Date: Thu, 28 Aug 1997 20:24:43 -0400
From: Chris Shenton <cshenton@it.hq.nasa.gov>
To: questions@freebsd.org
Subject: apache-ssl -- can't verify client cert
Message-ID: <199708290024.AAA28131@wirehead.it.hq.nasa.gov>
I'm running FreeBSD-2.2-STABLE and have last night's ports stubs.
I just built apache-ssl from the ports. Nice and clean finally,
thanks. Generated myself a temporary server cert, renamed it to
httpsd.pem, and fiddled httpd.conf for SSL and the server cert
location:
SSLCACertificatePath /usr/local/certs
SSLCertificateFile httpsd.pem
SSLVerifyClient 3
SSLVerifyDepth 10
The server finds its cert OK at startup; the binary has
/usr/local/certs wired into it as the cert path.
When I run NetScape against it (3.0 or 4.0, on an Irix box) it says
The server cannot verify your certificate
In the server errors log:
SSL_Accept failed
error:140890AC:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
My client has one of the free Verisign Class 1 browser certs, so the
server should be able to verify it. I updated it recently and it is
understood by the Verisign demo sites, so the client cert is OK.
I realized that the server probably didn't know how to walk up the
tree. I found a bunch of CA certs in the ports/security/SSLeay
distribution which apache-ssl thoughtfully built. They're in the certs
subdirectory:
/usr/ports/security/SSLeay/work/SSLeay-0.8.1/certs:
total 44
drwxr-x--- 2 51 51 1024 Jul 18 14:16 .
drwxr-xr-x 20 51 51 1024 Aug 27 09:47 ..
lrwxrwxrwx 1 root wheel 12 Aug 27 09:30 0fc98611.0 -> rsa-ssca.pem
lrwxrwxrwx 1 root wheel 12 Aug 27 09:30 262dba34.0 -> pca-cert.pem
lrwxrwxrwx 1 root wheel 12 Aug 27 09:30 2d522621.0 -> nortelCA.pem
lrwxrwxrwx 1 root wheel 12 Aug 27 09:30 32f177c0.0 -> thawteCp.pem
lrwxrwxrwx 1 root wheel 12 Aug 27 09:30 657c156d.0 -> thawteCb.pem
lrwxrwxrwx 1 root wheel 11 Aug 27 09:30 779a7e9f.0 -> rsa-cca.pem
lrwxrwxrwx 1 root wheel 11 Aug 27 09:30 7d5db863.0 -> factory.pem
lrwxrwxrwx 1 root wheel 11 Aug 27 09:30 7fdcac87.0 -> ca-cert.pem
lrwxrwxrwx 1 root wheel 10 Aug 27 09:30 9143a782.0 -> vsign2.pem
lrwxrwxrwx 1 root wheel 11 Aug 27 09:30 a5f1682b.0 -> dsa-pca.pem
lrwxrwxrwx 1 root wheel 9 Aug 27 09:30 a842d837.0 -> timCA.pem
lrwxrwxrwx 1 root wheel 10 Aug 27 09:30 aec3f040.0 -> dsa-ca.pem
lrwxrwxrwx 1 root wheel 9 Aug 27 09:30 c605ac92.0 -> tjhCA.pem
lrwxrwxrwx 1 root wheel 10 Aug 27 09:30 c807b642.0 -> vsign1.pem
-rw-r----- 1 51 51 1834 Jul 18 14:15 ca-cert.pem
-rw-r----- 1 51 51 2264 Jul 18 14:15 dsa-ca.pem
-rw-r----- 1 51 51 2674 Jul 18 14:15 dsa-pca.pem
lrwxrwxrwx 1 root wheel 10 Aug 27 09:30 e449a22e.0 -> vsign3.pem
-rw-r----- 1 51 51 859 Jul 18 14:15 factory.pem
lrwxrwxrwx 1 root wheel 10 Aug 27 09:30 fe151db4.0 -> vsign4.pem
-rw-r----- 1 51 51 900 Jul 18 14:15 nortelCA.pem
-rw-r----- 1 51 51 1835 Jul 18 14:15 pca-cert.pem
-rw-r----- 1 51 51 1017 Jul 18 14:15 rsa-cca.pem
-rw-r----- 1 51 51 1031 Jul 18 14:15 rsa-ssca.pem
-rw-r----- 1 51 51 1127 Jul 18 14:15 thawteCb.pem
-rw-r----- 1 51 51 1155 Jul 18 14:15 thawteCp.pem
-rw-r----- 1 51 51 753 Jul 18 14:15 timCA.pem
-rw-r----- 1 51 51 871 Jul 18 14:15 tjhCA.pem
-rw-r----- 1 51 51 831 Jul 18 14:15 vsign1.pem
-rw-r----- 1 51 51 1819 Jul 18 14:15 vsign2.pem
-rw-r----- 1 51 51 986 Jul 18 14:15 vsign3.pem
-rw-r----- 1 51 51 986 Jul 18 14:15 vsign4.pem
So I copied them to /usr/local/certs and made them world readable so
the daemon can look at them. The "vsign1.pem" looks like it is
probably the right one for me, but still no joy.
What am I missing? Do I need to concatenate the CA certs and put them
in a file, as possibly implied by another line in the httpd.conf file:
# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
#SSLCACertificateFile /some/where/somefile
#SSLCACertificateFile /u/ben/apache/apache_1.2.0-ssl/SSLconf/conf/httpsd.pem
Any help would be most welcome.
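A way to check a CApath directory from the shell before restarting the server, as an added example that is not part of the original message or of apache-ssl: it builds a throwaway CA and a client certificate signed by it, installs the CA certificate under the hash-named entry that the SSLeay/OpenSSL directory lookup expects (the `0fc98611.0 -> rsa-ssca.pem` layout in the listing above), and runs `openssl verify -CApath` against the client certificate. All names, paths and subjects here are constructed for the example; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: populate a CApath directory the way the library expects
# and confirm a client certificate can be chained to a CA found there.
set -e

WORK=$(mktemp -d)
CAPATH="$WORK/certs"        # stands in for /usr/local/certs

# 1. A throwaway self-signed CA (constructed for this example only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. A client certificate issued by that CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/client.pem" 2>/dev/null
}

# 3. Install a CA certificate under <subject-hash>.<n>. The lookup opens
#    only names of that form; .0, .1, ... disambiguate colliding hashes.
#    "openssl x509 -hash" prints the hash the installed library uses for
#    its own lookups, so the two always agree.
install_ca() {
    mkdir -p "$CAPATH"
    hash=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$CAPATH/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" "$CAPATH/$hash.$n"
}

# 4. Exit status 0 only if the client cert chains up to a CA in CAPATH.
verify_client() {
    openssl verify -CApath "$CAPATH" "$WORK/client.pem" >/dev/null 2>&1
}

# Stand-alone run: a bare copy of the PEM file is ignored; the hashed entry works.
make_ca
make_client
mkdir -p "$CAPATH"
cp "$WORK/ca.pem" "$CAPATH/ca.pem"   # what a plain cp into the directory gives
if verify_client; then
    echo "unexpected: verified with no hash-named entry"
else
    echo "plain copy only: CA not found (expected)"
fi
install_ca "$WORK/ca.pem"
if verify_client; then
    echo "hash-named entry present: client certificate verified"
fi
ls -l "$CAPATH"
```

The point of the two runs is that a PEM file dropped into the directory under its own name is never opened: the library looks only for `<hash>.<n>`, so each CA in the chain has to be reachable under such a name (or listed in a single SSLCACertificateFile). If the client certificate was issued by an intermediate CA rather than directly by a root, the intermediate's certificate has to be present too, or the walk up the tree stops short regardless of SSLVerifyDepth.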
