Help!

I'm trying to set up Apache+modssl 1.3.6 using the Win32 
binary in the contrib area.  Everything pretty much works,
except for one thing.

I can't get the server to ask the client for a certificate.

Reading through the logs, it looks like there is probably an
error in configuring the certifying authority.  The error is:

mod_ssl: SSL handshake failed (client X.X.X.X, 
         server Y.Y.Y.Y:443) (OpenSSL error follows)

OpenSSL: error:140890C7:SSL Routines:SSL_GET_CLIENT_CERTIFICATE:
         peer did not return a certificate [Hint: No CAs known to
         server for verification?]

Now, my browser (Netscape) does have a client cert; I use it all
the time.  I have copied a CA pem file over from another Unix-based
server I maintain, so that file should also be fine, and it is for
the CA that generated my client cert.  The only thing I can think
of is that I'm not configuring modssl properly (previously I've 
used apache+ssl, so I'm in the midst of learning the differences 
between the two, plus whatever differences are created by installing
on NT versus Solaris).

Here is the relevant portion of httpd.conf:

  SSLMutex sem
  SSLRandomSeed startup builtin
  SSLSessionCache none
  SSLLog logs/SSL.log
  SSLOptions +ExportCertData
  SSLVerifyClient require
  SSLVerifyDepth 10

  <VirtualHost Y.Y.Y.Y:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/Y.cert
    SSLCertificateKeyFile conf/ssl/Y.key
    SSLCACertificateFile conf/ssl/CA.pem
  </VirtualHost>

Explanation:
  I read the modssl user manual, and it indicated that you can't
  use SSLCACertificatePath without the magic hash value symbolic
  link.  Symbolic links of course mean squat on NT, and since I
  only have the one CA, I used SSLCACertificateFile instead.  Was
  that the right thing to do?

Hopefully someone out there will have some idea of what I'm
missing.  Unfortunately I'm stuck with trying to set up an NT
version of this because of a Win32-only cgi-bin program I need
to run.


====================================================
= Reid M. Pinchback                                =
= I/T Delivery, MIT                                =
=                                                  =
= Email:   [EMAIL PROTECTED]                          =
= URL:     http://mit.edu/reidmp/www/home.html     =
====================================================

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
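
A quick sanity check for a file used with SSLCACertificateFile, as in the post above (an added example, not part of the original message): it counts the PEM certificate blocks that decode to a well-framed DER SEQUENCE. The function names and sample data are assumptions made for illustration; it checks framing only, not X.509 contents or whether the CA issued a particular client cert.

```python
import base64
import re

# Hypothetical helper names; none of this is mod_ssl or OpenSSL code.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is one outer ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_ca_file(text: str):
    """Return (usable_cert_count, problems) for the contents of a PEM CA file."""
    usable, problems = 0, []
    for i, m in enumerate(PEM_BLOCK.finditer(text), 1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            problems.append(f"block {i}: type '{label}' is not a certificate")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
            continue
        if der_sequence_ok(der):
            usable += 1
        else:
            problems.append(f"block {i}: truncated or damaged DER")
    if usable == 0:
        problems.append("no usable CA certificate found")
    return usable, problems

def pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed samples: a DER SEQUENCE of filler bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD = pem("CERTIFICATE", FAKE_DER)
TRUNCATED = pem("CERTIFICATE", FAKE_DER[:100])
CRLF = GOOD.replace("\n", "\r\n")         # same file saved with Windows line endings
```

Run `inspect_ca_file(open("conf/ssl/CA.pem").read())` against the real file; a count of zero means the file holds no certificate block with intact framing.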
