Re: SSL proxy

2008-07-11 Thread Eckard Wille 

Eckard Wille schrieb:

Cuesta Gilles schrieb:

"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) 
) enables to secure not only one website but a large number of sites 
(a list of sites) hosted on a shared infrastructure (server with 
multiple names, reverse proxy). Ideal to secure multiple brands of a 
corporation. One certificate per hardware is required."


This only means that one host can have several names by configuring 
ServerName and ServerAlias, but does not enable virtual hosting.


Hi Cuesta,

with some tricks you could achive your goal by using the preconditions 
of mod_rewrite rules. If your ssl proxy has one single host entry with 
such a multi-named cert, it may be possible to rewrite via proxy after 
a look at the host header:


  RewriteEngine on
  RewriteCond %{HTTP_HOST} www.vhost1.com
  RewriteRule ^/(.*) www.internal.http.vhost1.com/$1 [P]

  RewriteCond %{HTTP_HOST} www.vhost2.com
  RewriteRule ^/(.*) www.internal.http.vhost2.com/$1 [P]

If this works for you depends also on the backend webapps, for example 
if they are capable of running behind a reverse proxy with a different 
http schema (HTTP<->HTTPS, servername references in html, internal 
redirects...).


Good luck

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL proxy

2008-07-11 Thread Eckard Wille 

Cuesta Gilles schrieb:

"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) ) 
enables to secure not only one website but a large number of sites (a 
list of sites) hosted on a shared infrastructure (server with multiple 
names, reverse proxy). Ideal to secure multiple brands of a corporation. 
One certificate per hardware is required."


This only means that one host can have several names by configuring 
ServerName and ServerAlias, but does not enable virtual hosting.


Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL proxy

2008-07-11 Thread Eckard Wille 

Cuesta Gilles schrieb:

I thought that using wildcard or multi-cn certificates will work ?


No.


In this case, only one certificate is needeed for a range of Vhost


If you only have one ip this won't make things better because virtual 
hosting is still not possible. Wildcard certs do not enable vHosting 
because the ssl handshake still takes place before the http host 
header can be evaluated. They were offered by CAs to make it easier 
for admins so they wouldn't have to fiddle around with dozens of certs 
and their validity management in a masshosting environment or for 
subdomains.


Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL proxy

2008-07-11 Thread Eckard Wille 

[EMAIL PROTECTED] schrieb:

I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.

I would like to use my apache proxy server to provide SSL encryption and
decryption, and not have to have each individual server do that.

Is that possible?

I have worked with virtual host configuration, and I have tried to set up
the ssl stuff so that this will work, but so far I have not been successful.

I have tried to search for this, but the closest I have come is proxy to an
ssl server.  I want to have the proxy server do the ssl stuff for me.


Hi,

you can not use SSL with virtual hosting, see 
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47


You'll have to get a dedicated ip for every single ssl host. You could 
play around with one ssl proxy on your single ip with a common name 
and do some rewriting according to an url praefix matching the secure 
parts of your backend virtual hosts; decide yourself if this config 
work is worth it.


Regards

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: opensll req -new: unkown option -new!?

2007-12-28 Thread Eckard Wille 
Eric Wood schrieb:
> My cert expired so I'm trying to renew.  Because the Organizational
> Unit field is now required, I'm trying to recreate a new CSR from
> my existing key:
> 
> # openssl req -new -key www.xyz.com.key -out www.xyz.com.csr 
> unknown option -new  etc.
> 
> I'm running FC6 with latest openssl-0.9.8b-15.fc6.   I'm totally
> perplexed as to why -new is an unknown option.  Any ideas?


Hi Eric,

perhaps the "-" has not the required ascii code. Did you copy that
command from a website? Some fellows use long minus signs for better
readability, so give it another try by typing the command line by hand.

Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: TLS 1.0 Backing Down to SSL 3.0

2007-06-21 Thread Eckard Wille 
Fought, Richard schrieb:
> I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS
> 1.0 only.  I have set the SSLCipherSuite accordingly, however when I
> connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get
> through because of the TLS ability to back down to SSL 3.0.  Is there a
> way to disable this behavior in the configuration?

Hi Richard,

if no config rules work maybe the fastest way to achive your goal are
redirects depending on the current client protocol spoken. For
example, redirecting every browser not communicating via TLS to an
extra error page:

SSLOptions +StdEnvVars
RewriteEngine on
RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
RewriteCond %{REQUEST_URI} !^/error/.*$
RewriteRule .* /error/no_tls_encryption.html [R,L]

Did not test this myself, see further details on
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and
http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond

Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: Compression in SSL

2007-02-13 Thread Eckard Wille 
devel schrieb:
> In mod_ssl I can not see any option to enable compression.
> It's posible to enable compression in SSL or
> mod_deflate made it before?

Hi,

if you are using Apache 2 you should be fine with mod_deflate. Test
your site with the firefox plugin "LiveHttpHeaders"; the header info
"Content-Encoding=gzip" means your listener delivers compressed content.

If you are using Apache 1.3, follow the steps from the mini howto at
http://marc.theaimsgroup.com/?l=apache-modgzip&m=103056813417250&w=2.
In short terms, set up two vhosts: one hidden only compressing with
mod_gzip, the other public one with ssl which is proxying the content
from the first one.

Hope that helps,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: Encrypted page would not load into IE

2006-10-13 Thread Eckard Wille 
Patrick Patterson schrieb:
> If you re-gen your CA Certificate with those usages, and then re-sign your 
> Server certificate (which itself, should have the Key Usage extension set to 
> digital Signature and key Encipherment), your issue should go away :)

There is also nice bundle of scripts from Yeak Nai Siew which
simplifies these steps a lot; especially for quick setups a nice
speedup: see http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

Greetings from Germany,
Eckard


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: Newbie Question regarding mod_ssl

2006-10-11 Thread Eckard Wille 
Erol Yalaz schrieb:
> I have a WIN2003 box with the latest Apache on it (2.2.3) and it is
> working great.  I need to get mod_ssl working.  Unfortunately, I can’t
> 
> Any suggestions?  Shouldn’t there be some pre-compiled binaries out there?

http://www.apachelounge.com/download/

If you trust them :-)

Greetings
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: ensure 128 bit encryption [update]

2006-03-10 Thread Eckard Wille 
Thomas Binder schrieb:
>>> SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 )
>> with this option, the user gets no https connection if he has <
>> 128 bit. but the user should get a error page. so it must be
>> possible to establish a connection with <128 bit but redirected
>> to the error page.
> 
> Try the following (inside ... 
> SSLOptions +StdEnvVars
> RewriteBase absolute-filesystem-path-to-directory
> RewriteCond %{ENV:SSL_CIPHER_EXPORT} "^true$"
> RewriteRule ".*" /noexport.html
> 
> Now, when someone accesses your directory with an export browser,
> (s)he will be redirected to the page /noexport.html, which may
> then explain what's wrong.

Hi all,

just wanted to set up the described configuration with Apache 2.0.54
and OpenSSL 0.9.7.g, but stumbled over the environment changes which
did not jump in my face while reading the docs. Seems like the SSL
environment isn't reachable for mod_rewrite via ENV: or LA-U: prefix,
instead the prefix SSL: has to be used, described in the change report
> http://mail-archives.apache.org/mod_mbox/httpd-bugs/200408.mbox/[EMAIL 
> PROTECTED]
Maybe Ralf could add this SSL:-prefix regarding mod_rewrite to his
excellent docs somewhere around the environment references, because
most of the existing howtos on the net do not include that new syntax.
The following lines in the global ssl environment did the trick
for our ssl hosts:

SSLOptions +StdEnvVars
RewriteEngine on
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
RewriteCond %{REQUEST_URI} !^/error/.*$
RewriteRule .* /error/weak_encryption.html [R,L]

