Clientside SSL

zeveck · Dec 13, 2006

Browser: Firefox 2.0
Server: Apache/2.0.54 (Ubuntu) PHP/5.0.5-2ubuntu1.6 mod_ssl/2.0.54 OpenSSL/0.9.7g Server at foo.bar.example.com Port 4443

The folder I am trying to access on the server is protected by a .htaccess containing:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /usr/local/foo/bar.crt

If I try to access said folder I get:
foo.bar.example.com has received an incorrect or unexpected message. Error Code: -12227

If I install a cert signed by bar.crt, I get:
Error establishing an encrypted connection to foo.bar.example.com. Error Code: -12195

I created the certificates by following the directions here:

http://blogs.ittoolbox.com/security...-a-website-with-client-ssl-certificates-11500

I am lost as to what I am doing wrong at this point, and confused as to why Firefox provides such crappy error messages. =(

mbrooks · Dec 13, 2006

Server: Apache/2.0.54 (Ubuntu) PHP/5.0.5-2ubuntu1.6 mod_ssl/2.0.54 OpenSSL/0.9.7g Server at foo.bar.example.com Port 4443

Is this correct? The standard SSL port is 443 not 4443.

M. Brooks

http://mbrooks.info

zeveck · Dec 13, 2006

Yes, it is running on 4443. Would this cause a problem?

mbrooks · Dec 13, 2006

Unless you specifiy in the broswer that you are using a different port other than 443 for SSL. It won't work.

M. Brooks

http://mbrooks.info

zeveck · Dec 13, 2006

How would I specify this?

I am currently trying to hit the secured folder using:

https://foo.bar.example.com:4443/secured/

Is there a step I am missing?

mbrooks · Dec 13, 2006

Set-up Apache to use port 443 then all you need to do is

https://foo.bar.example.com/secured/

The problem is that when you use https the browser defaults to port 443 which is the standard.

M. Brooks

http://mbrooks.info

zeveck · Dec 13, 2006

Is this something particular to client-side certs?

I can browse the rest of the site fine using:

https://sephiroth.corp.google.com:4443/...

I only have trouble with the folder requiring client-side certs. Since the whole site is SSL, I would assume that the browser/server are speaking SSL.

??

zeveck · Dec 14, 2006

Okay. For the record, mbrooks comments about 443 are incorrect. SSL works fine on whatever port you specify.

It turned out that my problem was that CACertificateFile has to be specified per-server rather than per-directory. Sadly, specifying it in an .htaccess file doesn't result in any errors...but the directive appears to just be ignored. Judging from the comment in the mod_ssl src, it looks like this wasn't always the case... =/

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Clientside SSL

zeveck

Programmer

mbrooks

Programmer

zeveck

Programmer

mbrooks

Programmer

zeveck

Programmer

mbrooks

Programmer

zeveck

Programmer

zeveck

Programmer

Similar threads

Part and Inventory Search

Sponsor