Client Certificate Problem

2002-06-06 Thread Jochen Vogel

hi,

I created a CA and a ClientKey which I imported in my Client.
In httpd.conf I configured

Alias /test/ /opt/www/test/
<Directory /opt/www/test/>
Options Indexes
Order allow,deny
Allow from 192.168.0.142
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>

If I try to connect I get the following error.

== ./logs/ssl_engine_log ==
[06/Jun/2002 13:04:06 01186] [info]  Connection to child 5 established
(server suse:443, client 192.168.0.142)
[06/Jun/2002 13:04:06 01186] [info]  Seeding PRNG with 23177 bytes of
entropy
[06/Jun/2002 13:04:06 01186] [info]  Connection: Client IP: 192.168.0.142,
Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[06/Jun/2002 13:04:06 01186] [info]  Connection to child 5 closed with
standard shutdown (server suse:443, client 192.168.0.142)

== ./logs/access_log ==
192.168.0.142 - - [06/Jun/2002:13:04:07 +0200] GET /test/ HTTP/1.1 403 265

== ./logs/error_log ==
[Thu Jun  6 13:04:07 2002] [error] mod_ssl: Re-negotiation handshake failed:
Not accepted by client!?
[Thu Jun  6 13:04:07 2002] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Thu Jun  6 13:04:07 2002] [error] OpenSSL: error:1409E0E5:SSL
routines:SSL3_WRITE_BYTES:ssl handshake failure

== ./logs/ssl_engine_log ==
[06/Jun/2002 13:04:07 01187] [info]  Connection to child 6 established
(server suse:443, client 192.168.0.142)
[06/Jun/2002 13:04:07 01187] [info]  Seeding PRNG with 23177 bytes of
entropy
[06/Jun/2002 13:04:07 01187] [info]  Connection: Client IP: 192.168.0.142,
Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[06/Jun/2002 13:04:07 01187] [info]  Initial (No.1) HTTPS request received
for child 6 (server suse:443)
[06/Jun/2002 13:04:07 01187] [info]  Requesting connection re-negotiation
[06/Jun/2002 13:04:07 01187] [info]  Awaiting re-negotiation handshake
[06/Jun/2002 13:04:07 01187] [error] Re-negotiation handshake failed: Not
accepted by client!?
[06/Jun/2002 13:04:07 01187] [error] SSL error on writing data (OpenSSL
library error follows)
[06/Jun/2002 13:04:07 01187] [error] OpenSSL: error:1409E0E5:SSL
routines:SSL3_WRITE_BYTES:ssl handshake failure
[06/Jun/2002 13:04:07 01187] [info]  Connection to child 6 closed with
unclean shutdown (server suse:443, client 192.168.0.142)

== ./logs/ssl_request_log ==
[06/Jun/2002:13:04:07 +0200] 192.168.0.142 SSLv3 (NONE) GET /test/
HTTP/1.1 265

== ./logs/access_log ==
192.168.0.142 - - [06/Jun/2002:13:04:09 +0200] GET /test/ HTTP/1.1 403 265

== ./logs/error_log ==
[Thu Jun  6 13:04:09 2002] [error] mod_ssl: Certificate Verification: Error
(20): unable to get local issuer certificate
[Thu Jun  6 13:04:09 2002] [error] mod_ssl: Re-negotiation handshake failed:
Not accepted by client!?
[Thu Jun  6 13:04:09 2002] [error] mod_ssl: Certificate Verification: Error
(20): unable to get local issuer certificate
[Thu Jun  6 13:04:09 2002] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Thu Jun  6 13:04:09 2002] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

== ./logs/ssl_engine_log ==
[06/Jun/2002 13:04:09 01188] [info]  Connection to child 7 established
(server suse:443, client 192.168.0.142)
[06/Jun/2002 13:04:09 01188] [info]  Seeding PRNG with 23177 bytes of
entropy
[06/Jun/2002 13:04:09 01188] [info]  Connection: Client IP: 192.168.0.142,
Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[06/Jun/2002 13:04:09 01188] [info]  Initial (No.1) HTTPS request received
for child 7 (server suse:443)
[06/Jun/2002 13:04:09 01188] [info]  Requesting connection re-negotiation
[06/Jun/2002 13:04:09 01188] [info]  Awaiting re-negotiation handshake
[06/Jun/2002 13:04:09 01188] [error] Certificate Verification: Error (20):
unable to get local issuer certificate
[06/Jun/2002 13:04:09 01188] [error] Re-negotiation handshake failed: Not
accepted by client!?
[06/Jun/2002 13:04:09 01188] [error] Certificate Verification: Error (20):
unable to get local issuer certificate
[06/Jun/2002 13:04:09 01188] [error] SSL error on writing data (OpenSSL
library error follows)
[06/Jun/2002 13:04:09 01188] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[06/Jun/2002 13:04:09 01188] [info]  Connection to child 7 closed with
unclean shutdown (server suse:443, client 192.168.0.142)

== ./logs/ssl_request_log ==
[06/Jun/2002:13:04:09 +0200] 192.168.0.142 SSLv3 (NONE) GET /test/
HTTP/1.1 265

thx for help
Jochen
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
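
Error (20) in the log above is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the verifier found no issuer for the presented certificate in its trust store (for mod_ssl, the file or directory named by SSLCACertificateFile / SSLCACertificatePath). The script below is an added example, not part of the original post; it reproduces that result offline with openssl verify, using a throwaway CA and client certificate whose file names and subjects are constructed.

```shell
#!/bin/sh
# Added example: throwaway PKI built in a temp dir; every name is constructed.
set -eu

make_pki() {  # $1 = working directory
    d=$1
    # Own minimal config, so the result does not depend on the system openssl.cnf.
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Two self-signed CAs: "ca" signs the client cert, "other" is unrelated.
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$d/pki.cnf" -subj "/CN=Example $ca CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null
    done
    # Client key and CSR, then a client certificate issued by "ca".
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$d/pki.cnf" -subj "/CN=example-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -days 1 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" 2>/dev/null
}

# Prints OK, ERR20 or OTHER for certificate $2 checked against trust file $1.
verify_result() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"error 20 at"*) echo ERR20 ;;
        *": OK"*)        echo OK ;;
        *)               echo OTHER ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
# Trust file holds the issuing CA: the chain builds.
echo "issuer trusted:   $(verify_result "$work/ca.crt" "$work/client.crt")"
# Trust file lacks the issuer: same failure class as "Error (20)" in the log.
echo "issuer not found: $(verify_result "$work/other.crt" "$work/client.crt")"
```

Running the same openssl verify -CAfile check against the CA file the server is configured with and the certificate installed in the client shows whether the server can build the chain before any TLS handshake is involved.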



Client certificate-problem

1999-12-15 Thread P.K.B. Hari Gopal

Hi,
I have created a client certificate with my CA using openssl as
openssl ca -in client.csr
Then converted it into DER encoded format and trying to import it into
browser. But it is not listing the certificate in any category of
certificates. Even it is not listing it in certificates list when I tried
to connect to Apache SSL server with client authentication option enabled.
How to solve this? Is it the correct procedure of creating client
certificates? I just uncommented the SSLVerifyClient require line in
httpd.conf file.
In which section I have to specify if I want different access permissions
for a particular directory or URL? (I am working on WindowsNT 4.0).
Thanks and Regards,
Hari.




Client Certificate Problem

1999-05-27 Thread Chris H. Jensen

Running Linux 2.0.36, Apache 1.3.6, Openssl 0.9.3, Mod_ssl 2.3.0.

My server is up and running and seems to work fine in secure mode without a client cert. But every time I create and install a client cert. in Netscape 4.06 I get a "received bad data from server" message. The server log has the following.

[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)
[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

From reading the openssl.cnf file it says that nsCertType can be left alone except for object signing. If I am creating a self sign cert. to sign my server.crt, should I change the openssl.cnf file to allow signing ca.crt and then change it back before I create my server.crt? And do I do the same thing while creating client certs with CA.sh?

Also, if anyone has another idea I'd like to hear it.

Chris Jensen
[EMAIL PROTECTED]