Date: Thu, 28 Aug 1997 20:24:43 -0400
From: Chris Shenton <cshenton@it.hq.nasa.gov>
To: questions@freebsd.org
Subject: apache-ssl -- can't verify client cert
Message-ID: <199708290024.AAA28131@wirehead.it.hq.nasa.gov>
I'm running FreeBSD-2.2-STABLE and have last night's ports stubs. I just built apache-ssl from the ports. Nice and clean finally, thanks.

Generated myself a temporary server cert, renamed it to httpsd.pem, and fiddled httpd.conf for SSL and the server cert location:

    SSLCACertificatePath /usr/local/certs
    SSLCertificateFile httpsd.pem
    SSLVerifyClient 3
    SSLVerifyDepth 10

The server finds its cert OK at startup; the binary has /usr/local/certs wired into it as the cert path.

When I run Netscape against it (3.0 or 4.0, on an Irix box) it says

    The server cannot verify your certificate

In the server errors log:

    SSL_Accept failed error:140890AC:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

My client has one of the free Verisign Class 1 browser certs, so the server should be able to verify it. I updated it recently and it is understood by the Verisign demo sites, so the client cert is OK.

I realized that the server probably didn't know how to walk up the tree. I found a bunch of CA certs in the ports/security/SSLeay distribution which apache-ssl thoughtfully built. They're in the certs subdirectory:

    /usr/ports/security/SSLeay/work/SSLeay-0.8.1/certs:
    total 44
    drwxr-x---   2 51    51     1024 Jul 18 14:16 .
    drwxr-xr-x  20 51    51     1024 Aug 27 09:47 ..
    lrwxrwxrwx   1 root  wheel    12 Aug 27 09:30 0fc98611.0 -> rsa-ssca.pem
    lrwxrwxrwx   1 root  wheel    12 Aug 27 09:30 262dba34.0 -> pca-cert.pem
    lrwxrwxrwx   1 root  wheel    12 Aug 27 09:30 2d522621.0 -> nortelCA.pem
    lrwxrwxrwx   1 root  wheel    12 Aug 27 09:30 32f177c0.0 -> thawteCp.pem
    lrwxrwxrwx   1 root  wheel    12 Aug 27 09:30 657c156d.0 -> thawteCb.pem
    lrwxrwxrwx   1 root  wheel    11 Aug 27 09:30 779a7e9f.0 -> rsa-cca.pem
    lrwxrwxrwx   1 root  wheel    11 Aug 27 09:30 7d5db863.0 -> factory.pem
    lrwxrwxrwx   1 root  wheel    11 Aug 27 09:30 7fdcac87.0 -> ca-cert.pem
    lrwxrwxrwx   1 root  wheel    10 Aug 27 09:30 9143a782.0 -> vsign2.pem
    lrwxrwxrwx   1 root  wheel    11 Aug 27 09:30 a5f1682b.0 -> dsa-pca.pem
    lrwxrwxrwx   1 root  wheel     9 Aug 27 09:30 a842d837.0 -> timCA.pem
    lrwxrwxrwx   1 root  wheel    10 Aug 27 09:30 aec3f040.0 -> dsa-ca.pem
    lrwxrwxrwx   1 root  wheel     9 Aug 27 09:30 c605ac92.0 -> tjhCA.pem
    lrwxrwxrwx   1 root  wheel    10 Aug 27 09:30 c807b642.0 -> vsign1.pem
    -rw-r-----   1 51    51     1834 Jul 18 14:15 ca-cert.pem
    -rw-r-----   1 51    51     2264 Jul 18 14:15 dsa-ca.pem
    -rw-r-----   1 51    51     2674 Jul 18 14:15 dsa-pca.pem
    lrwxrwxrwx   1 root  wheel    10 Aug 27 09:30 e449a22e.0 -> vsign3.pem
    -rw-r-----   1 51    51      859 Jul 18 14:15 factory.pem
    lrwxrwxrwx   1 root  wheel    10 Aug 27 09:30 fe151db4.0 -> vsign4.pem
    -rw-r-----   1 51    51      900 Jul 18 14:15 nortelCA.pem
    -rw-r-----   1 51    51     1835 Jul 18 14:15 pca-cert.pem
    -rw-r-----   1 51    51     1017 Jul 18 14:15 rsa-cca.pem
    -rw-r-----   1 51    51     1031 Jul 18 14:15 rsa-ssca.pem
    -rw-r-----   1 51    51     1127 Jul 18 14:15 thawteCb.pem
    -rw-r-----   1 51    51     1155 Jul 18 14:15 thawteCp.pem
    -rw-r-----   1 51    51      753 Jul 18 14:15 timCA.pem
    -rw-r-----   1 51    51      871 Jul 18 14:15 tjhCA.pem
    -rw-r-----   1 51    51      831 Jul 18 14:15 vsign1.pem
    -rw-r-----   1 51    51     1819 Jul 18 14:15 vsign2.pem
    -rw-r-----   1 51    51      986 Jul 18 14:15 vsign3.pem
    -rw-r-----   1 51    51      986 Jul 18 14:15 vsign4.pem

So I copied them to /usr/local/certs and made them world readable so the daemon can look at them.

The "vsign1.pem" looks like it is probably the right one for me, but still no joy. What am I missing? Do I need to concatenate the CA certs and put them in a file, as possibly implied by another line in the httpd.conf file:

    # Set the CA certificate verification file (must be PEM encoded).
    # (in addition to getenv("SSL_CERT_FILE"), I think).
    #SSLCACertificateFile /some/where/somefile
    #SSLCACertificateFile /u/ben/apache/apache_1.2.0-ssl/SSLconf/conf/httpsd.pem

Any help would be most welcome.
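An added example, not part of the post above: the hash.N symlinks in the listing (e.g. c807b642.0 -> vsign1.pem) are what an SSLeay/OpenSSL CApath lookup keys on, so a CA directory copied without them is not searched. This script rebuilds those links for a directory of PEM CA certs and then checks whether a client certificate chains to one of them, the same check the server performs; it assumes the openssl command-line tool is installed, and the directory and file names are arbitrary.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI.

# make_hash_links DIR
# For every *.pem in DIR, create the <subject-hash>.N symlink that the
# CApath lookup needs. Certificates whose subject hashes collide get
# .0, .1, .2 ... in turn; re-running does not duplicate existing links.
make_hash_links() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # -hash prints the hash of the subject name used for CApath lookups
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # already linked to this very file: nothing to do for it
            [ "$(readlink "$dir/$hash.$n")" = "$(basename "$pem")" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_client_cert DIR CERT
# Returns 0 if CERT chains to a CA found through the hashed links in DIR,
# non-zero otherwise (the condition behind "cannot verify your certificate").
verify_client_cert() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run make_hash_links against the SSLCACertificatePath directory after copying certs into it, and verify_client_cert with the browser's certificate to test the chain outside the web server.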