Looks to me that client authentication failed. And this is most likely due to client cert processing on the server side:

[notice] child pid 9192 exit signal Segmentation fault (11)

The above indicates that. Make sure client cert processing is done correctly on the server side. If it is a program failure, then you need to get the programmer to debug the program.

Regards,
Dr. Wu

--- Gaël Lams <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> I'm trying to configure client authentication for one of my sites
> (SuSe 9.0, apache 2.0.48, openssl-0.9.7b-133 distribution's rpm).
> You will find below the steps I'm following, the problem I have is
> that, when I go to the page, it first asks me to accept the server's
> certificate, then asks me to select one of the client certificates
> imported in the browser, and then:
> - on IE, it gives me the error "Cannot find server or DNS Error"
> - on Firefox, it gives me a blank page
>
> In the apache log file
> [Tue Jul 12 15:03:41 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
> [Tue Jul 12 15:03:43 2005] [notice] child pid 9192 exit signal Segmentation fault (11)
>
> If I remove "SSLVerifyCLient require" and authenticate only the
> server, I can see the right web page.
>
> After several unsuccessful tests, I'm wondering whether I'm missing something
>
> Here are the steps I follow:
>
> 1 Generate my own Certificate Authority:
>
> openssl genrsa -out itcilo-ca.key 2048
> openssl req -new -x509 -days 3650 -key itcilo-ca.key -out itcilo-ca.crt
>
> 2 Generate the server key and request for signing
>
> openssl genrsa -out tomcat-server.key 1024
> openssl req -new -key tomcat-server.key -out tomcat-server.csr
>
> 3 Sign the certificate signing request with the self-created
> certificate authority
>
> openssl x509 -req -in tomcat-server.csr -out tomcat-server.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650
>
> I had to create an itcilo-ca.srl file (echo "01" >itcilo-ca.srl)
>
> 4 Create a new private key and a certificate request for the user:
> openssl genrsa -out lams.key 1024
> openssl req -new -key lams.key -out lams.csr
>
> 5 Sign the certificate request, thereby creating the client certificate:
> openssl x509 -req -in lams.csr -out lams.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650
>
> 6 Generate the PKCS#12 certificate:
> openssl pkcs12 -export -in lams.crt -inkey lams.key -name "Lams Gael Cert" -out lams.p12
>
> 7 Import the certificate into the browser
>
> And here is my virtual host configuration:
> <VirtualHost *:443>
>     ServerAdmin myemailaddress
>     DocumentRoot /srv/www/vhosts/myfqdn
>     ServerName myfqdn
>     SSLEngine on
>     SSLCertificateFile /etc/apache2/ssl.crt/tomcat-server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl.key/tomcat-server.key
>     SSLCACertificateFile /etc/apache2/ssl.crt/itcilo-ca.crt
>
> </VirtualHost>
>
> <Directory /srv/www/vhosts/myfqdn>
>
>     SSLRequireSSL
>     SSLVerifyCLient require
>     SSLVerifyDepth 1
>
>     Options Indexes
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>
> </Directory>
>
> Any help, pointer would be greatly appreciated
>
> Regards,
>
> gaël
> ______________________________________________________________________
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List
> openssl-users@openssl.org
> Automated List Manager
> [EMAIL PROTECTED]
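
The certificate steps quoted above can be checked offline, before Apache is involved, to separate problems in the certificate material from faults on the server side. The script below is an added example and is not part of either message: it rebuilds the same CA, server and client files in a scratch directory, then confirms that each key matches its certificate and that each certificate chains to the CA file named in `SSLCACertificateFile`. The subject names, 2048-bit keys, SHA-256 signatures, 30-day validity and the use of `-CAcreateserial` in place of the hand-made `.srl` file are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. File names follow the post; subject
# names, key sizes, digest and validity are constructed for the demo.

build_chain() {  # $1 = scratch directory
    d=$1
    # Step 1: self-signed CA, the file SSLCACertificateFile points at.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/itcilo-ca.key" -out "$d/itcilo-ca.crt" 2>/dev/null || return 1
    # Steps 2-5: key and CSR, then CA signature, for server and client.
    for n in tomcat-server lams; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr" -out "$d/$n.crt" -sha256 \
            -CA "$d/itcilo-ca.crt" -CAkey "$d/itcilo-ca.key" \
            -CAcreateserial -days 30 2>/dev/null || return 1
    done
    # Control case: a self-signed certificate this CA never issued.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=unrelated.example" \
        -keyout "$d/unrelated.key" -out "$d/unrelated.crt" 2>/dev/null
}

key_matches_cert() {  # $1 = certificate, $2 = private key
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

chains_to_ca() {  # $1 = CA cert, $2 = leaf cert, $3 = sslclient or sslserver
    openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = label; remaining arguments = the check to run
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

run_checks() {  # $1 = directory holding the generated files
    report "server key matches cert" key_matches_cert "$1/tomcat-server.crt" "$1/tomcat-server.key"
    report "client key matches cert" key_matches_cert "$1/lams.crt" "$1/lams.key"
    report "server cert chains to CA" chains_to_ca "$1/itcilo-ca.crt" "$1/tomcat-server.crt" sslserver
    report "client cert chains to CA" chains_to_ca "$1/itcilo-ca.crt" "$1/lams.crt" sslclient
    if chains_to_ca "$1/itcilo-ca.crt" "$1/unrelated.crt" sslclient
    then echo "FAIL  unrelated cert accepted"; else echo "ok    unrelated cert rejected"; fi
}

scratch=$(mktemp -d) && build_chain "$scratch" && run_checks "$scratch"
rm -rf "$scratch"
```

`run_checks` can also be pointed at a directory that already holds files with these names, skipping `build_chain`.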