Hello,

I have seen similar questions posted on the openssl mailing list before, but I have not seen much discussion. One thing that you may want to try is to upgrade the version of openssl itself, but I have no clue whether that applies to your problem.
Why don't you post this question on the openssl mailing list, hoping that somebody has solved the question since then?

-Kiyoshi

Kiyoshi Watanabe

> Hello,
>
> I posted this question already some days ago, but did not yet receive any hint. Does really no-one have any idea what could be the problem?
>
> -----------------------
>
> I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl 0.9.6i (and possibly a factor also tomcat 4.1.27 server, client IE6 with Java 1.4 plugin from Sun).
>
> The web-server should run all applications only over SSL and with client certificate verification enabled.
>
> So I set up all the necessary configuration, including server and client certificates (our company has its own internal CA), and moved three different applications from the non-SSL to the SSL virtual-host. Everything works fine, the applications can access the "environment variables", where the user-ID coming from the certificate is stored, in order to authenticate the users and provide user-specific content. One of the working applications is PHP based, another one is JSP based, so via Tomcat. (only explaining this so that it is clear the whole server combination including the SSL setup seems to be right in principle).
>
> However the 4th application doesn't work.
>
> The fourth application is not JSP, but a Servlet/Applet combination.
>
> What happens when accessing the page is that the "index.html" downloads to the client, but then the applet should be retrieved by the browser (IE/Java plug-in), but the JAVA Plug-In just says "applet not found", and in the web-server error file (put in INFO) I see the following:
>
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
> [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
> [Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
> [Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
>
> I know, normally this "peer did not return a certificate" indicates that either my browser does not have a certificate (which it has) or that the certificate can not be verified by the server due to a missing CA certificate (which it has). If one of these or both problems were there, the other three applications would not work as well, right? But they do!
>
> Any ideas?
>
> If I switch on debug level, I get even more info (which does not tell me a lot more). First there is a verification/handshake on client certificate A (successful) and then there is something about a certificate B????? what is this about? What is certificate A and B?
>
> Thanks in advance
>
> Herbert
>
> Debugging info:
>
> [Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
> [Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
> [Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
> [Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
> [Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
> [Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
> [Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
> [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
> [Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established (server esdsv07.my.com:443, client 115.136.126.30)
> [Tue Aug 05 19:15:02 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake: start
> [Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
>
> [---lots of stuff/binary dump omitted---]
>
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read finished A
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write change cipher spec A
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write finished A
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(708): inside shmcb_store_session
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(714): session_id[0]=106, masked index=10
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1089): entering shmcb_insert_encoded_session, *queue->pos_count = 0
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1013): entering shmcb_expire_division
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1145): we have 14386 bytes and 133 indexes free - enough
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1174): storing in index 0, at offset 0
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1189): session_id[0]=106, idx->s_id2=63
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1200): leaving now with 11 28 bytes in the cache and 1 indexes
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1204): leaving shmcb_insert_encoded_session
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(742): leaving shmcb_store successfully
> [Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(437): shmcb_store successful
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610): Inter-Process Session Cache: request=SET status=OK id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849 timeout=296s (session caching)
> [Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1768): OpenSSL: Handshake
>
> [--- another and another successful handshake following ---]
>
> [--- even more stuff omitted, then something strange: ---]
>
> [Tue Aug 05 19:15:13 2003] [info] Connection to child 1 established (server esdsv07.my.com:443, client 15.191.1.8)
> [Tue Aug 05 19:15:13 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake : start
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 11/11 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
>
> [--bio dump left out--]
>
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read client hello A
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write server hello A
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate A
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate request A
> [Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
> [Tue Aug 05 19:15:14 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 5/5 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
>
> [--another bio dump left out-- so far the usual success, but now....]
>
> [Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1782): OpenSSL: Write: SSLv3 read client certificate B
> [Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: error in SSLv3 read client certificate B
> [Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: error in SSLv3 read client certificate B
> [Tue Aug 05 19:15:14 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 19:15:14 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
> [Tue Aug 05 19:15:14 2003] [info] Connection to child 1 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established (server esdsv07.my.com:443, client 115.136.126.30)
>
> It started with read/written client certificate A, no error, then suddenly says something about client certificate B, which fails. What is client certificate B?
>
> --
> Herbert Neugebauer
> [EMAIL PROTECTED]
> 71088 Holzgerlingen Germany
> *****
> War does not decide who's right, only who's left
> -- unknown quote
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
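The [info] lines quoted in the post already name the failing step (SSL3_GET_CLIENT_CERTIFICATE: the peer sent no certificate at all, so there was nothing to verify), and the A/B suffix in the debug lines is OpenSSL's sub-state within that one handshake step, not a second certificate. The following is an added example, not code from the post or from mod_ssl, that walks a mod_ssl 2.0 error log and reports per client IP which connections failed the client-certificate step; the sample log is constructed from the post's lines, and its last line (a clean shutdown for the working client) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the mod_ssl 2.0 [info] format quoted in the post; the last
# line (a clean shutdown from the working client) is assumed, not taken from the post.
SAMPLE_LOG = """\
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:54 2003] [info] Connection to child 69 closed with standard shutdown (server esdsv07.my.com:443, client 115.136.126.30)
"""

ESTAB_RE = re.compile(r"Connection to child (?P<child>\d+) established \(server [^,]+, client (?P<client>[^)]+)\)")
CLOSED_RE = re.compile(r"Connection to child (?P<child>\d+) closed with \w+ shutdown ?\(server [^,]+, client (?P<client>[^)]+)\)")
HS_ERR_RE = re.compile(r"SSL library error \d+ in handshake \(server [^,]+, client (?P<client>[^)]+)\)")
LIB_ERR_RE = re.compile(r"SSL Library Error: \d+ error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$")

def analyze(log_text):
    """One pass over the log: per client IP, count connections and record the
    OpenSSL handshake function (and reason) each failed connection died in."""
    by_child, last_by_client, pending = {}, {}, None
    report = defaultdict(lambda: {"connections": 0, "handshake_failures": 0, "failures": []})
    for line in log_text.splitlines():
        if e := ESTAB_RE.search(line):
            by_child[e["child"]] = last_by_client[e["client"]] = {"client": e["client"], "errors": []}
            report[e["client"]]["connections"] += 1
        elif h := HS_ERR_RE.search(line):
            # The error line names the client but not the child, so the detail line
            # that follows is attached to that client's most recent connection.
            pending = last_by_client.get(h["client"])
        elif (d := LIB_ERR_RE.search(line)) and pending is not None:
            pending["errors"].append((d["func"], d["reason"].strip()))
            pending = None
        elif c := CLOSED_RE.search(line):
            rec = by_child.pop(c["child"], None)
            if rec and rec["errors"]:
                report[rec["client"]]["handshake_failures"] += 1
                report[rec["client"]]["failures"].extend(rec["errors"])
    return dict(report)

def clients_without_client_cert(report):
    """Clients that failed in SSL3_GET_CLIENT_CERTIFICATE, i.e. never presented a
    certificate although the server requested one (the applet symptom in the post)."""
    return sorted(ip for ip, r in report.items()
                  if any(func == "SSL3_GET_CLIENT_CERTIFICATE" for func, _ in r["failures"]))

if __name__ == "__main__":
    print(clients_without_client_cert(analyze(SAMPLE_LOG)))
```

Run against the real error_log, the list separates clients whose TLS stack sends no certificate (here the Java plug-in fetching the applet) from clients whose certificate is sent but rejected, which would fail in a different OpenSSL function.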