My setup has a ROOT CA and 3 level of Sub CA's. I have generated apache web server and client certificates from every the ROOT and Sub CA's.
I have configured my APACHE web server for client certificate (mutual) authentication. I have generated the apache web server certificate and client certificates from the ROOT CA with proper extensions. In case of Root CA, it works well. Mutual authentication works fine.
In case of Sub CA, the apache web server certifictae and client certificates are generated by SubCA with the same extensions/profile as in case of ROOT CA. But when i try to authenticate users from Sub CA's then following error occurs "unhandled critical extension". SSLCACertificateFile contains the concatenated certifcates of all the CA's( issuing CA certtificate is at top and Root ca certificate is at bottom of this file)
Here is my vhost file
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
DocumentRoot /srv/www/htdocs/
ServerName XXXXXXXXXXXXXX
RewriteEngine On
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /srv/www/htdocs/
ServerName XXXXXXXXX
SSLEngine on
SSLCipherSuite HIGH
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/certificates/cert.pem
SSLCertificateKeyFile /etc/apache2/certificates/key.pem
SSLCACertificateFile /etc/apache2/certificates/chain.pem
#SSLCertificateChainFile /etc/apache2/certificates/chain.pem
//chain.pem contains all the upper level certificates concanetated such that (1st certificate is of issuing CA , going downward towards the root CA...
// i have also tried with the SSLCertificateChainFile directive but the error is same ...
<Directory "/srv/www/htdocs/">
SSLVerifyClient require
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "XXXX"
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
</Directory>
</VirtualHost>
I am using OpenSSL version 0.9.8h release 28 May 2008 and Apache version 2.2.10-2.5 that come by default with OpenSUSE 11.1 distribution...
This issue has already been reported in May 2006, Kindly guide me in this aspect.
Waiting for your kind Reply
Best Regards
Scott Thomas
Diarmuid Curtin-- Diarmuid Curtin wrote :
Hi,
I am running the following test:
openssl 0.9.8b
Mod_SSL 2.0.58
I am using mod_ssl for client authentication, however, when the client
presents the certificate, the following error appears
[error] Certificate Verification: Error (34): unhandled critical extension
in Apache log, and the SSL handshake fails.
When I use openssl -verify on the certificate, it seems happy.
Is there a way I can ask mod_ssl or openssl to ignore critical extensions?
I am aware that this is not good practice, however, I need to demo this
setup and there does not seem to be any other way forward.
i.e. is there a flag in openssl that can turn this checking off temporarily
& how can I do this?
Diarmuid
--
This message was sent on behalf of scott_t...@yahoo.com at openSubscriber.com
http://www.opensubscriber.com/message/openss...@openssl.org/4108750.html
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
https://sexypg89.com/%e0%b8%aa%e0%b8%a5%e0%b9%87%e0%b8%ad%e0%b8%95betflik/