Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
Hello,

I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and
possibly tomcat 4.1.27).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content.

However, the 4th application doesn't work. One of the working applications
is PHP; another working application is JSP-based, so it uses Tomcat.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser (IE),
but the JAVA Plug-In just says "applet not found", and in the web-server
error file (put in INFO) I see the following errors:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.136.126.30)


I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate cannot be verified by the server due to a missing CA
certificate (which it has). If one or both of these problems were there,
the other three applications would not work either, but they do!

Now I was wondering if it could be an issue somewhere in between mod_ssl,
mod_jk and Tomcat?

In principle the connector between Apache and Tomcat works, otherwise the
JSP application would not work either. That can be easily verified by
inserting a bug in this configuration and voila, the JSP app stops
working.

Any ideas?

   thanks in advance

Herbert

PS: if I switch on debug level, I get even more info, which does not help
me, but it first says something about client certificate A (success) and
then something about a certificate B. What is this about?

[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_ini

RE: Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established (server esdsv07.my.com:443, client 115.136.126.30)



It started with read/written client certificate A, no error, then suddenly
says something about client certificate B, which fails. What is client
certificate B?



-- 
Herbert Neugebauer
[EMAIL PROTECTED]
71088 Holzgerlingen  Germany
*
War does not decide who's right, only who's left
-- unknown quote

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
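An added example, not part of the thread above and not mod_ssl's own code: a small Python decoder for the packed OpenSSL error codes that mod_ssl prints (the `error:140890C7:...` token), run over a constructed log sample modelled on the lines quoted in the post. The point it makes is that the code itself says which failure mode occurred: library 20 / function 137 / reason 199 is "peer did not return a certificate", i.e. the client answered the server's CertificateRequest with an empty Certificate message, which is a different condition from a presented certificate failing verification (reason 178, "no certificate returned"). The "No CAs known to server for verification?" text is mod_ssl's generic annotation appended to that error, not evidence about the CA configuration. Assumptions are marked in the code: the reason-code numbering is from OpenSSL 0.9.x headers, clients 10.0.0.5 and 10.0.0.9 are invented for contrast, and attributing an "SSL Library Error" line to the preceding "in handshake" line is a best-effort heuristic.

```python
import re
from collections import defaultdict

# OpenSSL 0.9.x/1.0.x pack an error as 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20                          # printed as "SSL routines"
SSL_F_SSL3_GET_CLIENT_CERTIFICATE = 137   # server-side handler for the client's Certificate message
# Reason codes as numbered in OpenSSL 0.9.x ssl.h (assumption: unchanged across that era's releases).
SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE = 199   # client answered CertificateRequest with an empty chain
SSL_R_NO_CERTIFICATE_RETURNED = 178             # client sent a chain, but the verify callback rejected it


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(code):
    """Name the failure mode behind a packed error code from the client-cert handler."""
    lib, func, reason = decode_openssl_error(code)
    if lib != ERR_LIB_SSL or func != SSL_F_SSL3_GET_CLIENT_CERTIFICATE:
        return "not a client-certificate error"
    if reason == SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE:
        return "client sent no certificate"
    if reason == SSL_R_NO_CERTIFICATE_RETURNED:
        return "certificate rejected by verifier"
    return "other client-certificate failure (reason %d)" % reason


# Log-line shapes taken from the mod_ssl excerpt quoted in the thread.
RE_ESTABLISHED = re.compile(r"Connection to child \d+ established \(server ([^,\s]+), client ([\d.]+)\)")
RE_HANDSHAKE = re.compile(r"SSL library error \d+ in handshake \(server ([^,\s]+), client ([\d.]+)\)")
RE_LIBERROR = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")


def summarize(log_text):
    """Per-client tally of established connections, failed handshakes and decoded causes.

    The "SSL Library Error" line carries no client address, so it is attributed to the
    client named in the immediately preceding "in handshake" line (assumption/heuristic:
    with many children logging at once two failures can interleave).
    """
    stats = defaultdict(lambda: {"established": 0, "handshake_failures": 0, "causes": []})
    pending_client = None
    for line in log_text.splitlines():
        m = RE_ESTABLISHED.search(line)
        if m:
            stats[m.group(2)]["established"] += 1
            continue
        m = RE_HANDSHAKE.search(line)
        if m:
            pending_client = m.group(2)
            stats[pending_client]["handshake_failures"] += 1
            continue
        m = RE_LIBERROR.search(line)
        if m and pending_client is not None:
            decimal_code, hex_code = int(m.group(1)), int(m.group(2), 16)
            # mod_ssl prints the same value twice (decimal, then OpenSSL's hex form).
            if decimal_code != hex_code:
                stats[pending_client]["causes"].append("inconsistent error line")
            else:
                stats[pending_client]["causes"].append(classify(hex_code))
            pending_client = None
    return dict(stats)


# Constructed sample: the two failing clients are the ones from the post (lines re-joined);
# 10.0.0.5 and 10.0.0.9 are invented to show a verifier rejection and a clean handshake.
SAMPLE_LOG = """\
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:54 2003] [info] Connection to child 12 established (server esdsv07.bbn.hp.com:443, client 10.0.0.5)
[Tue Aug 05 18:56:54 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 10.0.0.5)
[Tue Aug 05 18:56:54 2003] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Tue Aug 05 18:56:55 2003] [info] Connection to child 13 established (server esdsv07.bbn.hp.com:443, client 10.0.0.9)
"""

if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
```

Run against a real error_log (`summarize(open("error_log").read())`), the per-client causes separate "the client offered nothing" from "the client offered something the server would not accept"; for the first case the thing to look at is which client-side TLS stack handled that particular request and whether it had a certificate to offer, not the server's CA list.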