Hello,
For last few years we succesfully used both client or server type x509 certificates (specified purpose of 'SSL Server' or 'SSL Client') on our application client side to communicates with Apache web server versions 1.3.22 up to 1.3.33 until openssl_0.9.7g and mod_ssl-2.8.22-1.3.33.
The only change I had to make was to edit source file
mod_ssl-2.8.22-1.3.33/pkg.sslmod/ssl_engine_init.c
and replace line
SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);
with
SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY);
just before code for
/*
* Configure Client Authentication details
*/
But since openssl_0.9.7h and mod_ssl-2.8.22-1.3.33 this change does not work anymore. The code for SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER) in file ssl_engine_init.c is not present and adding line
SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY) does not help.
I still need to verify client certificate and retrive the CN value from it which means I have set parameter as
SSLVerifyClient require
This is the error message I see in error_log:
[error] mod_ssl: Certificate Verification: Error (26): unsupported certificate purpose
[error] mod_ssl: SSL handshake failed (server zcarh0uj.ca.nortel.com:443, client 47.129.93.32) (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Please, any suggestions how to solve this issue with latest
apache_1.3.34
openssl-0.9.7i
mod_ssl-2.8.25-1.3.34
and also with
apache_2.0.55
openssl-0.9.8a
Thanks a lot for any suggestions.
John Chmelicek
Yahoo! FareChase - Search multiple travel sites in one click.
