Paul Puschmann | 4 Aug 2005 09:59

Re: SSLVerifyClient fails

Sven Löschner schrieb:
>>Try using "openssl s_client ...." to connect(? arg for 
>>options). It'll give a lot of debug info.
> 
> 
> Okay, I tried "openssl s_client -connect www.test.de:443 -CAfile
> /etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
> /etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
> -showcerts -state -bugs"
> 
> The output is the following:
> 
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
> Server/CN=www.test.de/emailAddress=info <at> test.de
> verify error:num=20:unable to get local issuer certificate

Seems you don't have the required root CA certificates installed on your
webserver. (You need the root certificate of your client certificates.)
Anyone correct me if I'm wrong.

Paul
-- 
Linux-User #271918 with the Linux Counter, http://counter.li.org/
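To see what "verify error:num=20:unable to get local issuer certificate" means in practice, here is an added shell example (not from this thread or from mod_ssl) that builds a throwaway root -> intermediate -> user chain with the openssl command-line tool and verifies the user certificate once against the root alone and once against a file holding the whole issuing chain. The CA names, the temporary directory and the one-day validity are all constructed for the demo; the only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): show when openssl reports verify error 20.
# The file given to -CAfile (or mod_ssl's SSLCACertificateFile) must contain every
# CA between the certificate and the trust anchor, not just the root.

make_demo_chain() {
    # $1 = scratch directory; all names below are constructed for the demo
    dir=$1
    cat > "$dir/ca_ext.cnf" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
    # Self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate (user) CA, signed by the root, marked as a CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo User CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca_ext.cnf" -out "$dir/int.pem" >/dev/null 2>&1
    # End-entity (client) certificate, signed by the intermediate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo user" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/client.pem" >/dev/null 2>&1
    # Chain file in the form s_client -CAfile / SSLCACertificateFile expect:
    # issuing CA(s) first, trust anchor last
    cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# verify_against CAFILE CERT -> prints "ok", or the numeric openssl verify error
verify_against() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    if echo "$out" | grep -q ': OK$'; then
        echo ok
    else
        # Failure lines look like:
        # "error 20 at 0 depth lookup: unable to get local issuer certificate"
        echo "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

chain_demo() {
    dir=$(mktemp -d)
    make_demo_chain "$dir"
    # Root only: the CA that actually issued client.pem is unknown -> error 20
    incomplete=$(verify_against "$dir/root.pem" "$dir/client.pem")
    # Root plus intermediate: the chain reaches the trust anchor -> OK
    complete=$(verify_against "$dir/chain.pem" "$dir/client.pem")
    rm -rf "$dir"
    echo "root-only:$incomplete chain:$complete"
}

chain_demo   # prints: root-only:20 chain:ok
```

The same check applies on the server side: if `SSLCACertificateFile` holds only the root, a client certificate issued by an intermediate fails with this error in the httpd error log, and a `-CAfile` that contains the user CA chain but not the server's own issuing CA produces it at depth=0 in s_client, exactly as in the quoted output.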

Sven Löschner | 4 Aug 2005 11:49

RE: SSLVerifyClient fails

Ok, a friend of mine sent me a working ca-cert with a working client
cert... but it's not working for me. I guess I will set up an Apache 1.x,
and delete the Apache2, because it makes a lot of trouble in working
correctly e.g. with openssl. I tried a lot of versions, but always errors
(OpenSSL 0.9.7f - 0.9.8, Apache 2.0.48, 2.0.54, 2.0.55-dev)

Sven

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Pitrich, Karl | 8 Aug 2005 14:26

access restriction based on RFC3280/4.2 'Certificate Extensions'

Hi,

is it somehow possible to restrict access to 
a httpd2/mod_ssl based on the presence
of an extended attribute with a specific OID 
in the client's certificate?

I was unsuccessful looking that up in the docs or ML archive.

thank you for any hint,

 / pit

Mads Toftum | 8 Aug 2005 17:28

Re: access restriction based on RFC3280/4.2 'Certificate Extensions'

On Mon, Aug 08, 2005 at 02:26:37PM +0200, Pitrich, Karl wrote:
> Hi,
> 
> is it somehow possible to restrict access to 
> a httpd2/mod_ssl based on the presence
> of an extended attribute with a specific OID 
> in the client's certificate?
> 
There is some support for that in the very latest httpd dev tree - see
http://mail-archives.apache.org/mod_mbox/httpd-cvs/200507.mbox/%3c20050720164301.95859.qmail <at> minotaur.apache.org%3e

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall


Christopher L. Everett | 9 Aug 2005 04:58

Compile failure

Hi,

I downloaded and unpacked mm-1.3.1, openssl-0.9.8, apache_1.3.33 and
modssl-2.8.23-1.3.33.  Then I installed everything:

installed MM
------------

./configure --prefix=/usr/local
make && make test && make install

openssl-0.9.8
-------------

./config --prefix=/usr/local
make && make test && make install

apache+mod_ssl
--------------
mkdir httpd-ssl
cd httpd-ssl
cp -rl ../apache_1.3.33/ .
cp -rl ../modssl-2.8.23-1.3.33/ .
ln ../../mod_proxy_add_forward.c src/modules/extra/
cp -rl ../../gzip src/modules/
cd modssl-2.8.23-1.3.33/
./configure --with-apache=../apache_1.3.33/
cd ../apache_1.3.33/
CC="gcc" \
CFLAGS="`mm-config --cflags` -DOPENSSL_NO_KRB5" \

SB | 9 Aug 2005 20:45

Migrating cert from Sun Web Server

I've already paid for a few Verisign certs (that were requested from
and installed on Sun Web Server aka SWS aka ONE aka iPlanet) and now
we are migrating from SWS to Apache and mod_ssl. I would like to reuse
the certs but they (and the keys) use some weird db format. I have the
certs in my email somewhere still so all I need is the keys. Anyone
know how I can extract the key from the db file or elsewhere for use
with mod_ssl and Apache2?

I've already looked in the docs[1] and googled a bit but so far
nothing. Any help is greatly appreciated!

SB
-----
[1] http://docs.sun.com/source/817-1831-10/agcert.html#wp1004981

Phil Ehrens | 9 Aug 2005 21:21

Re: Migrating cert from Sun Web Server

SB wrote:
> I've already paid for a few Verisign certs (that were requested from
> and installed on Sun Web Server aka SWS aka ONE aka iPlanet) and now
> we are migrating from SWS to Apache and mod_ssl. I would like to reuse
> the certs but they (and the keys) use some weird db format. I have the
> certs in my email somewhere still so all I need is the keys. Anyone
> know how I can extract the key from the db file or elsewhere for use
> with mod_ssl and Apache2?
> 
> I've already looked in the docs[1] and googled a bit but so far
> nothing. Any help is greatly appreciated!

Look here (search for pk12util):

http://docs.sun.com/source/816-5682-10/esecurty.htm

-- 
Phil Ehrens <pehrens <at> ligo.caltech.edu>| Fun stuff:
The LIGO Laboratory, MS 18-34         | http://www.ralphmag.org
California Institute of Technology    | http://www.yellow5.com
1200 East California Blvd.            | http://www.total.net/~fishnet/
Pasadena, CA 91125 USA                | http://slashdot.org
Phone:(626)395-8518 Fax:(626)793-9744 | http://kame56.homepage.com

SB | 9 Aug 2005 21:50

Re: Migrating cert from Sun Web Server

On 8/9/05, Phil Ehrens <pehrens <at> ligo.caltech.edu> wrote:

> Look here (search for pk12util):
> 
> http://docs.sun.com/source/816-5682-10/esecurty.htm

Thanks! I actually found it on the Sun Forum too. Apparently it's
kinda tricky to use so here's the process...

# export LD_LIBRARY_PATH=<serverroot>/bin/https/lib
# cd <serverroot>/alias
# ../bin/https/admin/bin/pk12util -o export.pkcs12 -n Server-Cert -d .
-P "https-hostname-hostname-"
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file: 
Re-enter password: 
pk12util: PKCS12 EXPORT SUCCESSFUL
# ls -tlra export.pkcs12
-rw-------   1 root     root        3372 Aug  9 12:16 export.pkcs12
#

Then you can extract either the key or the cert...

# openssl pkcs12 -info -in export.pkcs12 
Enter Import Password:
...
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
...
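The transcript above stops at the point where `openssl pkcs12` starts dumping the key. What mod_ssl actually needs is two separate PEM files (`SSLCertificateFile` and `SSLCertificateKeyFile`), and after a migration like this it is worth confirming that the key pulled out of the bundle really belongs to the certificate you paid for. The following is an added shell example, not from this thread or from Sun's documentation: it splits a PKCS#12 bundle into those two files and compares the public key embedded in the certificate with the one derived from the private key. The bundle it operates on is constructed from a throwaway self-signed certificate so the script runs stand-alone; the only assumption is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): split a PKCS#12 export into the PEM files
# mod_ssl wants and check that the extracted key matches the certificate.

# split_pkcs12 BUNDLE PASSWORD OUTDIR -> writes OUTDIR/cert.pem and OUTDIR/key.pem
split_pkcs12() {
    bundle=$1; pass=$2; outdir=$3
    # End-entity certificate only (-clcerts), no CA certs, no key
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/cert.pem" >/dev/null 2>&1 || return 1
    # Private key, written unencrypted (-nodes) so httpd can start unattended;
    # the subshell's umask keeps the cleartext key readable by the owner only
    (umask 077; openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/key.pem" >/dev/null 2>&1) || return 1
}

# key_matches_cert CERT KEY -> prints "match" or "mismatch"
# Both commands emit the public key in SubjectPublicKeyInfo PEM form, so a plain
# string comparison works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

pkcs12_demo() {
    dir=$(mktemp -d)
    # Constructed stand-in for the server certificate and key exported by pk12util
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.test" \
        -keyout "$dir/orig.key" -out "$dir/orig.pem" >/dev/null 2>&1
    openssl pkcs12 -export -in "$dir/orig.pem" -inkey "$dir/orig.key" -name Server-Cert \
        -passout pass:demo -out "$dir/export.pkcs12" >/dev/null 2>&1
    # An unrelated key, to show what a wrong key looks like to the check
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    split_pkcs12 "$dir/export.pkcs12" demo "$dir" || { rm -rf "$dir"; echo "split failed"; return 1; }
    good=$(key_matches_cert "$dir/cert.pem" "$dir/key.pem")
    bad=$(key_matches_cert "$dir/cert.pem" "$dir/other.key")
    rm -rf "$dir"
    echo "extracted:$good unrelated:$bad"
}

pkcs12_demo   # prints: extracted:match unrelated:mismatch
```

Bundles written by older NSS tools may use RC2/40-bit PBE; on OpenSSL 3 `openssl pkcs12` then needs the `-legacy` option (with the legacy provider loaded) before the split above will open them.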

Andrew Musselman | 16 Aug 2005 18:57

SSL support for a VirtualHost on a port other than 443

Hi,

I am trying to set up apache2 to provide SSL support for a VirtualHost
running on port 81.

The server handles https requests just fine, but when I try connecting
with https through port 81 I receive an error (in Firefox "The
connection to [myhost]:81 has terminated unexpectedly.  Some data may
have been transferred.").

Openssl seems to be running fine, as these commands from the FAQ at
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:

$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0

Can anyone offer some help on getting this to work?  Thanks for your
time.

Best,
Andrew

Andrew Musselman
andrew <at> cwu.edu


Mads Toftum | 16 Aug 2005 20:06

Re: SSL support for a VirtualHost on a port other than 443

On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a VirtualHost
> running on port 81.
> 
Have you added a virtualhost for port 81 and the corresponding Listen
statement?

> The server handles https requests just fine, but when I try connecting
> with https through port 81 I receive an error (in Firefox "The
> connection to [myhost]:81 has terminated unexpectedly.  Some data may
> have been transferred.").
> 
Browser messages are not much use.

> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
> 
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0
> 
What if you use localhost:81 instead?

We need more info like the SSL specific part of the conf and perhaps
output of openssl s_client.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
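Mads's first question, whether there is a `Listen` for the port the SSL virtual host is declared on, is the kind of thing that is easy to check mechanically. The following is an added shell example, not from this thread or from httpd: a small awk-based lint that reads an httpd.conf and reports every `<VirtualHost>` containing `SSLEngine on` whose port never appears in a `Listen` directive. The configuration excerpt it runs on is constructed for the demo (names, paths and the missing `Listen 81` are all made up), and the lint matches ports only, not addresses.

```shell
#!/bin/sh
# Added example (not from the thread): report SSL vhost ports with no Listen directive.
# A vhost on port 81 without "Listen 81" means nothing accepts the connection at all,
# which a browser only reports as "connection terminated unexpectedly".

# missing_ssl_listen < httpd.conf -> prints, one per line, each port that has an
# "SSLEngine on" vhost but no Listen directive
missing_ssl_listen() {
    awk '
    # Port part of an address such as *:81, 0.0.0.0:81, [::]:81 or a bare 81
    function port_of(addr,    parts, n) {
        n = split(addr, parts, ":")
        return parts[n]
    }
    tolower($1) == "listen" { listen[port_of($2)] = 1; next }
    tolower($1) == "<virtualhost" {
        in_vhost = 1; ssl = 0; n_addr = 0
        for (i = 2; i <= NF; i++) {
            a = $i; sub(/>$/, "", a)
            vports[++n_addr] = port_of(a)
        }
        next
    }
    in_vhost && tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1; next }
    tolower($1) == "</virtualhost>" {
        if (ssl) {
            for (i = 1; i <= n_addr; i++) {
                p = vports[i]
                # Skip "*" or address-only forms (no numeric port); report each port once
                if (p ~ /^[0-9]+$/ && !(p in listen) && !(p in seen)) { seen[p] = 1; print p }
            }
        }
        in_vhost = 0
    }'
}

# Constructed httpd.conf excerpt: an SSL vhost on 81 with no matching Listen
sample_conf() {
    cat <<'EOF'
Listen 80
Listen 443 https

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>

# Meant to serve https on 81, but nobody added "Listen 81"
<VirtualHost *:81>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
EOF
}

sample_conf | missing_ssl_listen   # prints: 81
```

A clean result from this lint does not prove the port works: the reverse mistake, a `Listen 81` whose vhost lacks `SSLEngine on`, gives the browser the same symptom, which is why `openssl s_client -connect localhost:81 -state` against the real server is still the decisive test.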
