Hi all.

    I have a problem with certificate chains in apache_1.3.19 with mod_ssl.

    I have configured httpd.conf as follows:

**********************************************************
httpd.conf:
SSLCertificateFile /path/to/cert/server_certificate.pem
SSLCertificateKeyFile /path/to/cert/server_key.pem
SSLCACertificatePath /path/to/cert
SSLCertificateChainFile /path/to/cert/cas_certificates.p7c (PEM format)
SSLCACertificateFile /path/to/cert/subCA_certificate.pem
SSLVerifyClient optional

SSLVerifyDepth 3
***********************************************************

    cas_certificates.p7c is a certificate chain containing two CAs, subCA 
at index 0 and rootCA at index 1.
    server_certificate.pem is signed by subCA.
    subCA_certificate.pem contains the subCA certificate.
    SSLCACertificatePath contains the cert directory with all 
certificates (I think it is optional).

    I can access through a Netscape browser because VerifyClient is 
optional.
    I want to access through a Java servlet which wants to retrieve the 
client certificate.
    When I try this I get the following exception:

 in /path/to/apache/logs/error.log:
[Wed Jul 10 10:59:58 2002] [error] mod_ssl: Certificate Verification: 
Error (19): self signed certificate in certificate chain
[Wed Jul 10 10:59:58 2002] [error] mod_ssl: SSL handshake failed (server 
bree.dif.um.es:443, client 155.54.95.12) (OpenSSL library error follows)
[Wed Jul 10 10:59:58 2002] [error] OpenSSL: error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

in /path/to/apache/logs/ssl_engine:
[10/Jul/2002 10:59:50 02548] [info]  Server: Apache/1.3.19, Interface: 
mod_ssl/2.8.3, Library: OpenSSL/0.9.6c
[10/Jul/2002 10:59:50 02548] [info]  Init: 1st startup round (still not 
detached)
[10/Jul/2002 10:59:50 02548] [info]  Init: Initializing OpenSSL library
[10/Jul/2002 10:59:50 02548] [info]  Init: Loading certificate & private 
key of SSL-aware server bree.dif.um.es:443
[10/Jul/2002 10:59:50 02548] [info]  Init: Seeding PRNG with 136 bytes 
of entropy
[10/Jul/2002 10:59:50 02548] [info]  Init: Generating temporary RSA 
private keys (512/1024 bits)
[10/Jul/2002 10:59:50 02548] [info]  Init: Configuring temporary DH 
parameters (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info]  Init: 2nd startup round (already 
detached)
[10/Jul/2002 10:59:50 02549] [info]  Init: Reinitializing OpenSSL library
[10/Jul/2002 10:59:50 02549] [info]  Init: Seeding PRNG with 136 bytes 
of entropy
[10/Jul/2002 10:59:50 02549] [info]  Init: Configuring temporary RSA 
private keys (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info]  Init: Configuring temporary DH 
parameters (512/1024 bits)
[10/Jul/2002 10:59:50 02549] [info]  Init: Initializing (virtual) 
servers for SSL
[10/Jul/2002 10:59:50 02549] [info]  Init: Configuring server 
bree.dif.um.es:443 for SSL protocol
[10/Jul/2002 10:59:58 02552] [info]  Connection to child 0 established 
(server bree.dif.um.es:443, client 155.54.95.12)
[10/Jul/2002 10:59:58 02552] [info]  Seeding PRNG with 1160 bytes of entropy
[10/Jul/2002 10:59:58 02552] [error] Certificate Verification: Error 
(19): self signed certificate in certificate chain
[10/Jul/2002 10:59:58 02552] [error] SSL handshake failed (server 
bree.dif.um.es:443, client 155.54.95.12) (OpenSSL library error follows)
[10/Jul/2002 10:59:58 02552] [error] OpenSSL: error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

    I think it's a problem with the Apache SSL configuration, but I'm not sure.

    Any idea?

    Thanks a lot, Gabi.

-- 
-------------------------------------------------
Gabriel Lopez Millan - Grupo ANTS-CIRCuS
Facultad de Informática
Universidad de Murcia (España) Tfo: +34 968367645
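
The error 19 in the log above ("self signed certificate in certificate chain") is OpenSSL's way of saying that the chain the client presented could be built up to a self-signed root, but that root was not found in the server's own trust store. As an added example (not part of Gabi's post and not mod_ssl or OpenSSL code), the Go program below rebuilds the post's hierarchy with constructed certificates (rootCA, a subCA signed by it, and a client certificate signed by the subCA) and runs the same trust-store / presented-chain combinations through a small model of the classic OpenSSL rule. Go's crypto/x509 by itself accepts anything in the Roots pool as a trust anchor, so the stricter rule (the path must end in a self-signed certificate that is itself trusted) is layered on top of its result; the function names, scenario labels and the error-20 wording are my own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrSelfSignedInChain = errors.New("error 19: self signed certificate in certificate chain") // OpenSSL's wording
var ErrUnableToGetIssuerLocally = errors.New("error 20: unable to get local issuer certificate")
var nextSerial int64 // toy serial counter, enough for constructed fixtures

// newCert issues a constructed CA or end-entity certificate for cn; with parent == nil it
// is self-signed (a root CA). It panics on failure because it only builds example fixtures.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyClientChain models the classic OpenSSL rule: `trusted` is SSLCACertificateFile,
// `presented` is the client's chain (path-building help only), and the path must end in a
// self-signed, trusted certificate. Go's Verify accepts any Roots entry, so the rule is added on top.
func VerifyClientChain(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return err
	}
	for _, ch := range chains {
		if top := ch[len(ch)-1]; top.CheckSignatureFrom(top) == nil {
			return nil // some path reaches a trusted, self-signed root
		}
	}
	// Every path stops at a trusted but non-self-signed CA. OpenSSL keeps looking for its
	// issuer and reports error 19 when only the client's untrusted chain supplies it.
	top := chains[0][len(chains[0])-1]
	for _, c := range presented {
		if c.CheckSignatureFrom(c) == nil && top.CheckSignatureFrom(c) == nil {
			return ErrSelfSignedInChain
		}
	}
	return ErrUnableToGetIssuerLocally
}

// Scenarios builds the post's hierarchy (rootCA -> subCA -> client certificate) and
// returns the verification result for each trust-store / presented-chain combination.
func Scenarios() map[string]error {
	root, rootKey := newCert("constructed rootCA", true, nil, nil)
	sub, subKey := newCert("constructed subCA", true, root, rootKey)
	client, _ := newCert("constructed client", false, sub, subKey)
	both, onlySub, onlyRoot := []*x509.Certificate{sub, root}, []*x509.Certificate{sub}, []*x509.Certificate{root}
	return map[string]error{
		"trusted=subCA presented=subCA+root": VerifyClientChain(client, onlySub, both), // the post's setup
		"trusted=subCA presented=none":       VerifyClientChain(client, onlySub, nil),
		"trusted=root presented=subCA+root":  VerifyClientChain(client, onlyRoot, both),
		"trusted=subCA+root presented=subCA": VerifyClientChain(client, both, onlySub),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-38s -> %v\n", name, err) // <nil> means the client certificate verified
	}
}
```

The first scenario is the configuration in the post: the trust store holds only subCA while the client sends subCA plus the self-signed rootCA, and the model returns error 19, exactly as the log does. The same client verifies once rootCA is in the trust store, which is what SSLCACertificateFile controls for client authentication (SSLCertificateChainFile only changes the chain the server sends to browsers, not which CAs it trusts for client certificates). Two caveats from the mod_ssl documentation: a directory given in SSLCACertificatePath is only consulted through hash-named files (the c_rehash layout), so a plain copy of the certificates there does not make them trusted, and the OpenSSL of that era has no partial-chain mode, so a non-self-signed CA in the trust store never terminates the path on its own.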


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
