On Mon, Jun 28, 2010, Chris Peters wrote:

> This might be more a question for the mod_ssl forums, but I suspect it is
> more fundamentally rooted in openssl than that so here goes:
>
> Intermittently, we receive the following block of errors in our Apache SSL
> logs:
>
> [Mon Jun 28 11:24:09 2010] [error] [client ip_address_scrubbed] Certificate Verification: Error (7): certificate signature failure
> [Mon Jun 28 11:24:09 2010] [info] [client ip_address_scrubbed] SSL library error 1 in handshake (server hostname_scrubbed:8443)
> [Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
> [Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
> [Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
>
> We are using SSLVerifyClient because we need Apache to retrieve a cert and
> then pass it along to a Tomcat application. However, it's unimportant for
> Apache to verify the cert thus we specify optional_no_ca.
>
> The certs we are dealing with are signed by a CA that I have added to my
> certificate chain (depth 1 above) simply because Apache won't let us by if
> it doesn't recognize the signer.
>
> This problem only appears to happen with certain hosts--so far--and those
> hosts are all running IIS. Is this an incompatibility with Windows' SSL
> software and OpenSSL? Unfortunately, I have no version information from our
> hosts.
>
> Our software versions are: Solaris 10, Apache/2.2.13 (Unix) mod_jk/1.2.25
> mod_ssl/2.2.13 OpenSSL/0.9.8n
>
This is caused by an unknown digest algorithm. Possibly a bogus error or use of something like SHA256 which isn't added as an SSL algorithm in 0.9.8n.

I'd suggest you try 0.9.8o and see if that resolves the issue.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
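
The numeric codes in the quoted log can be unpacked to see why the reply points at the digest algorithm. The following is an added example, not part of the original thread and not OpenSSL or mod_ssl code. It assumes the packed error layout of OpenSSL 0.9.8 through 1.1.x, and the name tables cover only the two codes that appear in the post.

```python
import re

# Packed error layout in OpenSSL 0.9.8 through 1.1.x (OpenSSL 3.x differs):
# bits 31-24 library, bits 23-12 function, bits 11-0 reason.
def unpack(code):
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# Names for the two codes in the thread only; anything else stays numeric.
LIBS = {13: "asn1 encoding routines", 20: "SSL routines"}
FUNCS = {(13, 197): "ASN1_item_verify", (20, 137): "SSL3_GET_CLIENT_CERTIFICATE"}
REASONS = {(13, 161): "unknown message digest algorithm",
           (20, 178): "no certificate returned"}

LINE = re.compile(r"SSL Library Error: (\d+)\s+error:([0-9A-Fa-f]{8}):")

def decode_log(text):
    """Decode each distinct 'SSL Library Error' entry in mod_ssl log text."""
    seen, out = set(), []
    for dec, hexcode in LINE.findall(text):
        code = int(hexcode, 16)
        if code != int(dec):  # the decimal and hex forms must agree
            raise ValueError(f"decimal {dec} and hex {hexcode} disagree")
        if code in seen:  # mod_ssl logged the ASN.1 error twice
            continue
        seen.add(code)
        lib, func, reason = unpack(code)
        out.append({
            "code": f"{code:08X}",
            "lib": LIBS.get(lib, f"lib({lib})"),
            "func": FUNCS.get((lib, func), f"func({func})"),
            "reason": REASONS.get((lib, reason), f"reason({reason})"),
            # True only for the ASN.1 "unknown message digest algorithm" reason
            "unknown_digest": (lib, reason) == (13, 161),
        })
    return out

# Log lines from the post above, with the mail client's line wraps joined.
SAMPLE = """\
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 218910881 error:0D0C50A1:lib(13):func(197):reason(161)
[Mon Jun 28 11:24:09 2010] [info] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
"""

if __name__ == "__main__":
    for e in decode_log(SAMPLE):
        print(f'{e["code"]}: {e["lib"]}:{e["func"]}:{e["reason"]}')
```

The first decoded entry is the signature check failing inside ASN1_item_verify because the certificate's digest is not registered in the running build; the second is the handshake then reporting that no usable client certificate was returned.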