Message-Id: <199708290035.AAA28163@wirehead.it.hq.nasa.gov>
To: questions@freebsd.org
Subject: apache-ssl -- can't verify cert (MORE)
Date: Thu, 28 Aug 1997 20:35:12 -0400
From: Chris Shenton
Sender: owner-freebsd-questions@freebsd.org

I forgot to mention: although the apache-ssl server cannot verify the
client cert, it *will* do SSL between client and server. I tell the
client not to return to the server one of my client certs.

The server is configured in httpd.conf with:

    # Set SSLVerifyClient to:
    # 0 if no certificate is required
    # 1 if the client may present a valid certificate
    # 2 if the client must present a valid certificate
    # 3 if the client may present a valid certificate but it is not required to
    #   have a valid CA
    SSLVerifyClient 3

So it doesn't require the client to submit one. Hummm... #1 requires a
valid CA, but #3 does not. So I really don't know why it fails me when
it can't verify the client cert.

This means that a majority of the SSL is working fine -- that it simply cannot validate the client's cert.
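
The four SSLVerifyClient levels quoted in the message above, as an added example that is not part of the original post or of Apache-SSL: the script builds two constructed throwaway CAs and a client certificate with the openssl command line, then prints the outcome each level's comment describes when the client's issuer is not the CA the server trusts. The decide function is a simplified model of those comments, and every file and function name here is an assumption.

```shell
# Added example: every key and certificate below is constructed for the demo.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# make_ca NAME: self-signed throwaway CA -> $W/NAME.pem and $W/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $1" \
        -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

# make_client CA: client certificate signed by CA -> $W/client.pem
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$W/client.key" -out "$W/client.csr" 2>/dev/null
    openssl x509 -req -in "$W/client.csr" -days 1 \
        -CA "$W/$1.pem" -CAkey "$W/$1.key" -CAcreateserial \
        -out "$W/client.pem" 2>/dev/null
}

# chain_ok CERT CAFILE: succeeds only if CERT chains to the CA in CAFILE
chain_ok() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# decide LEVEL CERT CAFILE: prints accept or reject, following the quoted
# httpd.conf comments (a model, not Apache-SSL code).
# An empty CERT means the client sent no certificate.
decide() {
    case "$1" in
        0) echo accept ;;   # no certificate required
        1) if [ -z "$2" ] || chain_ok "$2" "$3"; then echo accept; else echo reject; fi ;;
        2) if [ -n "$2" ] && chain_ok "$2" "$3"; then echo accept; else echo reject; fi ;;
        3) echo accept ;;   # certificate optional, its CA need not be trusted
        *) echo "unknown level $1" >&2; return 2 ;;
    esac
}

# Server trusts "trusted"; the client certificate is issued by "other".
make_ca trusted; make_ca other; make_client other
for lvl in 0 1 2 3; do
    echo "SSLVerifyClient $lvl: $(decide "$lvl" "$W/client.pem" "$W/trusted.pem")"
done
```

Running `chain_ok` against the CA file the server is actually configured with shows whether a given client certificate can be verified at all, independent of the SSLVerifyClient level.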