Hello,

I would appreciate any help on this please.

I am using Apache 1.3.23 on RedHat 7.3 with mod_ssl 2.8.7 and openssl 
0.9.6b-28.
This web server provides access to our internal Bugzilla database.

I have set up a CA on my server using /usr/share/ssl/misc/CA.pl and I 
issue browser certificates from it.

I have copied the CA certificate and appended it to 
/etc/httpd/conf/ssl.crt/ca-bundle.crt.

I have the following configuration in httpd.conf:

<Directory /var/www/html/bugzilla>
        Options ExecCGI FollowSymLinks
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_OU} in {"Support", "Bugzilla"}
</Directory>

I have also uncommented:

SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

in httpd.conf.

I generated an Apache server certificate using

make testcert

in /etc/httpd/conf so that the correct machine name was in the CN attribute.

This is all working fine. However, my colleague and I both have Thawte 
freemail certificates installed and that's when we get a problem.

Using Mozilla with the configuration set to prompt for a certificate, 
both the browser certificate and the Thawte certificate are displayed 
with the Thawte certificate being listed first. If the configuration is 
set to automatically select a certificate, the Thawte certificate is 
chosen.
The behaviour is similar using IE.

The symptoms we see in Bugzilla are that we seem to be circulating 
through the same 3-4 pages (depending upon what we choose).

The ssl_engine_log file shows:

[19/Aug/2002 12:35:23 01206] [error] Re-negotiation handshake failed: 
Not accepted by client!?
[19/Aug/2002 12:35:23 01206] [error] SSL error on writing data (OpenSSL 
library error follows)
[19/Aug/2002 12:35:23 01206] [error] OpenSSL: 
error:1409E0E5:lib(20):func(158):reason(229)
When we remove the Thawte certificate, everything works.

The Thawte certificate has no O or OU specified, so why do the browsers 
find a match with it?

Cheers

Dave.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
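A diagnostic for the situation described above, added here as an example and not part of Dave's post or of mod_ssl: mod_ssl sends the subject DNs of every CA in SSLCACertificateFile/SSLCACertificatePath to the browser as its acceptable-issuer list, and a browser offers any client certificate whose issuer is on that list; SSLRequire is only evaluated afterwards on the certificate actually sent. The script lists those subjects from a bundle and checks whether a given client certificate's issuer is among them. The openssl CLI, the bundle path and the certificate files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI and a
# PEM bundle such as /etc/httpd/conf/ssl.crt/ca-bundle.crt. The subjects of
# the CAs in that bundle are what mod_ssl advertises as acceptable issuers,
# so a client certificate chaining to any of them is offered by the browser,
# whatever its O/OU; SSLRequire only sees the certificate that was sent.

# Print one "subject=..." line for each certificate in a PEM bundle.
# Text between certificates (ca-bundle.crt carries plenty) is ignored.
bundle_ca_subjects() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { if (n) close(d "/" n ".pem"); n++ }
                     n > 0 { print > (d "/" n ".pem") }' "$1"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -subject
    done
    rm -rf "$tmp"
}

# Print the issuer DN of a client certificate in the same "subject=" form
# that bundle_ca_subjects uses, so the two can be compared literally.
client_issuer_as_subject() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/'
}

# Return 0 if the client certificate's issuer is one of the bundle's CAs,
# i.e. if a browser would list this certificate for the server.
would_be_offered() {
    issuer=$(client_issuer_as_subject "$2") || return 1
    bundle_ca_subjects "$1" | grep -Fqx -- "$issuer"
}

# Usage: would_be_offered /etc/httpd/conf/ssl.crt/ca-bundle.crt client.pem
```

Run it once against the bundle with the browser certificate and once with the Thawte one; both matching explains why both are listed.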