Georges Toth wrote:
Quoting Martin Pala <[EMAIL PROTECTED]>:

Please can you provide your monit configuration? (the "set httpd ..." part is sufficient).


set httpd port 28000 and
     use address 123.123.123.123
     ssl enable
     pemfile /etc/ssl/ca_priv_pub.pem
     clientpemfile /etc/monit/client_certificates.pem
     ALLOWSELFCERTIFICATION


Is the certificate self-signed or using public CA?

It's a self-signed certificate.

Besides the version, nothing changed on the server.
Firefox (32bit binary, 3.x, gentoo) seems to be the problem here.
Certificate is correctly installed, including root (with correct cert-permissions set in firefox).
Firefox doesn't even ask for me to choose a certificate.
On other websites, on the other hand, it does.

Really strange...


I tried to replicate ... using self-compiled monit-5.0_beta4 with libssl-0.9.8g-13 on Debian-unstable with Iceweasel-3.0.3-2 works fine.

Configuration:
--8<--
set httpd port 2812 and
    use address 127.0.0.1
    ssl enable
    pemfile /var/certs/monit.pem
    clientpemfile /var/certs/monit_client.pem
    allowselfcertification
    allow localhost
--8<--

I can see the same error logged which you saw as well:

--8<--
monit: Openssl engine error: error:140D9115:SSL routines:func(217):reason(277)
--8<--

... but the authentication works, and I don't see the error which you mentioned and which is the root cause of the problem:

--8<--
monit[2067]: monit: The client did not supply a required client certificate!
--8<--

When I switched Iceweasel's certificate setting Edit->Preferences->Advanced->Encryption->"When a server requests my personal certificate" to "Ask me every time", I get the dialog which reports that Monit asked for a certificate and allows me to select the certificate.

Summary:
########
It's quite a strange problem: in Monit there were no changes in SSL-related code between 4.10.1 and 5.0_beta4, so they should work the same. It's possible that it's a browser problem (on your side, Konqueror worked, and I have tested with Iceweasel alias Firefox without problem).


Thanks,
Martin
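
The OpenSSL line quoted in this thread is printed without its error strings, so only the packed hex code and the numeric func(217)/reason(277) placeholders are visible. The following is an added example, not part of the original messages or of Monit: it unpacks such a code using the pre-3.0 OpenSSL layout (the thread uses libssl-0.9.8g), checks that the placeholders agree with the hex value, and separates these errors from the "did not supply a required client certificate" rejections. The two name tables are assumptions taken from the pre-3.0 ssl.h constants and should be checked against the headers of the OpenSSL build in use.

```python
import re

# Packed error layout in OpenSSL 0.9.8 through 1.1.x (ERR_PACK in err.h):
# 8-bit library, 12-bit function, 12-bit reason. OpenSSL 3.x differs.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
PLACEHOLDER_RE = re.compile(r"^(?:func|reason)\((\d+)\)$")
NO_CLIENT_CERT = "did not supply a required client certificate"

# Assumed names from the pre-3.0 ssl.h (SSL_F_* / SSL_R_*), keyed by (lib, number).
FUNC_NAMES = {(20, 217): "SSL_GET_PREV_SESSION"}
REASON_NAMES = {(20, 277): "session id context uninitialized"}

# Sample input: the two log lines as quoted in the thread.
SAMPLE_LOG = [
    "monit: Openssl engine error: error:140D9115:SSL routines:func(217):reason(277)",
    "monit[2067]: monit: The client did not supply a required client certificate!",
]

def unpack(code):
    """Split a packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_line(line):
    """Decode one OpenSSL error string, or return None if the line has none."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, func, reason = unpack(int(m.group(1), 16))
    func_text, reason_text = m.group(3).strip(), m.group(4).strip()
    # When error strings are not loaded, OpenSSL prints func(N)/reason(N);
    # those numbers must agree with the fields unpacked from the hex code.
    consistent = True
    for text, number in ((func_text, func), (reason_text, reason)):
        p = PLACEHOLDER_RE.match(text)
        if p and int(p.group(1)) != number:
            consistent = False
    return {"lib": lib, "func": func, "reason": reason, "consistent": consistent,
            "func_name": FUNC_NAMES.get((lib, func), func_text),
            "reason_name": REASON_NAMES.get((lib, reason), reason_text)}

def triage(lines):
    """Separate decoded OpenSSL errors from missing-client-certificate rejections."""
    errors = [d for d in map(decode_line, lines) if d]
    rejected = [line for line in lines if NO_CLIENT_CERT in line]
    return errors, rejected

if __name__ == "__main__":
    errors, rejected = triage(SAMPLE_LOG)
    for e in errors:
        print(e)
    print("client certificate missing:", len(rejected))
```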






