This is a workaround, not a solution.... We are still getting double
prompted when there are .gifs or .jpgs on the page with the HTML....
-H
~
Howard Uman - [EMAIL PROTECTED]
Netegrity, Inc., 245 Winter St., Waltham, MA 02451
TEL: (781) 890-1700 x225 FAX: (781) 487-7791
LET'S GO CAPS!
> -----Original Message-----
> From: Arend van der Veen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 29, 1999 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Help - were should I turn - Netscape and Client Certificates
>
>
> I have found a solution to this problem.
>
> This seems to almost work. I removed certificate database password
> protection in Netscape and then added SSLOptions +OptRenegotiate to
> httpd.conf. Now I only get a certificate request when I first enter the
> site. However, it still asks me for a password even though the client has
> already entered one for the domain.
>
> Arend van der Veen
>
> -----Original Message-----
> From: Arend van der Veen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Thursday, July 29, 1999 7:57 AM
> Subject: Help - were should I turn - Netscape and Client Certificates
>
>
> >I am using mod_ssl_2.3.6_1.3.6. I generated a client certificate and
> >converted to PKCS#12 format. I loaded it into both IE5 and Netscape 4.5.
> >Under IE5 everything worked perfectly. In Netscape I had to trust the
> >certificate first. When I access a link on the secure server I first get
> >prompted for a certificate. After a long delay I then get an error stating
> >"Netscape has encountered bad data from the server". When I check the error
> >log I see an error stating SSL handshake timed out. If I try the link
> >again, I get prompted for the certificate again and a user name and password
> >and then everything works for the rest of the session!!??
> >
> >What have I done wrong to trip up Netscape? Following is a list of how I
> >configured the certificates.
> >
> >Thanks in advance,
> >Arend van der Veen
> >
> >1. Installed mod_ssl as instructed.
> >2. Generated a CA certificate using CA.sh -newca without modifying
> >openssl.cnf.
> >3. Extended the expiration date to 5 years
> >4. Converted cacert.pem to der format and copied cacert.pem to
> >/usr/local/apache_1.3.6/config and cacert.der to apache root.
> >5. Edited openssl.cnf and set nsCertType = server. This was previously
> >commented out.
> >6. Generated and signed Server Certificate. Copied Server Certificate
> >and Key to /usr/local/apache_1.3.6/config.
> >7. Edited openssl.cnf and set nsCertType = client, mail. This was
> >previously commented out. Commented out nsCertType = server.
> >8. Updated httpd.conf
> >
> >SSLProtocol -all +SSLv3
> >SSLCipherSuite HIGH:MEDIUM
> >SSLCertificateFile /usr/local/apache_1.3.6/conf/BassAleCert.pem
> >SSLCertificateKeyFile /usr/local/apache_1.3.6/conf/BassAleKey.pem
> >SSLCACertificateFile /usr/local/apache_1.3.6/conf/cacert.pem
> >SSLVerifyClient require
> >SSLVerifyDepth 1
> ><Directory /home/dpserver/securehome>
> >AuthType Basic
> >AuthName Test
> >AuthUserFile /home/dpserver/users/testusers
> >AuthGroupFile /home/dpserver/users/testgroups
> ><Limit GET POST>
> >require valid-user
> ></Limit>
> ></Directory>
> ><Location /servlet>
> >AuthType Basic
> >AuthName Test
> >AuthUserFile /home/dpserver/users/testusers
> >AuthGroupFile /home/dpserver/users/testgroups
> ><Limit GET POST>
> >require valid-user
> ></Limit>
> ></Location>
> >
> >9. Generated a client certificate and converted to PKCS#12 format
> >
> >CA.sh -newreq
> >CA.sh -sign
> >openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -name "Test User" \
> >-certfile demoCA/cacert.pem -out newcert.p12
> >
> >
> >______________________________________________________________________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List [EMAIL PROTECTED]
> >Automated List Manager [EMAIL PROTECTED]
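
An added example, not part of the original thread and not mod_ssl code: a small Python check that reports the context in which each client-authentication directive from the quoted httpd.conf sits. mod_ssl applies SSLVerifyClient in server context during the initial handshake and forces a renegotiation when it is set per-directory, which is the case SSLOptions +OptRenegotiate addresses. The function names and the server-context placement of the SSLOptions line in the sample are assumptions, since the thread does not show where that line was added.

```python
import re

# Constructed sample: directives quoted in the thread. The SSLOptions line is
# placed in server context as an assumption (the thread does not show where).
SAMPLE_CONF = """\
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +OptRenegotiate
<Directory /home/dpserver/securehome>
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</Directory>
<Location /servlet>
AuthType Basic
</Location>
"""

PER_DIR = {"directory", "directorymatch", "location", "locationmatch", "files"}
WATCHED = {"sslverifyclient", "sslverifydepth", "ssloptions", "authtype"}

def directive_contexts(conf_text):
    """Return (directive, args, context) tuples; context is 'server' or the
    innermost enclosing per-directory section such as 'Location /servlet'."""
    stack, found = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        opened = re.fullmatch(r"<(\w+)\s*(.*?)>", line)
        if opened:                           # opening tag: enter the section
            stack.append((opened.group(1), opened.group(2)))
            continue
        parts = line.split(None, 1)
        if parts[0].lower() in WATCHED:
            scopes = [f"{n} {a}".strip() for n, a in stack if n.lower() in PER_DIR]
            args = parts[1] if len(parts) > 1 else ""
            found.append((parts[0], args, scopes[-1] if scopes else "server"))
    return found

def renegotiation_triggers(found):
    """SSLVerifyClient set per-directory: mod_ssl renegotiates for these after
    reading the request; a server-context setting is handled in the handshake."""
    return [f for f in found if f[0].lower() == "sslverifyclient" and f[2] != "server"]
```

On the sample, `renegotiation_triggers(directive_contexts(SAMPLE_CONF))` is empty: the certificate requirement is server-wide, and the only per-directory access control is Basic authentication.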