I have an Apache 2 host running with a commercial (RapidSSL) signed certificate and I need to generate client certificates for authentication.
I created a CA (according to http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html ) and modified my apache config file accordingly.
<VirtualHost *:443>
    ServerName SITEtest.XXX.com
    DocumentRoot /SITE/html
    CustomLog /SITE/html.log vhost_combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/comercialcert.cer
    SSLCertificateChainFile /etc/apache2/ssl/comercialcert.int
    SSLCertificateKeyFile /etc/apache2/ssl/comercialcert.key

    <Directory /SITE>
        AllowOverride All
        SSLRequireSSL
        SSLCACertificateFile /etc/apache2/ssl/selfsignedcaCA.crt
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StrictRequire +StdEnvVars +ExportCertData +FakeBasicAuth
    </Directory>
</VirtualHost>
I imported a pkcs12 file generated with the same CA to my browser.
Every time I try to access the site I get the error "Re-negotiation handshake failed: Not accepted by client!?" in the Apache error log.
Everything works fine if I use a certificate generated by my CA in SSLCertificateFile, but that doesn't work as intended, as the browser recognizes the web server certificate as self-signed.
Further details:
Apache/2.2.9 (Debian Lenny)
mod_ssl/2.2.9 OpenSSL/0.9.8g
You may be using an Apache distribution that has had the TLS renegotiation workarounds back-ported into it. One quick thing to try is to add the SSLInsecureRenegotiation off directive. If that doesn't work, change your SSLVerifyClient directive to Optional.
This will open the server up to TLS Renegotiation vulnerabilities for that directory location but there isn’t much you can do about it until Debian updates their distribution (or you custom compile your own distribution).
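The renegotiation in the question is triggered by placing SSLVerifyClient inside a <Directory> block: mod_ssl can only enforce a per-directory client-certificate requirement after it has seen the request, so it renegotiates the already-established session. The configuration below is an added example (not from the question or the answer above) that requests the client certificate in the initial handshake by moving verification to the VirtualHost level; the file paths and ServerName are taken from the question, the rest is assumed.

```apache
# Added example: mutual TLS with verification at the VirtualHost level.
# Because SSLVerifyClient is not per-directory, the client certificate is
# requested during the first handshake and no renegotiation is needed.
<VirtualHost *:443>
    ServerName SITEtest.XXX.com
    DocumentRoot /SITE/html
    CustomLog /SITE/html.log vhost_combined

    SSLEngine on

    # Commercial (RapidSSL) server certificate and its chain, exactly as in
    # the question: browsers trust the server through this chain.
    SSLCertificateFile      /etc/apache2/ssl/comercialcert.cer
    SSLCertificateChainFile /etc/apache2/ssl/comercialcert.int
    SSLCertificateKeyFile   /etc/apache2/ssl/comercialcert.key

    # Private CA used only to verify client certificates. It is independent
    # of the server certificate, so the server cert stays commercially signed.
    SSLCACertificateFile /etc/apache2/ssl/selfsignedcaCA.crt
    SSLVerifyClient require
    # Depth 1: the client cert must be issued directly by the CA above.
    SSLVerifyDepth 1
    # +FakeBasicAuth from the question is omitted here; it additionally
    # needs a matching htpasswd entry per client DN to work.
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData

    <Directory /SITE>
        AllowOverride All
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

With this layout every request to the vhost requires a client certificate, so it only fits when no part of the site should be reachable without one; where some paths must stay open, the per-directory form (and the answer's workarounds) is the remaining option.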