(modssl-user list, and its -owner email are refusing any/all mail.
sigh.  @#httpd suggested this is the 'right' forum ...)

hi,

i'm trying to set up modssl-based, unique SSL certificate
authentication for a subdirectory @ a shared-host.

atm, my setup returns a Server error of,

        ssl_error_handshake_failure_alert

here's what i've done so far ...

locally, i've created a client cert, signed by my own CA.

on my local desktop, verifying,

        cd /Users/pgn/ssl
        openssl verify -verbose \
         -CAfile myCA.cert.rsa.pem \
         -purpose sslclient \
         mydomain.com.cert.rsa.pem

returns,

        mydomain.com.cert.rsa.pem: OK

i convert that verified cert in .pkcs12,

        openssl pkcs12 -export \
        -in     mydomain.com.cert.rsa.pem \
        -inkey  mydomain.com.privkey.rsa.pem \
        -out    mydomain.com.cert.rsa.pkcs12
                Enter Export Password: ###
                Verifying - Enter Export Password: ###

and import it, successfully, into my local Firefox instance.

i copy my CA cert from local machine to remote host,

        scp \
        myCA.cert.rsa.pem \
        my_remote_u...@mydomain.com:/home/pgn/ssl/myCA.cert.rsa.pem

and rehash,

        ssh -l my_remote_user mydomain.com \
        "c_rehash /home/pgn/ssl/"


checking the results @ remote host,

        cd /home/pgn/ssl
        ls -al
                lrwxrwxrwx 1 my_remote_user my_group   30 2009-06-16 10:19 18e1fe7b.0 -> myCA.cert.rsa.pem
                -rw-r--r-- 1 my_remote_user my_group 2451 2009-06-16 10:19 myCA.cert.rsa.pem

next, in a subdir @ my host, i've

        cat $HOME/(... path to webroot ...)/test/.htaccess
        
                SSLCipherSuite HIGH:MEDIUM
                SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
                deny from all
                allow from xx.xx.xx.xx/29
                
                SSLVerifyClient      require
                SSLVerifyDepth       1
                SSLCACertificateFile "/home/pgn/ssl/myCA.cert.rsa.pem"
                SSLCACertificatePath "/home/pgn/ssl"
                SSLOptions           +OptRenegotiate +StdEnvVars
                SSLRequireSSL
                Options +Indexes

but, @ browser nav to:

        https://mydomain.com/test/

i get a browser error,

        Secure Connection Failed
                An error occurred during a connection to www.mydomain.com.
                SSL peer was unable to negotiate an acceptable set of security parameters.
                (Error code: ssl_error_handshake_failure_alert)

&, @ apache error.log,

        ==> /home/pgn/logs/mydomain.com/https/error.log <==
        [Tue Jun 16 10:35:12 2009] [error] Re-negotiation handshake failed: Not accepted by client!?
        [Tue Jun 16 10:35:12 2009] [error] Re-negotiation request failed


reading around, i presume this is _supposed_ to work, so, likely i've
missed, or configured, something :-/

any suggestions as to what the prob is ?

thanks!
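
The local checks described in the message above, reproduced offline as an added example (not part of the original post). It builds a throwaway CA and client cert, runs the same `openssl verify -purpose sslclient` check, and compares the symlink name `c_rehash` would create for the CA with the name derived from the client cert's issuer, which is what a hashed CA directory such as the one `SSLCACertificatePath` points at is searched by. All file names and subjects are constructed assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and client cert, not the poster's files.
# File names and subjects are assumptions made for this sketch.

make_chain() {   # $1 = empty working directory
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = req
[ca_ext]
basicConstraints = critical,CA:TRUE
[client_ext]
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA, standing in for myCA.cert.rsa.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/openssl.cnf" \
        -extensions ca_ext -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null || return 1
    # Client key and CSR, then a client cert signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=constructed-client" \
        -keyout "$1/client.key.pem" -out "$1/client.csr.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$1/client.csr.pem" -days 1 -set_serial 1 \
        -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" \
        -extfile "$1/openssl.cnf" -extensions client_ext \
        -out "$1/client.cert.pem" 2>/dev/null
}

# The post's local check: does the client cert chain to the CA for client auth?
verify_client() {
    openssl verify -CAfile "$1/ca.cert.pem" -purpose sslclient "$1/client.cert.pem"
}

# Name c_rehash gives the CA symlink (18e1fe7b.0 in the post's listing).
ca_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -hash -in "$1/ca.cert.pem")"
}

# Name a hashed-directory lookup derives from the client cert's issuer.
issuer_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1/client.cert.pem")"
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" && verify_client "$demo_dir"
echo "CA link: $(ca_link_name "$demo_dir")  issuer lookup: $(issuer_link_name "$demo_dir")"
rm -rf "$demo_dir"
```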

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.