Re: Client Authentication with Openssl - Apache - errror -12227
My mozilla browser (version 1.6) returns the error. When I install the client certificate in iexplorer (version 6.0) I get a pop-up window asking me to select a client certificate from an empty list.

By the way, I just tried to make the certificates as explained in the ssl cookbook on http://www.pseudonym.org/ssl/ssl_apache.html
It results in the same error.

I created all the certificates on a gentoo server which is fully up to date. This machine is also used as the apache2 server and openssl 0.9.7c.

--- Peter Sylvester [EMAIL PROTECTED] wrote:

Re: Client Authentication with Openssl - Apache - errror -12227
On Tue, Feb 24, 2004, Bo Boe wrote:

> My mozilla browser (version 1.6) returns the error. When I install the client certificate in iexplorer (version 6.0) I get a pop-up window asking me to select a client certificate from an empty list.
>
> By the way, I just tried to make the certificates as explained in the ssl cookbook on http://www.pseudonym.org/ssl/ssl_apache.html
> It results in the same error.
>
> I created all the certificates on a gentoo server which is fully up to date. This machine is also used as the apache2 server and openssl 0.9.7c.

http://www.openssl.org/support/faq.html#USER10

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Client Authentication with Openssl - Apache - errror -12227
Oops, there we do have some kind of a problem. The response to:

    openssl s_client -connect www.bliek.org:443 -prexit

looks like:

    CONNECTED(0003)
    depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
    verify return:1
    9493:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
    9493:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
    ...
    depth=0 /C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL PROTECTED]
    ...

So alright, something does go wrong, but it's still unclear to me why.

This is how I created the key that resulted in these errors:

Create directories

    mkdir /opt/ssl/Server
    mkdir /opt/ssl/CA
    mkdir /opt/ssl/Client

Create server keys

    cd /opt/ssl/server
    openssl req -new server.cert.csr
    openssl rsa -in privkey.pem -out server.cert.key
    openssl x509 -in server.cert.csr -out server.cert.cert -req -signkey server.cert.key -days 365

note: I use CN = www.mydomain.com for all keys

Create CA keys

    cd /opt/ssl/CA
    openssl req -new CA.cert.csr
    openssl rsa -in privkey.pem -out cA.cert.key
    openssl x509 -in CA.cert.csr -out CA.cert.cert -req -signkey CA.cert.key -days 365

Create Client keys

    cd /opt/ssl/client
    openssl req -new client.cert.csr
    openssl rsa -in privkey.pem -out client.cert.key
    openssl x509 -in client.cert.csr -out client.cert.cert -req -signkey client.cert.key -days 365

Sign the client request with the CA.cert.key

    openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey ../CA/CA.cert.key -CA \
    ../CA/CA.cert.cert -CAkey ../CA/CA.cert.key -CAcreateserial -days365

Export cert/keys to server

    cp /opt/ssl/server/server.cert.cert /etc/apache/conf/ssl/.
    cp /opt/ssl/server/server.cert.key /etc/apache/conf/ssl/.
    cp /opt/ssl/CA/CA.cert.cert /etc/apache/conf/ssl/.

Edit apache configuration

    nano -w /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf

    SSLCertificateFile /path/to/certs/server.cert.cert
    SSLCertificateKeyFile /path/to/certs/server.cert.key
    SSLCACertificateFile /path/to/certs/CA.cert.cert
    SSLVerifyClient require

Restart apache server

    /etc/init.d/apache2 restart

note: I do have several vhosts on my machine

Export cert to client

    cp /opt/ssl/client/client.cert/cert - client machine

Import key into browser:
start mozilla - edit - preferences - privacy security - certificates - manage certificates - authorities - import

Browse to my www.mydomain.org (not to any of the other vhosts)

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Tue, Feb 24, 2004, Bo Boe wrote:
>
> > My mozilla browser (version 1.6) returns the error. When I install the client certificate in iexplorer (version 6.0) I get a pop-up window asking me to select a client certificate from an empty list.
> >
> > By the way, I just tried to make the certificates as explained in the ssl cookbook on http://www.pseudonym.org/ssl/ssl_apache.html
> > It results in the same error.
> >
> > I created all the certificates on a gentoo server which is fully up to date. This machine is also used as the apache2 server and openssl 0.9.7c.
>
> http://www.openssl.org/support/faq.html#USER10
>
> Steve.
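
Added example, not part of the original thread or of the OpenSSL project: a check for a setup like the one described above, where `SSLVerifyClient require` makes Apache accept only client certificates that chain to the CA in `SSLCACertificateFile`. It builds a throwaway CA, one client certificate issued by it and one self-signed client certificate, then tests each against the CA file. All subjects and file names are constructed test values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Subjects and file names are constructed test values.

# Build a throwaway CA, a client cert issued by it, and a self-signed client cert.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=Example Test Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -days 365 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/client.crt" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -days 365 \
        -signkey "$d/client.key" -out "$d/selfsigned.crt" 2>/dev/null
}

# Print one name field of a certificate in a stable format.
cert_name() {   # $1 = certificate file, $2 = subject|issuer
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Returns 0 = issued by the CA and the chain verifies, 2 = self-issued,
# 3 = issued by a different CA, 4 = names match but verification fails.
check_client_cert() {   # $1 = CA file (as in SSLCACertificateFile), $2 = client cert
    issuer=$(cert_name "$2" issuer)
    if [ "$issuer" = "$(cert_name "$2" subject)" ]; then
        echo "$2: self-issued ($issuer)"; return 2
    fi
    if [ "$issuer" != "$(cert_name "$1" subject)" ]; then
        echo "$2: issuer '$issuer' is not the CA in $1"; return 3
    fi
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || {
        echo "$2: chain verification failed"; return 4; }
    echo "$2: issued by '$issuer', chain verifies"
}

# Demo run on the constructed certificates.
demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for c in client.crt selfsigned.crt; do
    check_client_cert "$demo/ca.crt" "$demo/$c" || echo "  -> would not be accepted"
done
rm -rf "$demo"
```

Giving the CA, server and client certificates distinct subject names keeps the issuer comparison meaningful; with identical names a CA-signed certificate is indistinguishable by name from a self-signed one.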