I think that the generation/configuration of certificates should be OK.
Anyway, I have attached below an extract of the httpd.conf that I am using for SSL.
The "verify error" that I get on "openssl s_client" should not stop the handshake. It seems to be a decrypt error.
The certificate that I am using is self-signed with the openssl x509 utility.
The certificate is in /opt/apache/ssl/certs:
IPAHU016 > ll /opt/apache/ssl/certs
total 32
-rw-rw-rw- 1 root sys 1237 Dec 3 15:06 ca.crt
drwxrwxrwx 2 root sys 96 Dec 3 15:36 ca.db.certs
-rw-rw-rw- 1 root sys 0 Dec 3 15:36 ca.db.index
-rw-rw-rw- 1 root sys 3 Dec 3 15:36 ca.db.serial
-rw-rw-rw- 1 root sys 1066 Nov 30 19:19 server.crt
-rw-rw-rw- 1 root sys 542 Nov 30 19:18 server.csr
-rw-rw-rw- 1 root sys 2607 Dec 3 15:43 server2.crt
-rw-rw-rw- 1 root sys 720 Dec 3 15:00 server2.csr
-rw-rw-rw- 1 root sys 2608 Dec 3 16:15 server3.crt
-rw-rw-rw- 1 root sys 720 Dec 3 16:14 server3.csr
-rwxrwxrwx 1 root sys 1784 Dec 3 15:35 sign.sh
The private key file is in /opt/apache/ssl/private:
IPAHU016 > ll /opt/apache/ssl/private
total 8
-rw-rw-rw- 1 root sys 512 Nov 30 19:06 a.rand
-rw------- 1 root sys 1024 Dec 4 10:49 random.rnd
-rw-rw-rw- 1 root sys 573 Nov 30 19:08 server.key
-rw-rw-rw- 1 root sys 963 Dec 3 14:58 server2.key
The server doesn't verify the client.
Extract from httpd.conf:
<IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/opt/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/opt/apache/logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /opt/apache/logs/ssl_engine_log
    SSLLogLevel trace
</IfModule>
<IfDefine SSL>
<VirtualHost _default_:443>
    DocumentRoot "/opt/apache/htdocs"
    ServerName IPAHU016
    ServerAdmin www@IPAHU016
    ErrorLog /opt/apache/logs/error_log
    TransferLog /opt/apache/logs/access_log
    SSLEngine on
    SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /opt/apache/ssl/certs/server3.crt
    SSLCertificateKeyFile /opt/apache/ssl/private/server2.key
    SSLCertificateChainFile /opt/apache/ssl/certs/ca.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/opt/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /opt/apache/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
Thanks for your help
Dario
----- Original Message -----
From: Owen Boyle <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 10:30 AM
Subject: Re: Apache SSL doesn't work
> > Dario Prester wrote:
> >
> > Hello,
> > I have installed the Apache server SSL-enabled and I've got errors in
> > the handshake
>
> > verify error:num=20:unable to get local issuer certificate
> > verify error:num=27:certificate not trusted
> > verify error:num=21:unable to verify the first certificate
>
> Please post in plain text - it makes it much easier to respond...
>
> It looks like a problem of certificate generation/configuration. So how
> have you set up your certificates? Are they correct? Are they in the
> correct place? Are they accessible? Do you require client
> authentication?
>
> Rgds,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
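The three checks this thread keeps circling, as an added example that is not code from the thread or from mod_ssl: does the certificate in SSLCertificateFile belong to the key in SSLCertificateKeyFile, does that certificate chain to ca.crt, and is the key file readable by anyone but its owner. It assumes a POSIX shell and the openssl CLI, and builds its own throwaway CA and keys under constructed names that mirror the listing above.

```shell
#!/bin/sh
# Added example, not from the thread; assumes the openssl CLI is on PATH.
# Checks what the thread turns on: does SSLCertificateFile pair with
# SSLCertificateKeyFile (a mismatch shows up as a handshake "decrypt error"),
# does the cert chain to ca.crt, and is the key readable only by its owner.
set -e

# 0 if the public key inside the certificate equals the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate verifies against the given CA file.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if group and other have no permission bits at all on the key file.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Builds a constructed, throwaway CA and two server keys in a temp dir so the
# checks run offline; the file names mirror the thread's listing.
make_fixture() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$dir/ca.cnf"
    printf 'subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:TRUE\n' >> "$dir/ca.cnf"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl genrsa -out "$dir/server2.key" 2048 2>/dev/null
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -keyout "$dir/server3.key" \
        -out "$dir/server3.csr" -subj "/CN=IPAHU016" 2>/dev/null
    openssl x509 -req -in "$dir/server3.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server3.crt" -days 1 2>/dev/null
    chmod 666 "$dir/server2.key"   # world-writable, as in the listing
    chmod 600 "$dir/server3.key"   # owner-only, as a private key should be
    echo "$dir"
}

# The pairing the thread's httpd.conf configures: server3.crt with server2.key.
d=$(make_fixture)
cert_matches_key "$d/server3.crt" "$d/server2.key" \
    && echo "server3.crt + server2.key: match" \
    || echo "server3.crt + server2.key: MISMATCH, expect a decrypt error"
cert_chains_to_ca "$d/ca.crt" "$d/server3.crt" && echo "server3.crt chains to ca.crt"
key_perms_ok "$d/server2.key" || echo "server2.key is readable by group and other"
rm -rf "$d"
```

Run the same three functions against the real /opt/apache/ssl paths to see which of the three conditions a given httpd.conf actually violates.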