Hi,
I have the following situation:
Client <==SSL==> Proxy <==SSL==> Website
Proxy httpd.conf:
...
SSLCACertificateFile cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
...
Website httpd.conf:
...
SSLCACertificateFile cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1
...
Website (ssl.private.com) and Proxy (ssl.public.com) run on Apache 1.3.12 / mod_ssl 2.6.6 / OpenSSL 0.9.6 under Slackware Linux 7.0. mod_ssl was compiled with --enable-rule=SSL_EXPERIMENTAL. The cacert.pem files are the same in both cases. And it doesn't work! The log files are shown below:
Proxy SSL_LOG file:
[trace] OpenSSL: Loop: SSLv3 read client certificate A
[trace] OpenSSL: Loop: SSLv3 read client key exchange A
[trace] OpenSSL: Loop: SSLv3 read certificate verify A
...
[trace] OpenSSL: Loop: SSLv3 read finished A
[trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[trace] OpenSSL: Loop: SSLv3 write finished A
[trace] OpenSSL: Loop: SSLv3 flush data
[trace] OpenSSL: Handshake: done
[info]  Connection: Client IP: 192.168.0.2, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
...
[info]  Subsequent (No.9) HTTPS request received for child 3 (server ssl.public.com:443)
[error] SSL proxy connect failed (ssl.public.com:443): peer ssl.private.com:4443: sslv3 alert handshake failure
Website SSL_LOG file:
[trace] OpenSSL: Loop: SSLv3 read client hello A
[trace] OpenSSL: Loop: SSLv3 write server hello A
[trace] OpenSSL: Loop: SSLv3 write certificate A
[trace] OpenSSL: Loop: SSLv3 write key exchange A
[trace] OpenSSL: Loop: SSLv3 write certificate request A
[trace] OpenSSL: Read: SSLv3 read client certificate A
[trace] OpenSSL: Write: SSLv3 read client certificate B
[trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[error] SSL handshake failed (server ssl.private.com:4443, client ssl.public.com) (OpenSSL library error follows)
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
When I enter 'SSLVerifyClient none' in the Website httpd.conf, it works correctly. But the Website should use CA certificate authentication.
Any ideas?

 Krzysztof Kraska
 Technical University of Szczecin
 Computer Science Department
 ul.Zolnierska 49
 71-210 Szczecin
 Poland
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
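Editor's note on the logs above. The Website trace shows the backend sending "write certificate request A" and then failing with "peer did not return a certificate": the backend asked the Proxy for a client certificate and received none. `SSLVerifyClient require` on the Proxy only governs what browsers must present to ssl.public.com; it says nothing about what the Proxy itself presents on its outbound connection to ssl.private.com:4443, which is why the handshake passes as soon as the Website stops asking (`SSLVerifyClient none`). The fragment below is an added example, not configuration from the original post. It uses the mod_ssl experimental proxy directives (SSLProxyMachineCertificateFile, SSLProxyCACertificateFile, SSLProxyVerify); the file paths, proxy-client.pem, and the ProxyPass mapping are assumptions, and the exact directive set should be checked against the documentation shipped with the mod_ssl release in use.

```apache
# Proxy (ssl.public.com) httpd.conf -- added example, not from the original post.
# Paths and file names are assumptions.

SSLEngine on
SSLCertificateFile    /etc/httpd/ssl/proxy-server.crt
SSLCertificateKeyFile /etc/httpd/ssl/proxy-server.key

# Inbound side: browsers must present a certificate issued directly by the
# CA in cacert.pem (depth 1 = no intermediate CAs accepted).
SSLCACertificateFile  /etc/httpd/ssl/cacert.pem
SSLVerifyClient require
SSLVerifyDepth 1

# Outbound side (mod_ssl experimental proxy directives, SSL_EXPERIMENTAL).
# The client certificate the Proxy presents when the Website sends
# "certificate request". The PEM file is the Proxy's client certificate
# followed by its private key; the key must not be encrypted. The
# certificate must be issued by the CA the Website trusts (cacert.pem),
# and with SSLVerifyDepth 1 on the Website it must be signed by that CA
# directly.
SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

# Also verify the Website's server certificate, so the Proxy does not
# forward authenticated client traffic to whoever answers on port 4443.
SSLProxyCACertificateFile /etc/httpd/ssl/cacert.pem
SSLProxyVerify require
SSLProxyVerifyDepth 1

ProxyRequests Off
ProxyPass        / https://ssl.private.com:4443/
ProxyPassReverse / https://ssl.private.com:4443/
```

Before restarting, confirm that the certificate in proxy-client.pem actually chains to the CA the Website uses (`openssl verify -CAfile cacert.pem proxy-client.pem`), and that the Website's SSLVerifyDepth 1 is compatible with that chain; a certificate issued via an intermediate CA would still be rejected with a handshake failure even after the Proxy starts presenting it. Keep the Website's `SSLVerifyClient require`: the goal is for the backend to authenticate the Proxy, not to stop asking.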