Greetings from Germany,
Eckard




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: Apache with SSL Issue

2006-03-08 Thread Eckard Wille 
Kevin Smith schrieb:
> Probably the best think to do is add the absolute path to the files as:
> 
> SSLCertificateFile C:/Program Files/Apache2/conf/ssl/servername.cert
> SSLCertificateKeyFile C:/Program Files/Apache2/conf/ssl/servername.key

If this still does not work try to surround the path with " ", like this:

> SSLCertificateFile "C:/Program Files/Apache2/conf/ssl/servername.cert"  
> SSLCertificateKeyFile "C:/Program Files/Apache2/conf/ssl/servername.key"

Or, even better, put the Apache on a spare unix/linux box. Configuring
apache/tomcat/mod_jk/whatever is more straightforward there than on a
windows box.

Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSLVerifyClient

2005-06-28 Thread Eckard Wille 

[EMAIL PROTECTED] schrieb:

browser produces errors:

[28/Jun/2005 07:20:28 05071] [info]  Connection to child 0  established 
(server :443, client 127.0.0.1)

[28/Jun/2005 07:20:28 05071] [info]  Seeding PRNG with 0 bytes of  entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error  
(20): unable to get local issuer certificate


Hi lingwitt,

obviously the CA that signed your clients is not known to the server. 
Take a look at


http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC14

Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL Client Auth with Virtual Hosts

2005-06-24 Thread Eckard Wille 

Hoda Nadeem schrieb:

A team member was able to find a working solution (issue: single IP, two
domains, one domain requires client auth, the other domain plain SSL,
both functional with same apache instance using virtual hosts):


Hi Hoda,

test the following:

Close all browsers to get a new clean session (start new IE). Use a 
browser with definitely no included user cert (sometimes free 
email-certs are also enabled for client authentification, backup and 
remove). Visit your second defined . Asking for an user cert?


According to your setup all request can go to only one of the 
configured vhost, do some more test with clean browsers (=> close your 
browsers after each test to ensure the session is really closed). To 
ensure you are on the right vhost it would make sense to use different 
docroots with different content showing right away where you are hitting.


Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL Client Auth with Virtual Hosts

2005-06-14 Thread Eckard Wille 

Hoda Nadeem schrieb:
Eckard and All, 


Does anybody know if there is any work around to get the following
scenario to work?

1 IP Address
2 domain names attached to the same server IP address
2 SSL virtual hosts: 1 with client authentication, 1 without client
authentication

I need to try to avoid using a second IP address for the same server.
Some folks are insisting that there must be a way to get the scenario to
work.


Hi,

maybe you should reach your goal with some mod_rewrite tricks. The 
points mentioned at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts 
are still valid, only one vhost per ip. You could give mod_rewrite a 
try to push clients to different directories which are configured for 
secure and public ssl access.


Try something like this:

  ServerName www.vhost1.com
  ServerAlias www.vhost2.com

  SSLEngine on
  SSLVerifyClient none
  SSLCACertificateFile conf/ssl.crt/ca.crt

  
SSLVerifyClient require
SSLVerifyDepth 1
  

  RewriteEngine on
  #RewriteLogLevel 7
  #RewriteLog  logs/RewriteLog
  #RewriteCond %{SERVER_NAME}
  RewriteCond %{HTTP_HOST}   www.vhost1.com
  RewriteRule ^(/index.htm)|(/)|()$  /ssl/securedir [R,L]

  RewriteCond %{HTTP_HOST}   www.vhost2.com
  RewriteRule ^(/index.htm)|(/)|()$  /ssl/public [R,L]

This would just be a starting switch, modify the regexp to push all 
desired content into the matching secure location (see 
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6). I personally did 
not try this, but if this does not work maybe mod_setenvif can be used 
to distinguish the different names.


Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: SSL Client Auth with Virtual Hosts

2005-06-02 Thread Eckard Wille 

Hoda Nadeem schrieb:

On my setup, client authentication is either on or off globally. I can't
seem to isolate it at the virtual host level.


