Category: System Operations
2005-05-24 20:10:38
Mario Truyens wrote:
>
> Hi,
>
> I have a problem using SSLCACertificatePath.
>
> I have a PEM encoded CA certificate in directory /certs, called class1.pem.
> When I use 'SSLCACertificateFile /certs/class1.pem' everything works fine
> and client authentication is possible.
>
> However, when I do the following:
> $ cd /certs
> $ ssleay x509 -noout -hash < class1.pem
> 12345678
> $ ln -s class1.pem 12345678.0
> and remove 'SSLCACertificateFile ...' and add
> 'SSLCACertificatePath /certs', client authentication fails?
>
> I get this message in the error_log:
> [Tue Nov 10 16:28:31 1998] [error] verify error:num=19:self signed certificate in certificate chain
> [Tue Nov 10 16:28:31 1998] [error] SSL_accept failed
> [Tue Nov 10 16:28:31 1998] [error] error:140890B1:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> I use both Server and Client authentication. Note that the server certificate is self signed
> which may explain the first message. The CA certificate though is a valid one.
> The same for the client certificate.
> Versions are apache_1.3.3+ssl_1.28 and SSLeay-0.9.0b. Platform is Solaris 2.5.1.
>
> Has anyone a clue what's going on?

Yes - we've looked into this and it appears to be related to the way the
newer browsers handle client certificate passing - Ben is currently
working on a fix which should take care of it.

Apologies for not replying to all the postings on this subject direct,
as I know there have been a couple - this is just the one that came to
hand...

> P.S.: I know I can concatenate multiple CA certificates into one file,
> but I prefer the hash method.

This is the workaround for now.

Cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage
London W4 4GB
UNITED KINGDOM PGP key on keyservers
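
An added example, not part of the original post or of Apache-SSL/SSLeay: a Python check that every `<hash>.<n>` entry in a CA directory such as `/certs` is named after the subject hash of the certificate it points to, that its target exists, and that the suffixes start at `.0` without gaps. It assumes the MD5-based subject hash that `x509 -hash` printed in SSLeay 0.9.0b (OpenSSL 1.0.0 and later print a different hash by default and expose this one as `-subject_hash_old`); the function names are hypothetical.

```python
import base64, hashlib, os, re

LINK_RE = re.compile(r"^([0-9a-f]{8})\.(\d+)$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_hash_old(pem_text):
    """Old MD5-based subject hash of the first certificate, or None if absent."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _ in range(4):                      # serial, sigAlg, issuer, validity
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)              # subject Name, header included
    digest = hashlib.md5(der[pos:end]).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def audit_ca_path(ca_dir):
    """Return [(entry, problem)] for the <hash>.<n> entries in ca_dir."""
    problems, seen = [], {}
    for name in sorted(os.listdir(ca_dir)):
        m = LINK_RE.match(name)
        if not m:
            continue
        seen.setdefault(m.group(1), set()).add(int(m.group(2)))
        path = os.path.join(ca_dir, name)
        if not os.path.isfile(path):        # dangling symlink or not a file
            problems.append((name, "target missing"))
            continue
        with open(path, errors="replace") as fh:
            actual = subject_hash_old(fh.read())
        if actual != m.group(1):
            problems.append((name, "subject hash is %s" % actual))
    for h, nums in seen.items():            # directory lookup stops at the first gap
        if nums != set(range(len(nums))):
            problems.append((h, "suffixes not contiguous from .0"))
    return problems
```

An empty list from `audit_ca_path("/certs")` means the directory layout itself is consistent, which helps separate a naming mistake from a server-side problem like the one described in the reply.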