Please please help me get this stuff working.
I want client authentication. Currently, I am trying
to get authentication work with my own CA, but that is foobar.
I have an intranet where the people already have certificates.
I want to use the CA that signed those as well.
When s_client does work, it shows that the server
is requesting certificates signed by the allowed CAs, so I am
content with that.

It seems as if the browser is not sending the certificates to Apache.

I'm running Mac OS X Tiger, I've tried importing my own certificates
into Keychain, but that makes no difference, and besides, I already
have a certificate for my intranet in there that should work.
Moreover, my own signed certificates don't have purposes like "client
authentication,"
which is perhaps the cause of some of the trouble.

Any advice will be appreciated.

When I have SSLVerifyClient none

I can log into the SSL enabled server just fine.


When it is SSLVerifyClient optional

s_client without a certificate works

s_client with a certificate produces:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/
Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=Server/
CN=/Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5100:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1046:SSL alert number 48
5100:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

and a browser causes:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0
established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of
entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error
(20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server
:443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib
(20):func(137):reason(178)


When it is SSLVerifyClient require

s_client without certificate: same as with cert above

s_client with certificate:

CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=/L=/O=/OU=/CN=/
Email=
verify return:1
depth=0 /C=US/ST=/L=/O=/OU=/CN=/
Email=
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
5111:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1046:SSL alert number 48
5111:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

browser produces errors:

[28/Jun/2005 07:20:28 05071] [info] Connection to child 0
established (server :443, client 127.0.0.1)
[28/Jun/2005 07:20:28 05071] [info] Seeding PRNG with 0 bytes of
entropy
[28/Jun/2005 07:20:28 05071] [error] Certificate Verification: Error
(20): unable to get local issuer certificate
[28/Jun/2005 07:20:28 05071] [error] SSL handshake failed (server
:443, client 127.0.0.1) (OpenSSL library error follows)
[28/Jun/2005 07:20:28 05071] [error] OpenSSL: error:140890B2:lib
(20):func(137):reason(178)



Running s_server always works, and the client certificate from the
browser is loaded up.
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org