Exactly.

Take a look at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts,
use a different IP for your second host and it will work.

Greetings from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]

Re: Private Tunnel/Key With Apache and IE?

2004-09-24 Thread Eckard Wille 
David T. Ashley wrote:
Hi,
Is there a way to load Apache and Internet Explorer with keys so that a
"private tunnel" is created automatically?
What I'm looking for is an arrangement where only a user who has keys that
I've given him can use a browser to connect to my server on Port 443.
(I'm aware of STUNNEL and similar solutions, but I'm looking for a solution
where only the browser and the server are involved.)
You are looking for client cert authentification, take another look at 
the good docs at

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6
Generate your own CA and user certs, import them into IE by using the 
pkcs12 cert format. Google for ssl.ca-0.1 from Yeak Nai Siew, these 
scripts will take you through all neccessary steps. Finally configure 
apache and you're done.

Greets from Germany,
Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: certificate signature failure

2001-06-01 Thread Eckard Wille 

[EMAIL PROTECTED] schrieb:
> 
> When I try to connect (using IE5) I am asked which personal certificate I'd
> like to use, but then I get "Page cannot be displayed" with the following in
> the error log: ...

Do the other parts of the SSL-enabled host fine? If only the
client-enabled directory does not work, then maybe your
SSLCACertificateFile does not contain the issuer of your client cert.
Try to use the ca-bundle.crt from the newer distribution within your
old server if the included CAs differ.

# httpd.conf of old server
# SSLCACertificateFile /path/to/my/ca-bundle.crt
SSLCACertificateFile /path/to/my/newer-distrib-ca-bundle.crt

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: Questions about X509 certificate extension

2000-12-14 Thread Eckard Wille 

James Xie schrieb:
> 
> After more reading and playing around with mod_ssl, Now I was able to
> retrieve a standard client certificate using mod_perl script on the server.
> The question I have now is how to add a private extension (and how to define
> one) to a client certificate or can it be done using openssl?

http://www.mail-archive.com/openssl-users@openssl.org/msg13492.html

Please make sure you look at the right places next time. If I can find
this answer in one minute, you can, too. Sure.

Eckard

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: getting self-signed CA trusted by browsers

2000-08-31 Thread Eckard Wille 

Lynn Winebarger schrieb:
> 
> I'm aware there's a potential man-in-the-middle problem, but I think
> we can afford to get an external certificate for our "canonical" server,
> then give the self-signed CA certificate from there (so they know they're
> getting it from us).

You are searching a perl CGI script for loading a CA certificate?

src/mod_ssl-2.6.6-1.3.12/pkg.contrib/loadcacert.cgi =

snip --->
#!/usr/bin/perl
##
##  loadcacert.cgi -- Load a CA certificate into Communicator
##  Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. 
##
$|++;
open(FP, ");
close(FP);
$len = length($cert);
print "Content-type: application/x-x509-ca-cert\n";
print "Content-length: $len\n";
print "\n";
print $cert;
<--- snip

Use the DER-encoded certfile to ensure the script will work for all
browsers (openssl x509 -in cacert.crt -out cacert.der -outform DER).

best regards,
Eckard

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: migrating from netscape

2000-04-14 Thread Eckard Wille 

"Shields, Dorwin T." wrote:
> 
> Hi, I'm trying to migrate
> from netscape and I already have a
> private key and cert.  The key and cert
> are combined in a netscape file.  I'm
> moving the server to apache...can anyone
> tell me how to migrate?

Look at Dr Stephen Hensons Homepage,
http://www.drh-consultancy.demon.co.uk/nskey.html

mfg

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: mod_ssl errors

2000-01-29 Thread Eckard Wille 

jay wrote:
>
> [28/Jan/2000 15:54:06 12886] [error] OpenSSL: error:140890C7:SSL 
>routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs 
>known to server for verification?]

