Hi all!

I have an https server with apache/2.2.12+mod_ssl/2.2.14 and OpenSSL/0.9.8g.
I want to perform authentication based on client S/MIME certificates.
Clients have certificates with only the following purposes:
- S/MIME signing
- S/MIME encryption
But no SSL client or SSL server.

So I'm getting the following error during authentication:

...
[Wed Feb 10 11:36:59 2010] [error] [client 127.0.0.1] Certificate Verification: Error (26): unsupported certificate purpose
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [info] [client 127.0.0.1] SSL library error 1 in handshake (server 127.0.1.1:443)
[Wed Feb 10 11:36:59 2010] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
...

I tried to solve this by customizing 'ssl_engine_init.c' from mod_ssl.
I added the following lines in the ssl_init_ctx_verify function:

/*
 *  Configure CTX purpose: relax the X509 purpose check so that
 *  certificates without an SSL-client purpose are still accepted.
 *  SSL_CTX_set_purpose() returns 1 on success and 0 on failure.
 */
if (SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY)) {
   ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
      "Purpose successfully set");
} else {
   ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose set failed");
}

 /*
  * Configure Client Authentication details
  */

But it doesn't work. It seems the SSL_CTX_set_purpose call itself is fine, and there is a "Purpose successfully set" line in the Apache log file, but I'm still getting the "unsupported certificate purpose" error. I haven't found any certificate purpose configuration code in the mod_ssl source.

I will be grateful for any help.


Yaroslav



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
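The "Error (26): unsupported certificate purpose" line above is an X509 chain-verification error (X509_V_ERR_INVALID_PURPOSE), which a TLS server raises when the client certificate's extendedKeyUsage is present but does not contain clientAuth. The following script is an added example and is not part of the original post or of mod_ssl: it builds a throwaway CA and an S/MIME-only client certificate with the openssl CLI and runs the same purpose check from the command line, first as "sslclient" (what a TLS server applies) and then as "any". The names ("Test S-MIME CA", "smime-only-client", user@example.com) and the config sections are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce X509 error 26 with the openssl CLI on a
# constructed, throwaway PKI. Every key and certificate is generated here
# and deleted on exit; nothing refers to a real deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config: a CA section and an S/MIME-only leaf section. The leaf
# has extendedKeyUsage=emailProtection only, i.e. the certificate profile the
# post describes (S/MIME signing and encryption, no SSL client/server).
cat > "$WORK/smime.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = smime-only-client
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_smime ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.com
EOF

make_test_pki() {
    # Self-signed CA
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test S-MIME CA" \
        -config "$WORK/smime.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # Leaf request, then a CA-signed leaf carrying the v3_smime extensions
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/smime.cnf" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/smime.cnf" -extensions v3_smime \
        -out "$WORK/client.pem" 2>/dev/null
}

# Print the purpose table OpenSSL derives from the certificate's extensions.
show_purposes() {
    openssl x509 -noout -purpose -in "$WORK/client.pem"
}

# Extract one row of that table, e.g. purpose_flag 'SSL client' -> "No".
purpose_flag() {
    show_purposes | sed -n "s|^$1 : ||p"
}

# Verify the leaf against the CA for a given purpose name (sslclient, any, ...).
# Returns 0 when the chain is accepted for that purpose. The result is taken
# from the printed "<file>: OK" line rather than the exit status, which has
# not been consistent across openssl releases.
verify_as() {
    out=$(openssl verify -purpose "$1" -CAfile "$WORK/ca.pem" \
          "$WORK/client.pem" 2>&1) || true
    printf '%s\n' "$out"
    case "$out" in
        *"client.pem: OK"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

make_test_pki
show_purposes
echo "--- verify as TLS client (the check a TLS server performs):"
verify_as sslclient || echo "rejected with error 26, as in the mod_ssl log"
echo "--- verify with purpose 'any':"
verify_as any
```

Run it before patching mod_ssl: the "SSL client : No" row from `openssl x509 -purpose` and the error 26 from `openssl verify -purpose sslclient` confirm that the rejection comes from OpenSSL's X509 purpose check on the server side, not from anything in the certificate chain itself. The sslclient purpose is satisfied only by a certificate whose extendedKeyUsage contains clientAuth or which has no extendedKeyUsage extension at all.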