I am using mod_ssl_2.3.6_1.3.6. I generated a client certificate and
converted it to PKCS#12 format. I loaded it into both IE5 and Netscape 4.5.
Under IE5 everything worked perfectly. In Netscape I had to trust the
certificate first. When I access a link on the secure server I first get
prompted for a certificate. After a long delay I then get an error stating
"Netscape has encountered bad data from the server". When I check the error
log I see an error stating SSL handshake timed out. If I try the link
again, I get prompted for the certificate again and a user name and password
and then everything works for the rest of the session!!??

What have I done wrong to trip up Netscape? Following is a list of how I
configured the certificates.

Thanks in advance,
Arend van der Veen

1. Installed mod_ssl as instructed.
2. Generated a CA certificate using CA.sh -newca without modifying
openssl.cnf.
3. Extended the expiration date to 5 years.
4. Converted cacert.pem to der format and copied cacert.pem to
/usr/local/apache_1.3.6/config and cacert.der to apache root.
5. Edited openssl.cnf and set nsCertType = server. This was previously
commented out.
6. Generated and signed Server Certificate. Copied Server Certificate
and Key to /usr/local/apache_1.3.6/config.
7. Edited openssl.cnf and set nsCertType = client, mail. This was
previously commented out. Commented out nsCertType = server.
8. Updated httpd.conf:

    SSLProtocol -all +SSLv3
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /usr/local/apache_1.3.6/conf/BassAleCert.pem
    SSLCertificateKeyFile /usr/local/apache_1.3.6/conf/BassAleKey.pem
    SSLCACertificateFile /usr/local/apache_1.3.6/conf/cacert.pem
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Directory /home/dpserver/securehome>
        AuthType Basic
        AuthName Test
        AuthUserFile /home/dpserver/users/testusers
        AuthGroupFile /home/dpserver/users/testgroups
        <Limit GET POST>
            require valid-user
        </Limit>
    </Directory>
    <Location /servlet>
        AuthType Basic
        AuthName Test
        AuthUserFile /home/dpserver/users/testusers
        AuthGroupFile /home/dpserver/users/testgroups
        <Limit GET POST>
            require valid-user
        </Limit>
    </Location>

9. Generated a client certificate and converted it to PKCS#12 format:

    CA.sh -newreq
    CA.sh -sign
    openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "Test User" \
        -certfile demoCA/cacert.pem -out newcert.p12

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
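
A way to sanity-check the kind of artifacts steps 2 to 9 above produce, as an added example that is not part of the original post: it builds a throwaway CA and client certificate, then confirms the certificate chains directly to the CA, carries a client nsCertType, and is the certificate stored in the PKCS#12 bundle. It uses plain `openssl req`/`openssl x509` instead of CA.sh, and every file name, subject and password in it is constructed.

```shell
#!/bin/sh
# Added example; every name here (ext.cnf, ca.key, "Test CA", pass:test) is constructed.
# Usage: check_client_cert "<nsCertType value>"   e.g. "client, email" (OpenSSL keywords)
# Returns 0 if all checks pass, 2 on setup failure, 3/4/5 for the failing check.
check_client_cert() {
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
[usr_cert]
basicConstraints = CA:FALSE
nsCertType = $1
EOF
    # Throwaway CA, client key + request, signed certificate, PKCS#12 bundle.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
      -config ext.cnf -extensions v3_ca -keyout ca.key -out cacert.pem 2>/dev/null || exit 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test User" \
      -config ext.cnf -keyout newreq.key -out newreq.csr 2>/dev/null || exit 2
    openssl x509 -req -in newreq.csr -CA cacert.pem -CAkey ca.key -CAcreateserial \
      -days 2 -extfile ext.cnf -extensions usr_cert -out newcert.pem 2>/dev/null || exit 2
    openssl pkcs12 -export -in newcert.pem -inkey newreq.key -name "Test User" \
      -certfile cacert.pem -passout pass:test -out newcert.p12 2>/dev/null || exit 2
    # Check 1: the client certificate verifies against the CA file the server trusts
    # (issued directly by the CA, so it fits within SSLVerifyDepth 1).
    openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 || exit 3
    # Check 2: the nsCertType that was active in openssl.cnf at signing time
    # marks the certificate as an SSL client certificate.
    openssl x509 -in newcert.pem -noout -text | grep -A1 "Netscape Cert Type" \
      | grep -q "SSL Client" || exit 4
    # Check 3: the certificate inside the .p12 is the one that was just verified.
    want=$(openssl x509 -in newcert.pem -noout -fingerprint -sha256)
    got=$(openssl pkcs12 -in newcert.p12 -passin pass:test -clcerts -nokeys 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256)
    [ -n "$want" ] && [ "$want" = "$got" ] || exit 5
  ) && rc=0 || rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

The three checks (`openssl verify`, the `Netscape Cert Type` line in `openssl x509 -text`, and the fingerprint comparison) can be run unchanged against a real cacert.pem, newcert.pem and newcert.p12.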