Your browser does not present a client cert (at least no cert issued
by a CA your server knows), but you enabled client verification. If
you set "SSLVerifyClient none" in your httpd.conf, everything should
work fine. If you really need client cert verification, you have to
get||install a client cert in your browser.

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: Netscape Problem

1999-09-16 Thread Eckard Wille 

Newton wrote:
> 
> I've encountered a very similar error.  With communicator 4.61 it works
> when connecting from one machine and not aonther, though they are very
> similar.  I don't have an answer yet...let me know if you figure
> something out.

Seems like a local machine problem. It's some time ago, but I remember
I often solved these kind of problems by deleting all cert databases &
keys (export/backup personal certs before, close browser & mail
notification, delete cert?.db & key?.db, restart -> default CAs are
regenerated). "Resetting" the cert parts of the browser often helps by
problems related to prior tests with demo certs e.t.c., so you can see
if this error occurs even with a communicator out of the box.

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: invalid signature

1999-07-28 Thread Eckard Wille 

[EMAIL PROTECTED] wrote:
> 
> what I found out (maybe others are interested, too):
> 
> It seems that Netscape 3.x cannot handle CA-Certificates with more than
> 1024 bits. Can anyone ACK this? And... is there a patch (no, not upgrade :-)?

Yes, I experienced the same problems. No, I found no patch, even
fortifying did no trick (http://www.fortify.net), seems like high
numbers are a general problem for navigator.

I recommend you to drop support for generation-3.x-browsers. It is a
pain to suite your environment to enable the use of this browsers...
if you get them to work with your own (weak) CA and all your server
certs, you will get into bad trouble when you start distributing
client certs. Better spend this time to make things work with MSIE ;-)

Eckard
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Re: correction -- problem with SSL, NS 3.04 (and other?) browsers

1999-04-27 Thread Eckard Wille 

Phil Tracy wrote:
> I'm running apache 1.3.6, mod_ssl 2.2.8 and openssl 0.9.2b.  I have at least
> one user with a Netscape 3.04 browser who cannot connect to this server via SSL
> ("The security library has experienced a database error.  You will probably be
> unable to connect to the site securely.")  It works fine for me with Netscape
> 4.5 and 4.51.  The user can get to the site fine with Internet Explorer 4.0,
> but Netscape 3.04 fails consistently.

Does your CA or server cert got a key larger than 1024 bit? The
3.xx-browsers are unable to recognize signatures produced by large
keys, I remember I got the "invalid signature"-error the time I
initially tested a 2048 bit CA.

If not, try for test purpose to recreate the security databases of the
Navigator by closing, renaming cert?.db and key?.db to *.old, remove
the sec*.db and sign*.db, and restart.  these files contain
not only public keys from servers and CA's, they also contain the user
certs, and it is pretty painfull/impossible to export/import them with
3.xx .

Eckard
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How to import CA cert to Netscape

1998-12-23 Thread Eckard Wille 

Xiaping Lin wrote:
> 
> Hi,
> 
> can anyone tell me how can I load CA cert (created myself) into 
> Netscape Communicator? I think that was the reason that I can not
> get my client Cert (also created by my CA) to work.

You have to import it by downloading it from a server, running through
several confirmation dialogs. Take a look in your mod-ssl-distribution,
find "loadcacert.cgi" and adjust it for your needs. I suggest to use the
DER-encoded file format of your CA because this one is more common to
the MSIE-%&?.

Eckard
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: client certificates (again)

1998-10-27 Thread Eckard Wille 

Jesus A. Alonso schrieb:
> 
> Hi,
> 
> is there any way for making CLIENT certificates using SSLeay & mod-ssl?
> 
> if not, is there any CA which offers free client certificates or the
> only way to get one is selling it? (I need it just with testing
> purpuses)
> 
> Thanks in advance.
> 
> Jesus Alonso

If you can't get Ralfs solution to work, try a free client cert from
Thawte at , that
site also contains some info on certificate handling in common.

Eckard
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]