List: apache-ssl
Subject: [apache-ssl] Client Certification Problem
From: "gary" <gary () niceshipping ! com>
Date: 2001-03-14 11:17:24
Hi all,
I have a strange problem with Client Certification; could you please help me?
My situation is as follows:
I am a user of multiple CAs, and I have created the hashes and set SSLCACertificatePath.
Connecting to my server with IE is no problem, but not with s_client.

When I use "openssl s_client -connect Host:443 -cert client.cert",
I got this message
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  2011:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:767:SSL alert number 40
  2011:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:712: "
and error log
  [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
  [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
  [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
  [error] OpenSSL: error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong

When I use "openssl s_client -connect Host:443 -cert client.cert -CApath PATH -CAfile CA.pem",
I got this message
  CONNECTED(00000003)
  depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  verify error:num=10:Certificate has expired
  notAfter=Dec 31 23:54:17 1999 GMT
  verify return:0
  2049:error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table:x509_vfy.c:535:
and error log
  [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
  [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
  [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Here is part of my CA's information:
  Signature Algorithm: md2WithRSAEncryption
  Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
  Validity
    Not Before: Jan 29 00:00:00 1996 GMT
    Not After : Jan 7 23:59:59 2004 GMT
  Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

Here is part of my certificate's information:
  Signature Algorithm: md5WithRSAEncryption
  Issuer: O=HiTRUST, Inc., OU=VeriSign Trust Network, OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD.(c)98, OU=HiTRUST Class 1 CA - Individual Subscriber
  Validity
    Not Before: Feb 14 00:00:00 2001 GMT
    Not After : Feb 28 23:59:59 2002 GMT
  Subject: O=VeriSign, Inc., OU=www.hitrust.com.tw/RPA Incorp. by Ref.,LIAB.LTD(c)98, OU=Authenticated by HiTRUST, Inc., OU=Member, VeriSign Trust Network, OU=Persona Not Validated, OU=Digital ID Class 1 - Microsoft Full Service, CN=taiwan niceshipping.com
  Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

What should I do to correct my configuration or process?
Thank you.
Best regards,
Gary
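
Added example (not part of the original message): the s_client output above reports an expired CA certificate and "cert already in hash table", which OpenSSL raises when the same certificate is added to a store twice. The sketch below audits a hashed CA directory for expired or soon-to-expire certificates, duplicate certificates and missing hash entries; `audit_ca_dir`, `make_demo_dir` and the file names are hypothetical, and the sample certificates are constructed on the fly.

```shell
#!/bin/sh
# Audit an OpenSSL hashed CA directory (the kind SSLCACertificatePath and
# "s_client -CApath" read). One finding per line on stdout:
#   EXPIRING  <file>          notAfter is within WINDOW seconds (0 = expired now)
#   DUPLICATE <file> <first>  the same certificate is stored twice
#   NOHASH    <file> <hash>   no <hash>.N lookup entry exists for this subject
audit_ca_dir() {
    dir=$1 window=${2:-0}
    seen=$(mktemp)
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # -checkend exits non-zero if the cert expires within $window seconds
        openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1 \
            || echo "EXPIRING $f"
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        first=$(awk -v fp="$fp" '$1 == fp { print $2; exit }' "$seen")
        if [ -n "$first" ]; then
            echo "DUPLICATE $f $first"
        else
            echo "$fp $f" >> "$seen"
        fi
        # Lookup in a CApath directory is by subject-name hash: <hash>.0, .1, ...
        h=$(openssl x509 -in "$f" -noout -hash)
        ls "$dir/$h".[0-9]* >/dev/null 2>&1 || echo "NOHASH $f $h"
    done
    rm -f "$seen"
}

# Constructed sample data: throwaway self-signed certificates, not real CAs.
make_demo_dir() {
    d=$(mktemp -d)
    gen() {  # gen NAME DAYS
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.tmp" \
            -subj "/O=Constructed Demo/CN=$1" -days "$2" -out "$d/$1.pem" 2>/dev/null
    }
    gen a_root 365
    gen c_short 1
    cp "$d/a_root.pem" "$d/b_root_copy.pem"    # same cert stored twice
    ln -s a_root.pem "$d/$(openssl x509 -in "$d/a_root.pem" -noout -hash).0"
    rm -f "$d/key.tmp"
    echo "$d"
}

demo=$(make_demo_dir)
audit_ca_dir "$demo" 172800    # flag anything expiring within two days
rm -rf "$demo"
```

`openssl x509 -hash` prints the hash used by the installed OpenSSL; releases before 1.0.0 used a different subject hash (available as `-subject_hash_old`), so the links need regenerating after such an upgrade.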