[users@httpd] Getting re-negotiation errors with client certificate

Tue, 22 Nov 2011 10:50:27 -0800 

I am getting client certificate errors in the Apache error log:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
[Tue Nov 22 10:06:49 2011] [error] [client 192.168.145.120] Re-negotiation
handshake failed: Not accepted by client!?
[Tue Nov 22 10:06:49 2011] [error] [client 192.168.145.120] Re-negotiation
request failed
[Tue Nov 22 10:06:49 2011] [error] SSL Library Error: 336126196
error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message
Error reading S/MIME message
18150:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1316:
18150:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=PKCS7
Error reading S/MIME message
18153:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1316:
18153:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:380:Type=PKCS7
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

The relevant portion of the Apache configuration is this:

 SSLCACertificateFile /etc/mdm/client-ca-certs.pem

 SSLOptions +FakeBasicAuth +StrictRequire +StdEnvVars +OptRenegotiate
 SSLInsecureRenegotiation on
 SSLVerifyClient none

 <LocationMatch /device.*/checkin>
   SSLOptions +ExportCertData +OptRenegotiate
   SSLVerifyClient require
   SSLVerifyDepth 5
 </LocationMatch>
I have mobile devices running iOS 5 (iPhones and iPads) that have registered with a mobile-device management (MDM) service I am running. All these devices have client-certificates that were issued when they enrolled in the MDM service.
Even though I see these error messages, Apache *does* allow the devices to access the /checkin URL. But I want to understand what the error messages mean. 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to