On Sun, May 20, 2001 at 02:24:35PM +1200, Damon Maria wrote:
> > With respect to the error message, mod_ssl can write more messages
> > than that into e.g. an ssl_engine_log. Did you check all possible
> > logfiles?
>
> I've checked, even with SSLLogLevel debug I couldn't get any more out of
> it.
>
> I've since looked through the mod_ssl source and if there is any kind of
> error while trying to load the ChainFile then the generic "Failed to
> configure CA certificate chain!" message is produced. Not very helpful
> really since there are many possibilities.

The OpenSSL library should have written additional error messages to
the library's error queue, but it seems mod_ssl does not evaluate
these messages.

> I have also tried using SSLCACertificateFile instead of and in
> conjunction with SSLCertificateChainFile. This was described at
> http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html
> as the instructions for ApacheSSL rather than mod_ssl. If used instead
> of SSLCertificateChainFile no init errors happen and the following is
> reported in ssl_engine_log:
>
> [20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443)
> Configuring client authentication
> [20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust
> Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class
> 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
>
> So it appears there is nothing wrong with my Intermediate Certificate
> (since that's what the trace is outputting) or Apache's ability to read
> it. Why oh why then doesn't it work with SSLCertificateChainFile,
> arrrrgh!

I am afraid that in the case given I would compile the whole thing
with debugger support and set the breakpoint to SSL_CTX_use_certificate_chain()
in ssl_util_ssl.c to see where the failure occurs. No better idea, sorry.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
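
Added example (not part of the original message and not mod_ssl code): a pre-flight check that walks the PEM blocks of a chain file and reports per block why a certificate would not load, with OpenSSL's own reason where it gives one, so the single generic "Failed to configure CA certificate chain!" message can be narrowed down. It has OpenSSL parse each certificate through Python's ssl module rather than through mod_ssl's loader; the function name check_chain_file and the sample input are constructed for illustration.

```python
import base64
import re
import ssl

# One PEM block: BEGIN line, body, matching END line (label captured).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_chain_file(text):
    """Return [(block_no, label, problem)] for a PEM chain file's contents.

    problem is None when OpenSSL parsed the block as a certificate.
    """
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        return [(0, None, "no complete BEGIN/END block found")]
    findings = []
    for number, match in enumerate(blocks, 1):
        label, body = match.group(1), match.group(2)
        problem = None
        if label != "CERTIFICATE":
            problem = "not a CERTIFICATE block"
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
                # Hand the DER to OpenSSL; on failure it reports its own reason.
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.load_verify_locations(cadata=der)
            except ssl.SSLError as exc:
                problem = f"OpenSSL rejected the DER: {exc}"
            except ValueError as exc:  # invalid base64, or nothing to decode
                problem = f"bad base64 or empty body: {exc}"
        findings.append((number, label, problem))
    return findings


# Constructed sample: a key block and two deliberately broken certificates.
SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
!!!not base64!!!
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
bm90IGEgY2VydGlmaWNhdGU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for number, label, problem in check_chain_file(SAMPLE):
        print(number, label, problem or "ok")
```

To check a real file, pass its contents, for example `check_chain_file(open(path).read())`, where `path` is the file named in SSLCertificateChainFile.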