[EMAIL PROTECTED] wrote:
> 
> I'm having a bitch of a time getting client verification to work.
> 
> I've got the root CA cert, project CA cert, and server and client certs (keys
> with passphrase removed) all in pem encoded format.  I've done the following.
> 
> 1.Created a new mod_ssl instance of apache
> 2.Set the server key and cert tags
> 3.set verifyclient to 'require', left the verifydepth at 10 (i've tried playing
> with this.. seems to have _no_ effect)
> 4. multiple scenarios here.
> a) set the ca file to the project CA cert (errors with something like 'failed to
> get local issuer')
> b) set the ca file to the root CA cert (some other error which basically said..
> can't verify the issuer)
> c) set the capath to a directory with the server, root ca, and project ca certs
> and ran make to build the hash symlinks
> d) set certificate chain to a file with project CA cert and root ca cert
> e) set ca file to a ca bundle I created with name, md5 fingerprint, cert, and
> text output of root CA and project CA.
> 
> What works?
> if i turn off client verification i can hit the server with an https connection
> 
> I realize that I'm not including error messages, and that's cuz they all seem to
> be a little different.  I've tried connecting to all these scenarios using a p12
> version of the client cert which i generated using the client cert, key (with
> passphrase removed) and also using openssl s_client with cert and key parameters
> using the pem format cert/key (pass removed)
> 
> Has anyone else attempted to do this multiple level CA thing and had success
> doing client cert verification?  Is there something I might have missed?
> 
> some various errors for a-e) "Certificate Verification: Error (26): unsupported
> certificate purpose"
> "Certificate Verification: Error (20): unable to get local issuer certificate"
> 

You don't say what you are using as a client.

It looks like it's having problems verifying the client certificate
chain.

You mention root CA, project CA and server and client certificates. What
actually signs the client certificates, i.e. what is its chain?

Also the unsupported purpose error suggests that you've either hit the
OpenSSL 0.9.5a verification bug (which can cause server verify problems:
it's fixed in 0.9.6) or the chain is really invalid. Without seeing the
client certificate chain (text output) I can't decide which.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
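An added example, not from either poster: this script rebuilds the two-level layout the question describes (root CA, project CA signed by it, client certificate signed by the project CA) with throwaway keys, then runs `openssl verify -purpose sslclient` against each choice of CA file from scenarios a), b) and e). It also shows one way to get the "unsupported certificate purpose" error independently of the 0.9.5a bug: a leaf whose extendedKeyUsage omits clientAuth. All names and paths are assumptions, and it needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's two-level CA layout
# with throwaway keys and see which CA file lets a client certificate verify.
# All names and file paths are assumptions; needs an openssl binary.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'extendedKeyUsage=serverAuth\n' > server_only.ext   # a leaf never meant for client auth

new_csr() {  # $1 = base name, $2 = CN: throwaway RSA key plus CSR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
sign() {     # $1 = base name, $2 = CA base name, extra args go to openssl x509
    b=$1; ca=$2; shift 2
    openssl x509 -req -in "$b.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -days 2 "$@" -out "$b.pem" 2>/dev/null
}

new_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
new_csr project "Example Project CA"; sign project root -extfile ca.ext   # project CA under root
new_csr client "alice";               sign client project                 # the client cert
new_csr badclient "bob";              sign badclient project -extfile server_only.ext
cat project.pem root.pem > bundle.pem   # both CAs: what SSLCACertificateFile should hold

# Prints OK, or the numeric X509 verify error (20, 26, ...), for leaf $2 against CA file $1.
verify_client() {
    out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

echo "project CA only: $(verify_client project.pem client.pem)"   # fails: root is missing
echo "root CA only:    $(verify_client root.pem client.pem)"      # 20: project CA is missing
echo "both CAs:        $(verify_client bundle.pem client.pem)"    # OK
echo "wrong purpose:   $(verify_client bundle.pem badclient.pem)" # 26: serverAuth-only leaf
```

Only the file holding both CA certificates verifies the client chain; `openssl x509 -in client.pem -noout -text` on the real certificates is the chain output the reply asks for.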


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]