dfollens
08-09-2001, 11:01 AM
Usually, when I post to a message board, I try and search the forum and find something that answers my question first. This time I was unable to find my problem exactly :) If there is anyone out there who could help me that would be great.
I've been working several weeks now on getting Client Certificate Authentication working under SSL (apache patched with mod_ssl). Simply put, I have an environment variable cgi script and I want it to just display information about user certificates when I retrieve it via a secure connection.
I started out by just getting the server to accept a connection at https://localhost, then I decided to try and get client certificate authentication to work.
Using SSLeay, I followed some tutorials and created a server certificate, server key and a certificate authority (and installed the authority into the browser using a cgi script). Then, I created a client certificate using pkcs12 based on the server cert. Then, I installed the client cert into the browser.
So it *looks* like everything should be working ok. I set up a part of the httpd.conf to look like this (It may look a little messed up):
##################################
# My SSL host experiment
##################################
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
<VirtualHost localhost:5115>
DocumentRoot /usr/local/apache/htdocs
ServerName localhost
ServerAdmin dennisf@***.org
ErrorLog /usr/local/apache/logs/error_log
SSLEngine on
SSLCertificateFile /usr/local/ssl/certs/sitecert.pem
SSLCertificateKeyFile /usr/local/ssl/certs/sitekey.pem
SSLCACertificateFile /usr/local/ssl/private/CAcert.pem
SSLCACertificatePath /usr/local/ssl/private/
SSLVerifyClient require
SSLVerifyDepth 1
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/apache/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
##################################
# End of my code
##################################
This is what happens: I connect to my server (it's started and running)-->
1. https://localhost:5115
2. Certificate Check name by netscape
(checks to see if the server is who it
says it is)
3. Then it tells me that there is No Client Certificate
The certificate is installed in the browser and it visibly matches the server certificate (not that that matters, because it's just not getting it :)
This is what shows in the error log (no surprise, I think.):
[Thu Aug 9 09:50:07 2001] [error] mod_ssl: SSL handshake failed (server localhost:5115, client 127.0.0.1) (OpenSSL library error follows)
[Thu Aug 9 09:50:07 2001] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
Is there something that I am not doing at all? Or something that I am not doing correctly? Should I set up something else that I have totally missed? Any input at all would be greatly appreciated.
--dennis
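The hint in that log line points at the usual cause of "peer did not return a certificate": the browser only offers a client certificate whose issuer is one of the CA names the server advertises, and mod_ssl advertises the subjects of the certificates in SSLCACertificateFile. The script below is an added diagnostic, not code from the post: it builds a throw-away CA plus one client certificate signed by it and one signed by a self-signed "site" certificate instead (the "based on the server cert" route), then runs the two checks a practitioner would apply to the real CAcert.pem and client certificate. It assumes the openssl command-line tool is in PATH; all file names and DNs are constructed for the demo.

```shell
#!/bin/sh
# Added example: check that a client certificate chains to the CA file that
# mod_ssl loads via SSLCACertificateFile. Demo names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A demo CA (self-signed). In the post this corresponds to CAcert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. A self-signed "site" certificate, standing in for sitecert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
  -keyout site.key -out site.pem >/dev/null 2>&1

# 3. One client CSR, signed two ways: by the CA (good) and by the site
#    certificate (the mistake the hint in the error log is about).
openssl req -newkey rsa:2048 -nodes -subj "/CN=dennis" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out client-good.pem >/dev/null 2>&1
openssl x509 -req -in client.csr -CA site.pem -CAkey site.key -CAcreateserial \
  -days 1 -out client-bad.pem >/dev/null 2>&1

# Check 1: does the cert verify against the CA file (what SSLVerifyClient
# require / SSLVerifyDepth 1 will demand of it)?
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: is the cert's issuer DN the CA file's subject DN? That subject is
# the name the server sends in its CertificateRequest, so a mismatch means
# the browser never offers the certificate at all.
issuer_matches_ca() {
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

chain_ok client-good.pem ca.pem && echo "client-good.pem: verifies against ca.pem"
issuer_matches_ca client-good.pem ca.pem && echo "client-good.pem: issuer is the CA"
if chain_ok client-bad.pem ca.pem; then
  echo "unexpected: client-bad.pem verified"
else
  echo "client-bad.pem: does NOT verify against ca.pem (browser will not send it)"
fi
```

Against a running server, `openssl s_client -connect localhost:5115` prints the "Acceptable client certificate CA names" the server actually advertises, which should list the subject of CAcert.pem.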