Hello Martin, thanks for the reply. I have those directives already and it all works until I add: *SSLVerifyClient require*
I changed this directive to *optional* and it seems to work now, though I am not so confident in this configuration. I wonder if there is a way to pass the client cert through to the python proxy?
Thanks,
G40

On Tue, Jan 18, 2011 at 9:30 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi G40,
>
> the "SSLVerifyClient require" requires that the client presents a
> certificate.
> You have to configure also the list of Certification Authorities that
> the server accepts by the following directives:
>
> SSLCACertificatePath /etc/ssl/certs/
> or
> SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
>
> If the client certificate is not signed by a root CA, but by some
> intermediate CA, which may be in turn signed by another intermediate CA,
> etc., you need also to set the value for SSLVerifyDepth to the highest
> length of the certificate chain that the client may provide.
>
> The "Allow" directives play no role in this, because the error you have
> got happened during the SSL handshake, which is sooner than the Allow
> directives are applied.
>
> Martin
>
> On 18.1.2011 16:16, g f wrote:
>> Hello all,
>> I have a Debian OS running Apache 2.2.16 (Debian) along with Tomcat 6.0.29.
>> I use mod_jk as well as the mod_auth_kerb module for Apache. Apache and the
>> modules are Debian repository packages.
>>
>> I recently attempted to activate common access cards and if I just
>> activate them but do not force them it works great.
>> Once I force access cards, I get the following error and my web-apps
>> break.
>>
>> Force access cards via:
>> SSLVerifyClient require
>> SSLVerifyDepth 2
>>
>> info level logging error.log:
>> [Tue Jan 18 14:47:07 2011] [info] [client 127.0.1.1] SSL library error 1
>> in handshake (server myserver.xxx.xxx.xxx:443)
>> [Tue Jan 18 14:47:07 2011] [info] SSL Library Error: 336105671
>> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return
>> a certificate No CAs known to server for verification?
>>
>> The web-app that throws this message uses a python proxy to make an ajax
>> call to a different web context (we do this to avoid the cross site error).
>> I believe what is happening is that the python script [client 127.0.1.1]
>> is making the request to apache without valid client certs and hence is
>> getting denied.
>> I have a directive in apache2_home/sites-enabled/default-ssl conf file
>> that I had hoped would solve this issue (however it does not).
>> directive in default-ssl conf file:
>> Allow from localhost
>> Allow from 127.0.1.1
>> Allow from 127.0.0.1
>>
>> Is there a solution to this issue?
>> Perhaps a way to not require client cert from localhost?
>> Thanks for any advice, much appreciated!
>>
>> Cheers,
>> G40
>>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Supercomputing Center Brno                  Martin Kuba
> Institute of Computer Science       email: ma...@ics.muni.cz
> Masaryk University
> http://www.ics.muni.cz/~makub/
> Botanicka 68a, 60200 Brno, CZ         mobile: +420-603-533775
> --------------------------------------------------------------
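Added illustration, not part of the thread and not G40's or Martin's configuration: one way to express in Apache 2.2 mod_ssl terms what the two messages circle around. The handshake-level `SSLVerifyClient require` cannot be exempted by `Allow from`, because the cert is demanded before any per-directory access control runs; but `SSLVerifyClient` is also valid inside `<Location>`, where mod_ssl enforces it by renegotiating once the URL is known, so the card-protected application can `require` while the endpoint the local proxy hits stays `optional` and is fenced off by address instead. The same block shows the verified certificate being handed to the backend through request headers (or to mod_jk, which forwards `SSL_CLIENT_CERT` when `+ExportCertData` is on). The certificate paths, `myserver.example.org`, the `/webapp` and `/proxy-target` locations, the header names and the `ajp13_worker` name are assumptions.

```apache
<VirtualHost _default_:443>
    ServerName myserver.example.org        # assumed name
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt   # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key   # assumed path

    # CAs whose client certs are accepted; without this, "require"
    # fails the handshake with "No CAs known to server for verification".
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca-bundle.crt
    # Deepest chain a client may present: root -> intermediate -> user = 2
    SSLVerifyDepth 2

    # Server-wide: ask for a certificate but let the handshake succeed
    # without one. Enforcement is moved into the Locations below.
    SSLVerifyClient optional

    # Export SSL_CLIENT_* variables (and the PEM cert itself) so that
    # mod_headers / mod_jk can forward the verified identity.
    SSLOptions +StdEnvVars +ExportCertData

    # Never trust identity headers supplied by the client itself:
    # strip them first, re-set them only where the cert was verified.
    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN

    # The card-protected application: renegotiation demands a cert here.
    <Location /webapp>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Forward the outcome and subject DN to the backend (assumed names).
        RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}e"
        RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}e"
        JkMount /webapp/* ajp13_worker
    </Location>

    # The context the local python proxy calls: no client cert demanded,
    # reachable only from the loopback addresses seen in the error log.
    <Location /proxy-target>
        SSLRequireSSL
        SSLVerifyClient optional
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 127.0.1.1
    </Location>
</VirtualHost>
```

Two caveats a reviewer would raise. First, `optional` at the server level means a request outside `/webapp` completes the handshake with no certificate, so every path that needs card authentication must sit under a `require` Location; anything else is only as protected as its `Allow`/`Deny` rules. Second, the `X-SSL-Client-*` headers are trustworthy only because Apache unsets whatever the client sent and the backend is reachable solely through Apache; a backend that is also reachable directly must not honour them.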