Hi.
I have a similar problem.

What platform are you on? What version of SSLeay?
Does it occur also when you turn off
SSLVerifyClient require?

What does your ssl_engine_log show?

I am seeing this on an Alpha running Linux,
Apache 1.3.3 / mod_ssl 2.1.5 / OpenSSL current,
client verification set to none,
server certificate issued by same root cert as
trusted in NS 4.5.

The error returned by mod_ssl seems nonsense,
this looks like the server cert is refused by NS.

ssl_engine_log (SSLLogLevel debug) shows:
[trace] OpenSSL: Handshake: start
[trace] OpenSSL: Loop: before SSL initialization
[debug] OpenSSL: read 7/7 bytes = [ 80 40 01 03 00 00 27 ]
[debug] OpenSSL: read 59/59 bytes =
[debug] OpenSSL: write 1024/1024 =
[trace] OpenSSL: Loop: SSLv3 write certificate A
[trace] OpenSSL: Loop: SSLv3 write server done A
[debug] OpenSSL: write 296/296 bytes =
[trace] OpenSSL: Loop: SSLv3 flush data
[debug] OpenSSL: read 5/5 bytes = [ 15 03 00 00 02 ]
[debug] OpenSSL: read 2/2 bytes = [ 02 2a ]
[trace] OpenSSL: Read: SSLv3 read client certificate A
[trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[error] SSL handshake failed (OpenSSL library error follows)
[error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
        [Hint: Subject DN in certificate not server name!?]

[info]  Connection to child 0 closed (server mask.org-net.nl:443)

The openssl s_client works fine, and the servername *does* match
the Subject/DN,CN field.

chchar wrote:
> 
> Hi all!
> 
>    I created my own CA, made my private cert, signed and downloaded it
>    back to Netscape 4.5 Communicator.
> 
>    Then I set "SSLVerifyClient require" in the httpd.conf file.
> 
>    When trying to connect to my secure server I got the response:
>      "This certificate is not approved for the attempted application"
> 
>    What's wrong? Please advise, thanks.
> 
>    Note : I'm using apache 1.3.3, mod_ssl 2.1.4-1.3.3
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
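
The two short reads logged just before the failure form one SSL 3.0 alert record. The following is an added example, not part of the original message and not mod_ssl or OpenSSL code, that decodes such records from `ssl_engine_log` debug lines. The function names are hypothetical, and the sample lines are copied from the log above with wrapped lines joined.

```python
import re

# Values from the SSL 3.0 / TLS record and alert protocol definitions.
ALERT_CONTENT_TYPE = 21  # 0x15
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
DUMP_RE = re.compile(r"\[debug\] OpenSSL: (read|write) (\d+)/\d+ bytes = \[([0-9a-fA-F ]+)\]")

# Lines copied from the log in the message above, with wrapped lines joined.
SAMPLE_LOG = """\
[debug] OpenSSL: read 7/7 bytes = [ 80 40 01 03 00 00 27 ]
[trace] OpenSSL: Loop: SSLv3 flush data
[debug] OpenSSL: read 5/5 bytes = [ 15 03 00 00 02 ]
[debug] OpenSSL: read 2/2 bytes = [ 02 2a ]
[trace] OpenSSL: Read: SSLv3 read client certificate A
"""

def inline_dumps(log_text):
    """Return [(direction, data)] for every one-line hex dump in the log."""
    dumps = []
    for direction, count, hexbytes in DUMP_RE.findall(log_text):
        data = bytes.fromhex("".join(hexbytes.split()))
        if len(data) != int(count):
            raise ValueError("dump length does not match logged byte count")
        dumps.append((direction, data))
    return dumps

def decode_alerts(log_text):
    """Pair each 5-byte alert record header with its 2-byte body and decode it."""
    dumps, alerts = inline_dumps(log_text), []
    for (dir1, header), (dir2, body) in zip(dumps, dumps[1:]):
        if dir1 != dir2 or len(header) != 5 or header[0] != ALERT_CONTENT_TYPE:
            continue
        if int.from_bytes(header[3:5], "big") != 2 or len(body) != 2:
            continue  # encrypted or malformed alert: not decodable from the log
        alerts.append({
            # Data the server *read* was sent by the peer (the browser).
            "sent_by": "client" if dir1 == "read" else "server",
            "version": (header[1], header[2]),
            "level": LEVELS.get(body[0], "unknown(%d)" % body[0]),
            "description": DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1]),
        })
    return alerts
```

Only alerts sent before encryption starts can be decoded this way; later alerts appear in the log as ciphertext and are skipped.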