On October 12, 2012 10:41, Tom Browder <tom.brow...@gmail.com> wrote:
> I have successfully generated SSL client certs (generated with openssl
> 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
> IE 9 on Windows, but I cannot get successful access with either Safari
> or Firefox on Mac OS X.

I think it is strange that you are having problems with both Safari and
Firefox under MacOS X, because Firefox does not use Apple's keychain, as
far as I know -- it uses its own, independent keystore.

Is your client certificate directly signed by a root certificate, or are
there one or more intermediate CAs involved? If there are intermediate
CAs, make sure that the intermediate certs are also imported into
Apple's Keychain (Safari) or Firefox's certificate/key database.

If you don't have anything better to try, see if you can reproduce the
problem from a terminal window on MacOS X, using the copies of the
certificate and private key that you previously imported into Apple
Keychain:

    openssl s_client -connect site.example.org:443 -verify 10 \
        -cert /path/to/client/certificate.cert \
        -key /path/to/client/key.key \
        -CAfile /path/to/client/cert/CA-certificate.cert \
        -showcerts -debug

If you get an "SSL-session:" block of output ending with the line
"Verify return code: 0 (ok)", then issue an HTTP/1.1 request for a
resource that *requires* a client certificate (see below for a warning
about using "SSLVerifyClient optional"):

    GET /path/to/client/cert/required/page.html HTTP/1.1
    Host: site.example.org

Be sure to press Return twice after the Host header. You should get the
protected page as output; if you don't, you might have reproduced the
problem, and it's very likely that a clue is in openssl's output
somewhere. Press Control-D to exit openssl.

> The Apache (2.2.14, Ubuntu) site has this configuration, in server
> context, that gives the option to present a certificate:
>
> SSLVerifyClient optional

I recommend changing this to "SSLVerifyClient required". I've had
problems with Safari 6.x when "SSLVerifyClient optional" was set
(although this worked just fine with Firefox 15 under MacOS X, so I
don't think this is the only source of your problem with Safari client
certificates).

Sorry I don't have any better advice.

--
Mark Montague
m...@catseye.org
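
Added example, not part of the original message: the intermediate-CA question above can be checked from a terminal. The script builds a constructed root -> intermediate -> client chain in a temporary directory (all names and files are made up for illustration) and shows that the client certificate fails verification against the root alone and passes once the intermediate is supplied.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> client certificate.
# All names and files are made up for this example; nothing here is a real key.

new_csr() {  # $1 = file prefix, $2 = common name; writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    new_csr "$d/root" "Example Root CA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
    new_csr "$d/int" "Example Intermediate CA" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null &&
    new_csr "$d/client" "Example Client" &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
}

# Who signed the client certificate? If it is not the root, an intermediate is involved.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# Verification as a peer that only knows the root (intermediate not imported).
verify_root_only() { openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1; }

# Verification once the intermediate is supplied alongside the client certificate.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/client.crt" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_chain "$dir" || { rm -rf "$dir"; return 1; }
    issuer_of "$dir/client.crt"
    if verify_root_only "$dir"; then echo "root only: OK"; else echo "root only: FAILED"; fi
    if verify_with_intermediate "$dir"; then echo "with intermediate: OK"; else echo "with intermediate: FAILED"; fi
    rm -rf "$dir"
}
demo
```

For a real certificate, run `issuer_of` on the exported client certificate and compare the issuer with the root CA's subject; a different issuer means an intermediate must be imported too.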