Re: The right magic for Netscape to send the client certificate?
Julio Sánchez Fernández wrote:
>
> I do not manage to convince Netscape to send the client certificate.
> The certificate is in the Netscape cert database, but I don't
> manage to convince Netscape to send it to the server. I get:
Still struggling. I have nearly discarded the possibility of slapd
being the culprit, since we are tracking very closely what mod_ssl
does and, yet, it does not work. Right now I am running Communicator
4.61. I am convinced that Communicator uses a different logic in
the LDAP part than in the HTTP part.
I have connected with the Address Book to port 443 where I run Apache
with mod_ssl and I get this in the error_log:
[error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]
That is exactly what I am getting in slapd:
daemon: new connection on 7
daemon: conn=9 fd=7 connection from j-sanchez.stl.es (74.3.11.123)
accepted.
daemon: added 7r
daemon: activity on:
daemon: select: listen=4 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7)
connection_get(7): got connid=9
connection_read(7): checking for input on id=9
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=4 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7)
connection_get(7): got connid=9
connection_read(7): checking for input on id=9
TLS trace: SSL3 alert read:warning:no certificate
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: select: listen=4 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 7r
daemon: read activity on 7
connection_get(7)
connection_get(7): got connid=9
connection_read(7): checking for input on id=9
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate s3_srvr.c:1531
connection_read(7): TLS accept error error=-1 id=9, closing.
connection_closing: readying conn=9 sd=7 for close.
connection_close: conn=9 sd=7.
daemon: removing 7
conn=-1 fd=7 closed.
daemon: select: listen=4 active_threads=0 tvp=NULL
However, if I connect with the browser to that Apache with HTTPS
on port 443, there is no problem, the certificate is sent correctly.
I can connect to both with s_client and there are not many differences
between both logs, except that we negotiate different ciphers (we do
not support DH yet). The final differences are:
-New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
+New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 512 bit
SSL-Session:
Protocol : TLSv1
- Cipher : EDH-RSA-DES-CBC3-SHA
- Session-ID: 94495FBB1BC9BA97FCD5D0BB8E57721AFCC6E619E6C6B4F46CD9A9BB22E165F1
+ Cipher : DES-CBC3-SHA
+ Session-ID: 40E984AEAF5AAC9095CFF643FB95A1D98E5C4442CBC3507C2957185AC4AD8FE7
Session-ID-ctx:
- Master-Key: 36A40AC2722E5B51808D31BA4E9DBE0558B833ED95AC3F711248846531274F688594C0351579AE8ADA36C4BC38E62A24
+ Master-Key: B41C519753B71F07E2B0C0B23FF09A2A13C2762496CBFBE0DB4A75BD6F2B08CC7DD00F8C2DF61B325628D002B3F19192
Key-Arg : None
- Start Time: 932552349
+ Start Time: 932576902
Timeout : 300 (sec)
The first file (lines marked with -) is from mod_ssl, the second from
slapd.
Does someone know for sure what algorithm Communicator follows to decide
whether to send a certificate or not?
Please, someone give me a hint, I am desperate. I will commit my current
code now so we are all in sync.
Julio
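The slapd trace above shows the server writing a "certificate request" and the client answering with a "no certificate" alert, and mod_ssl's hint points at the CA list ("No CAs known to server for verification?"). In SSLv3 and TLS 1.0 the CertificateRequest handshake message carries the DER-encoded names of the CAs the server will accept (RFC 2246, section 7.4.4), and a conforming client only offers a certificate whose issuer matches one of those names; if the list is empty or lists the wrong CA, it has nothing to send. The Python below is an added example, not code from this thread, OpenLDAP or mod_ssl: it builds and decodes that message and applies the client-side check. The DER helpers, the handshake-type constant and the "Example Corp" names are constructed for the example; against a live server, `openssl s_client` prints the same list under "Acceptable client certificate CA names".

```python
# Added example: decode a CertificateRequest (SSLv3 / TLS 1.0 layout) and check
# whether a client certificate's issuer is among the CA names it advertises.
# DER helpers and sample names are constructed for this example.
from typing import Dict, List, Tuple

OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)
HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_der_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position just after the length field)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_name(rdns: List[Tuple[bytes, str]]) -> bytes:
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, PrintableString }))."""
    sets = b"".join(
        _der_tlv(0x31, _der_tlv(0x30, _der_tlv(0x06, oid) + _der_tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns)
    return _der_tlv(0x30, sets)


def name_to_str(der: bytes) -> str:
    """Render a DER Name (single-valued RDNs, as der_name builds) as 'O=..., CN=...'."""
    labels = {OID_CN: "CN", OID_O: "O"}
    parts = []
    _, pos = _read_der_len(der, 1)            # skip outer SEQUENCE header
    while pos < len(der):
        _, pos = _read_der_len(der, pos + 1)  # SET header
        _, pos = _read_der_len(der, pos + 1)  # inner SEQUENCE header
        oid_len, pos = _read_der_len(der, pos + 1)
        oid, pos = der[pos:pos + oid_len], pos + oid_len
        val_len, pos = _read_der_len(der, pos + 1)  # skip the string tag byte
        val, pos = der[pos:pos + val_len], pos + val_len
        parts.append(f"{labels.get(oid, oid.hex())}={val.decode('ascii', 'replace')}")
    return ", ".join(parts)


def build_certificate_request(cert_types: bytes, ca_names: List[bytes]) -> bytes:
    """Handshake message (type 13) with a CertificateRequest body, RFC 2246 7.4.4:
         opaque certificate_types<1..2^8-1>;
         DistinguishedName certificate_authorities<3..2^16-1>;  (each DN <1..2^16-1>)
    An empty CA list is allowed here because a server with no CAs configured sends one."""
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = bytes([len(cert_types)]) + cert_types + len(cas).to_bytes(2, "big") + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg: bytes) -> Tuple[bytes, List[bytes]]:
    """Inverse of build_certificate_request; raises ValueError on malformed input."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    n = body[0]
    cert_types, pos = body[1:1 + n], 1 + n
    total = int.from_bytes(body[pos:pos + 2], "big")
    pos, end = pos + 2, pos + 2 + total
    if end != len(body):
        raise ValueError("certificate_authorities length disagrees with body length")
    cas = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        if pos + 2 + dn_len > end:
            raise ValueError("DistinguishedName runs past the list")
        cas.append(body[pos + 2:pos + 2 + dn_len])
        pos += 2 + dn_len
    return cert_types, cas


def client_would_offer(issuer_der: bytes, cert_types: bytes, acceptable_cas: List[bytes],
                       rsa_key: bool = True) -> bool:
    """Client-side decision: offer the certificate only if certificate_types includes
    its key type (1 = rsa_sign, 2 = dss_sign) and its issuer name equals one of the
    advertised names byte for byte. An empty list can never match."""
    wanted_type = 1 if rsa_key else 2
    return wanted_type in cert_types and issuer_der in acceptable_cas


def demo() -> Dict[str, Dict[str, object]]:
    # Constructed sample names: the CA that issued the client cert, and a different CA.
    test_ca = der_name([(OID_O, "Example Corp"), (OID_CN, "Example Corp Test CA")])
    root_ca = der_name([(OID_O, "Example Corp"), (OID_CN, "Example Corp Root CA")])
    client_issuer = test_ca  # issuer DN as it appears in the client's certificate
    cases = {
        "listed": build_certificate_request(b"\x01", [test_ca]),
        "wrong_ca": build_certificate_request(b"\x01", [root_ca]),
        "no_cas": build_certificate_request(b"\x01", []),  # server with no CA list
    }
    results = {}
    for label, msg in cases.items():
        types, cas = parse_certificate_request(msg)
        results[label] = {"acceptable": [name_to_str(c) for c in cas],
                          "offers": client_would_offer(client_issuer, types, cas)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:9s} acceptable={r['acceptable']} client offers cert: {r['offers']}")
```

Only the "listed" case ends with the client offering its certificate; the "no_cas" case is the one the mod_ssl hint describes, and the "wrong_ca" case is the silent variant where the server does advertise CAs, just not the one that issued the client's certificate.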