Hmm, OpenSSL not forcing the two lists to be the same is encouraging. I will look 
further into Apache. 

Root CA in a separate file (SSLCACertificateFile) did not exclude it. This does not 
surprise me, since Apache states *File and *Path can be used interchangeably. Sounds 
like Apache should have an SSLCACertificateAnchorPath/File directive added to 
specifically define the self-signed trust anchors only. 

Stabbing in the dark:
Trust anchors must be self-signed, right? :-(

regards,
tt

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Monday, October 25, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Certificate Request Control


On Mon, Oct 25, 2004, TAYLOR, TIM (CONTRACTOR) wrote:

> Thanks for the response, Dr Henson. I have tried taking the Root CA hash link out of 
> my SSLCACertificatePath and do get the correct prompt for the identity cert only, 
> however SSL seems to then use this list of certs for finding the trusted Root. Here 
> is my error:
> 
> [Mon Oct 25 13:08:56 2004] [debug] ssl_engine_kernel.c(1183): Certificate 
> Verification: depth: 1, subject: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CLASS 
> 3 CA-6, issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
> [Mon Oct 25 13:08:56 2004] [error] Certificate Verification: Error (20): unable to 
> get local issuer certificate
> [Mon Oct 25 13:08:56 2004] [debug] ssl_engine_kernel.c(1763): OpenSSL: Write: SSLv3 
> read client certificate B
> [Mon Oct 25 13:08:56 2004] [debug] ssl_engine_kernel.c(1782): OpenSSL: Exit: error 
> in SSLv3 read client certificate B
> [Mon Oct 25 13:08:56 2004] [debug] ssl_engine_kernel.c(1782): OpenSSL: Exit: error 
> in SSLv3 read client certificate B
> [Mon Oct 25 13:08:56 2004] [info] SSL library error 1 in handshake (server 
> fin-ss17.dfas.mil:8443, client 158.18.236.217)
> [Mon Oct 25 13:08:56 2004] [info] SSL Library Error: 336105650 error:140890B2:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> [Mon Oct 25 13:08:56 2004] [info] Connection to child 88 closed with abortive 
> shutdown(server fin-ss17.dfas.mil:8443, client 158.18.236.217)
> 
> It seems the nub of my problem is the fact(?) that my acceptable client CA 
> certificate list operates as "equal to" my trusted roots list. I suppose there is no 
> way to discretely define the two lists?
> 

The OpenSSL API doesn't force the two sets of certificates to be the same. So
if you can't use different sets it could be an Apache configuration issue.

You could try adding the root CA in a separate file and using the relevant
configuration option for that to see if it is excluded.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
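Editor's note, not part of the thread above: the two sets really are separate at the OpenSSL level (the CA names advertised in the CertificateRequest come from SSL_CTX_set_client_CA_list, the trust anchors from the SSL_CTX's X509_STORE), and Apache 2.2 later exposed that split with the SSLCADNRequestFile/SSLCADNRequestPath directives. The "Error (20): unable to get local issuer certificate" at depth 1 in the log is what happens when the root is taken out of the trust store to shrink the advertised list: the root is still needed to verify the chain. The fragment below is an added example, not configuration from any of the posts; the paths and file names are assumptions, and the CA names in the comments are the ones from the quoted log.

```apache
# Added example (not from the thread). File names and paths are assumed.
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/server.crt
    SSLCertificateKeyFile /etc/pki/tls/server.key

    # Trust store used to VERIFY the client's chain. Keep the self-signed
    # root here; removing it produces "unable to get local issuer certificate".
    # Including the intermediate (DoD CLASS 3 CA-6) as well lets verification
    # succeed even when the browser sends only the end-entity certificate.
    # In Apache 2.0, this file is also the source of the CA names sent in the
    # CertificateRequest, which is the coupling discussed above.
    SSLCACertificateFile  /etc/pki/tls/dod-class3-root-and-ca6.pem

    # Apache 2.2 and later: CA names advertised in the CertificateRequest,
    # set independently of the trust store. Listing only the issuing CA
    # (DoD CLASS 3 CA-6) makes the browser offer just the matching identity
    # certificate without making CA-6 a trust anchor on its own.
    SSLCADNRequestFile    /etc/pki/tls/dod-class3-ca6.pem

    # Leaf is depth 0, CA-6 depth 1, root depth 2.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Check the effect with a debug-level SSLLogLevel (or `openssl s_client -connect host:8443` on a 1.0-era build, which prints the "Acceptable client certificate CA names" it received): the advertised list should contain only CA-6 while the verification log still walks the chain up to the root at depth 2.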