RE: SSLVerifyClient fails

2005-08-04 Thread Sven Löschner
OK, a friend of mine sent me a working CA cert with a working client
cert, but it's not working for me. I guess I will set up an Apache 1.x
and delete the Apache2, because it makes a lot of trouble working
correctly, e.g. with OpenSSL. I tried a lot of versions, but always errors
(OpenSSL 0.9.7f - 0.9.8, Apache 2.0.48, 2.0.54, 2.0.55-dev).


Sven

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: SSLVerifyClient fails

2005-08-04 Thread Paul Puschmann
Sven Löschner schrieb:
>> Try using "openssl s_client " to connect (? arg for
>> options). It'll give a lot of debug info.
> 
> 
> Okay, I tried "openssl s_client -connect www.test.de:443 -CAfile
> /etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
> /etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
> -showcerts -state -bugs"
> 
> The output is the following:
> 
> CONNECTED(0003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
> Server/CN=www.test.de/[EMAIL PROTECTED]
> verify error:num=20:unable to get local issuer certificate

Seems you don't have the required Root CA certificates installed on your
webserver (you need the root certificate of your client certificates).
Anyone correct me if I'm wrong.

Paul
-- 
Linux-User #271918 with the Linux Counter, http://counter.li.org/





RE: SSLVerifyClient fails

2005-07-29 Thread Sven Löschner
> Try using "openssl s_client " to connect (? arg for
> options). It'll give a lot of debug info.

Okay, I tried "openssl s_client -connect www.test.de:443 -CAfile
/etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
/etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
-showcerts -state -bugs"

The output is the following:

CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
Server/CN=www.test.de/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
Server/CN=www.test.de/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
Server/CN=www.test.de/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
22430:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:



Sven



RE: SSLVerifyClient fails

2005-07-29 Thread Matt Stevenson
Try using "openssl s_client " to connect (? arg for
options). It'll give a lot of debug info.








RE: SSLVerifyClient fails

2005-07-29 Thread Sven Löschner
> SSLVerifyDepth equal to 2.

Thx, I tried Depth from 1 to 10 but no effect. I think my certificates
are wrong, especially the concatenated one. Is there a way to prove these
certificates?

Sven  



Re: SSLVerifyClient fails

2005-07-29 Thread Matt Stevenson
Hi,

You have an intermediate and a Root CA; try setting
SSLVerifyDepth equal to 2.

Regards
Matt








SSLVerifyClient fails

2005-07-29 Thread Sven Löschner
I've got a big problem with SSLVerifyClient. I had a similar problem before,
but now the error(s?) is really more strange (from my point of view). I used
this tutorial: http://fra.nksteidl.de/Erinnerungen/OpenSSL.php

I have got two sections. One with only server-side SSL (works), and a folder
(called 'demo', with a file 'index.php') with client-side SSL. When I call
the site my browser asks me to choose a cert I want to use to enter the
site. I choose the right one (exported via PKCS), and then IE says "cannot
find server or DNS", and Firebird doesn't do anything (it stays on my
start page, but with the "lock" symbol in the task bar).



So I have got a Root_CA, a Server_CA and a User_CA.

The Root_CA verifies the other 2 CAs. Server_CA verifies server certificates
(no problem). User_CA verifies client certificates.

I concatenated the certificates from Root and User_CA: "cat /RootCA.cert.pem
/UserCA.cert.pem > UserCAchaincert.pem"

My integration in apache:

NameVirtualHost xxx.xxx.xxx.xxx:443

    ServerName test.de
    DocumentRoot /srv/www/htdocs/web3/html/test
    php_admin_value open_basedir /srv/www/htdocs/web3/html/test

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLProtocol all

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLOptions +StdEnvVars +ExportCertData
    ErrorLog "/var/log/apache2/test/ssl.log"
    LogLevel debug
    SSLVerifyClient none
    SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
    SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
    SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1

If you need something more, just let me know. And thank you very much in
advance for every helpful idea, because I have been trying to get this to
work for weeks.

Sven

P.S.: I use SuSE Linux 9.0 with mod_ssl and OpenSSL 0.9.7b (would like to
update).
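As an added example, not code from the thread: a small POSIX shell check for a CA bundle built with cat, as in the original post, reporting whether the PEM file is well-formed and the SSLVerifyDepth the client certificate needs (the value Matt suggests). The file names UserCAchaincert.pem and svencert.pem are taken from the thread; the function names and the constructed test files are mine, and openssl is only used if it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a concatenated CA bundle
# such as UserCAchaincert.pem before pointing SSLCACertificateFile at it,
# and report the SSLVerifyDepth a client certificate issued under it needs.
# Assumes only POSIX tools; openssl is used only if it is installed.

# Number of clean PEM header lines in the bundle.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true; }

# Lines that carry a PEM marker but are not a clean header or footer.
# "cat RootCA.cert.pem UserCA.cert.pem" glues the two files together when
# the first one lacks a trailing newline, producing a single line
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" that the PEM
# reader cannot parse, so the second certificate is silently lost.
glued_lines() {
    grep -e 'BEGIN CERTIFICATE' -e 'END CERTIFICATE' "$1" \
    | grep -cv -e '^-----BEGIN CERTIFICATE-----$' -e '^-----END CERTIFICATE-----$' \
    || true
}

# True when the bundle has at least one certificate, matching header and
# footer counts, and no glued marker lines.
bundle_ok() {
    n=$(count_certs "$1")
    e=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$n" -ge 1 ] && [ "$n" -eq "$e" ] && [ "$(glued_lines "$1")" -eq 0 ]
}

# SSLVerifyDepth counts issuers above the client certificate: depth 0 is the
# client cert, 1 its issuing User_CA, 2 the Root_CA. For a bundle holding
# exactly the issuing chain, the depth must be at least the number of CAs.
required_depth() { count_certs "$1"; }

# Let openssl build the chain for a client certificate against the bundle.
verify_client_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl verify -CAfile "$1" "$2"
}

# Usage: sh check_bundle.sh UserCAchaincert.pem [svencert.pem]
if [ $# -ge 1 ]; then
    if bundle_ok "$1"; then
        echo "$1: $(count_certs "$1") certificate(s), needs SSLVerifyDepth >= $(required_depth "$1")"
    else
        echo "$1: malformed bundle, $(glued_lines "$1") glued marker line(s)" >&2
        exit 1
    fi
    if [ $# -ge 2 ]; then verify_client_cert "$1" "$2"; fi
fi
```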
