benr,

Following is from a Win32 httpd.conf file that is running
1.3.19 and 2.8.1.  I created the certificates using the openssl
tools, and this has worked very well for https: from Netscape.
It has fewer configuration lines than your email, so hopefully
it has some clue to work from.  This config still needs some work,
but it does work.

FYI: I tried a Thawte "free" certificate built from the same CSR
file. It worked fine, but failed miserably for Java.  Java worked
when I went back to the openssl certificate.

Dave

-----

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLProtocol SSLv3

SSLLog logs/SSL.log
SSLLogLevel info

<VirtualHost *:443>
SSLEngine On
DocumentRoot "d:\DocRoot\Files"
SSLCertificateFile conf/ssl/www.xyz.com.cer
SSLCertificateKeyFile conf/ssl/www.xyz.com.key

<Directory "d:\DocRoot\Files">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

</VirtualHost>

-----

At 03:15 AM 03/13/2001 , you wrote:
>Hello.
>
>         I've recently started playing with mod_ssl
>and had done well with it till I decided to switch off
>the test certs (SnakeOil) and onto real certs.  I successfully
>created and signed my own cert as documented in the mod_ssl
>users guide, but ran into trouble when trying to connect with
>a browser.
>
>         I'm testing with Netscape and Mozilla.  When I hit
>the server (https://) I get the normal "This is a secure page
>blah, blah", and then another window "No User Certificate: The
>server may not let you connect without one".  I click "Next"
>there and get a window saying "An IO Error Occurred.  Try Connecting
>Again".  This happens over and over again each time I try.  I've
>tried several different machines and the same result.  I tried
>IE on NT, and essentially the same thing happened, except that
>instead of an IO error I just got an error page.  (effectively
>the same result)  After inspecting my ssl_engine_log I find this
>line, which seems to correspond to the IO error:
>
>[12/Mar/2001 21:08:15 09014] [info]  Connection to child 2 established
>(server xxx.blah.com:443, client xxx.xxx.xxx.xxx)
>[12/Mar/2001 21:08:15 09014] [info]  Seeding PRNG with 1160 bytes of entropy
>[12/Mar/2001 21:08:19 09014] [error] SSL handshake failed (server
>xxx.blah.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
>[12/Mar/2001 21:08:19 09014] [error] OpenSSL: error:140890C7:SSL
>routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>[Hint: No CAs known to server for verification?]
>
>         (Note: I did in fact block out the hostname and IP for security
>reasons, it's not a misconfigured system in that regard <grin>)
>
>So my problem, as mentioned by the log is that I don't have a CA server.
>I've looked through the docs for OpenSSL and mod_ssl and can't find anything
>about building/configuring a CA Server, there's plenty on signing certs AS a
>CA, but not actually serving as a CA for requests.  So how do I?  Or is this
>in the docs and I simply missed it?  Part of my confusion is in whether the
>CA "Server" is a daemon or not.  Do I need to launch an OpenSSL session that
>stays open on a given port for requests or does Apache with mod_ssl take
>care of the magic?  This is really driving me nuts, and SSL is really
>kool... I'm totally thrilled that there is such a good open source SSL tool
>kit available that everyone can play with it.
>
>Just for kicks, here's some lines from my httpd.conf, all under the default
>virtual host on port 443 (ie: modified lines from the originally placed.
>I've excluded lines that I didn't think were interesting or applied):
>
><VirtualHost _default_:443>
>DocumentRoot "/usr/local/apache/htdocs"
>ServerName xxx.blah.com
>SSLEngine on
>SSLCipherSuite HIGH:MEDIUM:LOW:RC4+RSA:+SSLv2
>SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
>SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
>SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
>SSLCACertificatePath /usr/local/apache/conf/ssl.crt
>SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
>SSLCARevocationPath /usr/local/apache/conf/ssl.crl
>SSLVerifyClient optional_no_ca
>SSLVerifyDepth  10
></VirtualHost>
>
>The directives that I'm not 100% clear about (even after reading the docs,
>which were really great) are SSLCipherSuite and SSLVerifyClient.  I've tried
>other variants for SSLVerifyClient, but they didn't really help.  It seems
>like I can only get this thing to work well when I specify that
>no-encryption is an option.... which is exactly against the point.
>
>         So, ultimately the question is, do I have a config problem, a client
>problem, a psychological problem, or do I simply lack a CA Server? Any help
>is GREATLY appreciated.  Sorry for being so wordy, but I figured I'd just be
>complete the first time.
>
>         benr.
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
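The virtual host benr quoted above, shown as posted beside a corrected form; this is an added illustration, not config from either message in the thread. File paths are the ones benr posted, and the comments are the editor's reading of the directives.

```apache
# --- As posted (the lines that cause the behaviour described) ---
# SSLCipherSuite HIGH:MEDIUM:LOW:RC4+RSA:+SSLv2   # admits LOW-grade ciphers and SSLv2
# SSLVerifyClient optional_no_ca                  # server asks every browser for a client cert
# SSLVerifyDepth  10

# --- Corrected: server certificate only, no client authentication ---
<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache/htdocs"
    ServerName xxx.blah.com
    SSLEngine on

    # Disable SSLv2 and drop the weak groups. !aNULL/!eNULL exclude
    # unauthenticated and unencrypted suites, so "no encryption" is
    # never an option the client can negotiate.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP

    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # Only needed when server.crt was issued by an intermediate CA;
    # a self-signed server.crt needs no chain file.
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt

    # "none" means the server never sends a CertificateRequest, so the
    # browser is not prompted for a user certificate and the handshake
    # cannot fail with "peer did not return a certificate".
    SSLVerifyClient none
</VirtualHost>

# --- Alternative: you really do want to authenticate browsers ---
# There is no CA daemon to run. The "CA" is the key you signed with in
# openssl; mod_ssl only needs that CA's certificate to verify what the
# browser presents. Replace the last directive above with:
#
#    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
#    SSLVerifyClient require
#    SSLVerifyDepth  1
#
# and issue each user a certificate signed by that same CA.
```

With `SSLVerifyClient require`, a browser without a certificate from that CA is refused, which is the intended outcome; the "No User Certificate" prompt benr saw is the browser reacting to the server's request, not a missing server.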
