Re: SSLVerifyClient

2005-06-28 Thread lingwitt
This can't be the problem, as I specify the CA using SSLCACertificatePath using the proper HASH names. I've also tried SSLCACertificateFile. Using s_client with SSLVerifyClient optional, it shows that the server is correctly identifying which CAs are allowed.

I think the problem is with Safari and Keychain. I shall look further into the matter.

On Jun 28, 2005, at 10:27 AM, Paul Puschmann wrote:

> I think that Eckard Wille might be right. So have some experiments with your ca-files and certificates.

Re: SSLVerifyClient

2005-06-28 Thread Paul Puschmann

[EMAIL PROTECTED] wrote:
> Obviously I understand everything you are saying. Arrogant fool.
> Explain something interesting to me.
> 
> The CA is recognized by the server.
> 
> Greetings from the US
> 
Sure?
First: this is an English mailing list, so please write only in English
and not in such an ugly German word-puzzle.

Next: Write below the quote so you don't produce TOFU (Text oben,
Fullquote unten: text on top, full quote below).

Last: Read http://learn.to/quote/

I think that Eckard Wille might be right. So have some experiments with
your ca-files and certificates.

Paul

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: change your autoreply configuration!!!!

2005-06-28 Thread Daniel Kimblad



I'm so sorry, I had no idea that was happening. I'm using a company mail here.
The only thing I can do about it is unsubscribe, I'll do that immediately.

/Daniel
 

  - Original Message -
  From: Harald Langaker
  To: [EMAIL PROTECTED]
  Cc: modssl-users@modssl.org
  Sent: Friday, June 24, 2005 11:26 AM
  Subject: change your autoreply configuration

  Hey!
  You autoreply "out of office" to modssl-users@modssl.org
  Can you please STOP that, I DO NOT WANT TO GET A MAIL FROM YOU EVERY TIME SOMEONE SENDS A MAIL TO modssl-users@modssl.org!!!

  Otherwise action has to be taken to get you off the list!

  Harald Langaker
  Senior Quality Assurance Engineer
  Fon +49.6151.82897-46  Fax +49.6151.82897-26
  www.secude.com  mailto:[EMAIL PROTECTED]
  SECUDE IT Security GmbH
  Goebelstraße 21, 64293 Darmstadt, Germany
  CEO: Dr. Heiner Kromer
  SECUDE is member of iT_SEC SWiSS AG www.itsec-swiss.com


Re: SSLVerifyClient

2005-06-28 Thread lingwitt
Obviously I understand everything you are saying. Arrogant fool. Explain something interesting to me.

The CA is recognized by the server.

Greetings from the US

On Jun 28, 2005, at 8:14 AM, Eckard Wille wrote:

> [EMAIL PROTECTED] wrote:
>> browser produces errors:
>> [28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
>> [28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
>> [28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> Hi lingwitt,
>
> obviously the CA that signed your clients is not known to the server. Take a look at
> http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14
>
> Greetings from Germany,
> Eckard

Re: SSLVerifyClient

2005-06-28 Thread Eckard Wille

[EMAIL PROTECTED] wrote:

> browser produces errors:
>
> [28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
> [28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
> [28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate


Hi lingwitt,

obviously the CA that signed your clients is not known to the server. 
Take a look at


http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14

Greetings from Germany,
Eckard


SSLVerifyClient

2005-06-28 Thread lingwitt

Please please help me get this stuff working.
I want client authentication. Currently, I am trying
to get authentication to work with my own CA, but that is foobar.
I have an intranet where the people already have certificates.
I want to use the CA that signed those as well.
When s_client does work, it shows that the server
is requesting certificates signed by the allowed CAs, so I am
content with that.

It seems as if the browser is not sending the certificates to Apache.

I'm running Mac OS X Tiger, I've tried importing my own certificates
into Keychain, but that makes no difference, and besides, I already
have a certificate for my intranet in there that should work.
Moreover, my own signed certificates don't have purposes like "client
authentication," which is perhaps the cause of some of the trouble.

Any advice will be appreciated.

When I have SSLVerifyClient none

I can log into the SSL enabled server just fine.


When it is SSLVerifyClient optional

s_client without a certificate works

s_client with a certificate produces:

CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=Server/CN=/Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5100:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
5100:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


and a browser causes:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server :443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib(20):func(137):reason(178)



When it is SSLVerifyClient require

s_client without certificate: same as with cert above

s_client with certificate:

CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=/CN=/Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5111:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
5111:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:


browser produces errors:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0 established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server :443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib(20):func(137):reason(178)




Running s_server always works, and the client certificate from the browser is loaded up.

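The check the thread is debugging, reproduced offline as an added example (not code from the thread, from mod_ssl or from OpenSSL's own tooling): a throwaway CA and two client certificates are constructed, the CA is installed under the hashed file name that SSLCACertificatePath expects, and `openssl verify` is run against that directory. A client signed by a CA that is not in the directory fails with error 20, the same code as in the Apache log above. The CA and client names (intranet-ca, other-ca, alice, bob) are constructed for the example.

```shell
# Added example, not from the thread or mod_ssl: build a throwaway PKI and
# check client certificates against a hashed CA directory laid out the way
# SSLCACertificatePath expects (one file per CA named <subject-hash>.0).
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: self-signed CA key and certificate (constructed test data)
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# new_client NAME CA: client key plus a certificate signed by CA
new_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# install_ca DIR CA: copy the CA cert into DIR under its subject-hash name,
# which is what c_rehash does; any other file name is invisible to the lookup.
install_ca() {
  mkdir -p "$1"
  cp "$WORK/$2.crt" "$1/$(openssl x509 -noout -hash -in "$WORK/$2.crt").0"
}

# verify_client NAME DIR: print "ok" when NAME.crt chains to a CA in DIR,
# otherwise the OpenSSL verify error number (20 = "unable to get local
# issuer certificate", the code in the Apache log quoted in the thread).
verify_client() {
  out="$(openssl verify -CApath "$2" "$WORK/$1.crt" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# setup_demo: the intranet CA is installed in the path, a second CA is not
setup_demo() {
  new_ca intranet-ca; new_ca other-ca
  new_client alice intranet-ca; new_client bob other-ca
  install_ca "$WORK/capath" intranet-ca
}

setup_demo
echo "alice, signed by installed intranet-ca: $(verify_client alice "$WORK/capath")"
echo "bob, signed by uninstalled other-ca:    $(verify_client bob "$WORK/capath")"
```

Renaming the installed file to anything other than its hash reproduces the same error 20 for alice, which is the mis-configuration Eckard's reply points at.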