Ben Laurie wrote:
> Michael Voucko wrote:
> >
> > Hi *,
> >
> > I have a little problem:
> > We are running apache1.2 with ssleay 0.8.0. In the httpds.conf the
> > directive
> > SSLVerifyClient 2
> > is set so no connection should be possible if the client delivers no
> > certificate or the server is unable to verify the certificate against a
> > trusted CA.
> > Now to the strange thing: when I connect with Communicator to the server
> > all works fine, the browser shows me a secure connection the way it
> > should be. But now what the logfiles say about these connections:
> >
> > access_log :
> > 141.12.207.13 - - [02/Sep/1998:10:49:12 +0200] "GET / HTTP/1.0" 200 1976
> >
> > 141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /links.JPG HTTP/1.0"
> > 200 11225
> > 141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /info.gif HTTP/1.0"
> > 200 2745
> > 141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /email.gif HTTP/1.0"
> > 200 211
> > 141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /support.gif
> > HTTP/1.0" 200 264247
> > 141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /gmbh.JPG HTTP/1.0"
> > 200 5799
> > 141.12.207.13 - - [02/Sep/1998:10:49:18 +0200] "GET /products.JPG
> > HTTP/1.0" 200 3809
> > 141.12.207.13 - - [02/Sep/1998:10:49:19 +0200] "GET /secude-gmbh-89a.gif
> > HTTP/1.0" 200 2017
> > 141.12.207.13 - - [02/Sep/1998:10:49:19 +0200] "GET /partner.JPG
> > HTTP/1.0" 200 3782
> >
> > ssl_log :
> > [02/Sep/1998:10:49:12 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:14 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:14 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:14 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:14 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:14 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:18 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:19 +0200] 3 EXP-RC4-MD5
> > [02/Sep/1998:10:49:19 +0200] 3 EXP-RC4-MD5
> >
> > error_log :
> > [Wed Sep 2 10:49:12 1998] No client certificate
> > [Wed Sep 2 10:49:18 1998] No client certificate
> > [Wed Sep 2 10:49:19 1998] No client certificate
> > [Wed Sep 2 10:49:19 1998] No client certificate
> >
> > My problem is the "no client certificate" in the errorlog.
> > How could this happen when the SSLVerifyClient directive is set to 2?
> > Or is the logging not correct?
>
> Have you got the browser set to prompt for a cert? Could it be that it
> tries once without a cert and then again with?
>
> Cheers,
>
> Ben.
My setting is "ask every time". Meanwhile I tried a few configurations. When
having no certificate at all the logs say:
  error:140890BD:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
When delivering a certificate which the server can't verify because of the
untrusted CA the log tells me:
  error:140890AB:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
When I use a certificate issued by the same CA as used by the server there is a
  No client certificate
line in the log.
I looked in the code and there is only one place in apache_ssl.c where this
message is produced, but I haven't spent a lot of time reading the source
of apache so it doesn't tell me a lot :-(
But to be more general, can someone explain why the connection didn't fail even
though there is an error which shows that apache thought that the client is
not authenticated?
Thanks
Michael
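
Added example, not part of the original thread: a small Python check that correlates the access_log and error_log excerpts quoted above and lists every successful response logged in the same second as a "No client certificate" error. The function names are hypothetical, and it assumes both logs use the server's local time, as they appear to in the post.

```python
import re
from datetime import datetime

# Log lines taken from the post above (e-mail line wraps rejoined).
ACCESS_LOG = """\
141.12.207.13 - - [02/Sep/1998:10:49:12 +0200] "GET / HTTP/1.0" 200 1976
141.12.207.13 - - [02/Sep/1998:10:49:14 +0200] "GET /links.JPG HTTP/1.0" 200 11225
141.12.207.13 - - [02/Sep/1998:10:49:18 +0200] "GET /products.JPG HTTP/1.0" 200 3809
141.12.207.13 - - [02/Sep/1998:10:49:19 +0200] "GET /partner.JPG HTTP/1.0" 200 3782
"""
ERROR_LOG = """\
[Wed Sep 2 10:49:12 1998] No client certificate
[Wed Sep 2 10:49:18 1998] No client certificate
[Wed Sep 2 10:49:19 1998] No client certificate
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
ERROR_RE = re.compile(r'^\[([^\]]+)\] (.*)$')

def cert_error_seconds(error_log, needle="No client certificate"):
    """Return the set of wall-clock seconds at which the error was logged."""
    seconds = set()
    for line in error_log.splitlines():
        m = ERROR_RE.match(line.strip())
        if m and needle in m.group(2):
            seconds.add(datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"))
    return seconds

def served_despite_cert_error(access_log, error_log):
    """List (time, client, request) for 2xx responses logged in the same
    second as a client-certificate error. Assumes both logs use the server's
    local time, as in the post; a match is a lead to investigate, not proof."""
    bad = cert_error_seconds(error_log)
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        client, stamp, request, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if status.startswith("2") and when in bad:
            hits.append((when.isoformat(), client, request))
    return hits

if __name__ == "__main__":
    for hit in served_despite_cert_error(ACCESS_LOG, ERROR_LOG):
        print(*hit)
```

Because the logs only have one-second resolution, several requests can share a timestamp with one error line, so each hit still needs to be checked against the ssl_log entry for the same connection.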