated a client certificate and
converted to PKCS#12 format.  I loaded it into both IE5 and Netscape 4.5.
Under IE5 everything worked perfectly.  In Netscape I had to trust the
certificate first.  When I access a link on the secure server I first get
prompted for a certificate.  After a long delay I then get an error stating
"Netscape has encountered bad data from the server".  When I check the error
log I see an error stating SSL handshake timed out.  If I try the link
again, I get prompted for the certificate again and a user name and password
and then everything works for the rest of the session!!??

What have I done wrong to trip up Netscape?  Following is a list of how I
configured the certificates.

Thanks in advance,
Arend van der Veen

1.    Installed mod_ssl as instructed.
2.    Generated a CA certificate using CA.sh -newca without modifying
openssl.cnf.
3.    Extended the expiration date to 5 years
4.    Converted cacert.pem to der format and copied cacert.pem to
/usr/local/apache_1.3.6/config and cacert.der to apache root.
5.    Edited openssl.cnf and set nsCertType = server.  This was previously
commented out.
6.    Generated and signed Server Certificate.  Copied Server Certificate
and Key to /usr/local/apache_1.3.6/config.
7.    Edited openssl.cnf and set nsCertType = client, mail.  This was
previously commented out. Commented out nsCertType = server.
8.    Updated httpd.conf

SSLProtocol -all +SSLv3
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /usr/local/apache_1.3.6/conf/BassAleCert.pem
SSLCertificateKeyFile /usr/local/apache_1.3.6/conf/BassAleKey.pem
SSLCACertificateFile /usr/local/apache_1.3.6/conf/cacert.pem
SSLVerifyClient require
SSLVerifyDepth  1
<Directory /home/dpserver/securehome>
AuthType Basic
AuthName Test
AuthUserFile /home/dpserver/users/testusers
AuthGroupFile /home/dpserver/users/testgroups
<Limit GET POST>
require valid-user
</Limit>
</Directory>
<Location /servlet>
AuthType Basic
AuthName Test
AuthUserFile /home/dpserver/users/testusers
AuthGroupFile /home/dpserver/users/testgroups
<Limit GET POST>
require valid-user
</Limit>
</Location>

9.    Generated a client certificate and converted to PKCS#12 format

CA.sh -newreq
CA.sh -sign
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "Test User" \
-certfile demoCA/cacert.pem -out newcert.p12


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
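
Steps 5 and 7 above switch nsCertType between issuing the server and the client certificate. The script below is an added example, not part of the original post; its throwaway CA, subject names and file names are constructed. It shows how a current OpenSSL treats that extension when a certificate is validated for TLS client use.

```shell
#!/bin/sh
# Added example; the throwaway CA, subjects and file names are constructed.

# make_ca <dir>: self-signed test CA plus a minimal req config
make_ca() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\n' > "$1/cfg" &&
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/cfg" -extensions v3_ca \
        -subj "/CN=Constructed Test CA" -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue <dir> <name> <nsCertType>: sign a certificate carrying that nsCertType
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cfg" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    printf '[ext]\nnsCertType = %s\n' "$3" > "$1/$2.ext" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/$2.ext" -extensions ext \
        -out "$1/$2.pem" 2>/dev/null
}

# accepted_as_client <dir> <name>: chain check against the CA, limited to
# depth 1, with OpenSSL's purpose check for TLS client certificates
accepted_as_client() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient -verify_depth 1 \
        "$1/$2.pem" >/dev/null 2>&1
}

# cert_type <dir> <name>: print the decoded Netscape Cert Type value
cert_type() {
    openssl x509 -in "$1/$2.pem" -noout -text |
        grep -A1 'Netscape Cert Type' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

# Demo: "stale" is signed while nsCertType = server is still active,
# "user" after switching to the client setting (OpenSSL's keyword is "email").
d=$(mktemp -d) && make_ca "$d" &&
    issue "$d" stale "server" && issue "$d" user "client, email"
for n in stale user; do
    if accepted_as_client "$d" "$n"; then
        echo "$n ($(cert_type "$d" "$n")): accepted as client certificate"
    else
        echo "$n ($(cert_type "$d" "$n")): rejected as client certificate"
    fi
done
rm -rf "$d"
```

The same `openssl x509 -noout -text` call can be run on an existing newcert.pem to see which nsCertType it was actually signed with.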
