On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software) <steve.ber...@hp.com> wrote: > My test originally was this > <Location /> > SSLVerifyClient require > > SSLVerifyDepth 10 > > SSLOptions +StdEnvVars > </location> > > Same issue whether based on a directory or using the root location. > I'm still trying to figure out why one and only IE works, but no others. > I've tried HTTP Analyzer plugin for IE which only shows a single error > (nothing else) > > ERROR_INTERNET_SECURITY_CHANNEL_ERROR > > Nothing else at all in the trace. > > If I go to the root url (which is SSL Enabled, but no client verify) > > I will try your suggestion of wireshark.
Putting it in <Location /> is still the more complicated case of: handshake without request for client authentication read request server-driven renegotiation of the handshake with client authentication request *hope IE prompts* SSLVerifyClient is accepted in <VirtualHost> context, which should cause the initial handshake to ask for a client cert. > > > -----Original Message----- > From: Eric Covener [mailto:cove...@gmail.com] > Sent: Tuesday, October 27, 2009 10:17 AM > To: users@httpd.apache.org > Subject: Re: [us...@httpd] Requesting help with Smart Card Client Certificate > Authentication issue. > > On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software) > <steve.ber...@hp.com> wrote: >> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin"> >> >> SSLVerifyClient require >> >> SSLVerifyDepth 10 >> >> SSLOptions +StdEnvVars >> >> </Directory> > > > Can you simplify your testing by setting this outside of per-directory > config? Have you used wireshark to see if Apache is sending the > proper list of trusted certificates that line up with whoever signed > your certs in your HW device? > > Perhaps > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile > or http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath > might help? > > -- > Eric Covener > cove...@gmail.com > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- Eric Covener cove...@gmail.com --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org