I've been running Apache and mod_ssl for a long time now.  Now I wanted to
add support for client-auth and ran into big trouble at the beginning.

As soon as any client wants to connect to a folder that (I tested
netscape7, opera6, konqueror and lynx2.8) the client gets an
unspecified error (or crashes like opera6) and the server (apache2) has the
following in its logs:

[Fri Nov 15 03:05:06 2002] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Nov 15 03:05:06 2002] [error] SSL handshake failed (server c2.goldfisch.at:443, client 62.99.146.117)
[Fri Nov 15 03:05:06 2002] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)

The config is very simple:

SSLPassPhraseDialog  builtin
SSLSessionCache        none
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
 
SSLCertificateFile /data/ssl/peter/www.goldfisch.at.crt
SSLCertificateKeyFile /data/ssl/peter/www.goldfisch.at.key

<Directory /data/apache/dav.goldfisch.at:443>
  SSLCACertificateFile /data/ssl/peter/ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1
</Directory>


I didn't install any client-certs by now (because I still don't know how
to do this: I was hoping to get asked for it by the client when
connecting).


Now I fear that my ca.crt has the wrong format.  This is my own self-signed
CertificateAuthority that I used to sign www.goldfisch.at.crt too.

I also tried to create a new client-cert and put the crt-part there
instead with the same result.

By now I don't know if a client-cert is the crt-part that is signed by
my CA and the ca-crt must be put in the SSLCACertificateFile-directive
or if I should just create a new certificate (signed by my CA) and the
crt-part should be put in the SSLCACertificateFile-directive and the
keyfile is the part that I need to install somehow at my client.

I really searched the mod_ssl-docs but I couldn't find the answer.

For the Re-negotiation-problem I found frequent entries dealing with
the same problem, but all seem to be related to problems with
MSIE-browsers that have an ssl-keep-alive bug or something. My problem
seems to be different, because I don't use MSIE at all and the problem
occurs with all clients I tried.

thnx,
peter


-- 
mag. peter pilsl
IT-Consulting
tel: +43-699-1-3574035
fax: +43-699-4-3574035
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
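
Added example, not part of the original message or of mod_ssl: a small Python decoder for the "SSL Library Error" entry in the log above. It assumes the pre-3.0 OpenSSL error packing (8-bit library, 12-bit function, 12-bit reason); the names `unpack` and `decode_log` are this example's own, and the lookup tables hold only the three values needed for this log.

```python
import re

# The library-error entry from the message, here wrapped across two lines
# the way mail clients often break long log lines.
SAMPLE_LOG = """\
[Fri Nov 15 03:05:06 2002] [error] SSL Library Error: 336105671 
error:140890C7:lib(20):func(137):reason(199)
"""

# Names taken from OpenSSL's pre-3.0 err.h / ssl.h; only the values needed here.
LIBS = {20: "SSL routines"}
FUNCS = {(20, 137): "SSL3_GET_CLIENT_CERTIFICATE"}
REASONS = {(20, 199): "peer did not return a certificate"}

ERR_RE = re.compile(
    r"SSL Library Error:\s*(\d+)\s+error:([0-9A-Fa-f]{8})"
    r"(?::lib\((\d+)\):func\((\d+)\):reason\((\d+)\))?"
)

def unpack(code):
    """Split a pre-3.0 OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_log(text):
    """Return one dict per 'SSL Library Error' entry, tolerating wrapped lines."""
    results = []
    for m in ERR_RE.finditer(text):  # \s+ in the pattern spans a line wrap
        dec, hexval = int(m.group(1)), int(m.group(2), 16)
        if dec != hexval:
            raise ValueError(f"decimal {dec} and hex {m.group(2)} disagree")
        lib, func, reason = unpack(dec)
        if m.group(3) is not None:
            logged = tuple(int(g) for g in m.group(3, 4, 5))
            if logged != (lib, func, reason):
                raise ValueError(f"logged fields {logged} do not match the code")
        results.append({
            "code": f"{dec:08X}",
            "lib": LIBS.get(lib, f"lib({lib})"),
            "func": FUNCS.get((lib, func), f"func({func})"),
            "reason": REASONS.get((lib, reason), f"reason({reason})"),
        })
    return results

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print("error:{code}:{lib}:{func}:{reason}".format(**entry))
```

The numeric fields appear in the log because the server had not loaded OpenSSL's error strings; `openssl errstr 140890C7` performs the same lookup on an installation of that generation.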