Good morning.
I'm trying to set up an SSL channel with authentication via SSL certificates. I create the certificates as described here: http://www.vanemery.com/Linux/Apache/apache-SSL.html
CA:
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
For the server:
openssl genrsa -des3 -out mars-server.key 1024
openssl req -new -key mars-server.key -out mars-server.csr
openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
For the client:
openssl genrsa -des3 -out van-c.key 1024
openssl req -new -key van-c.key -out van-c.csr
openssl x509 -req -in van-c.csr -out van-c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
openssl pkcs12 -export -in van-c.crt -inkey van-c.key -name "Van Emery Cert" -out van-c.p12
openssl pkcs12 -in van-c.p12 -clcerts -nokeys -info
I import van-c.p12 into IE 7. Everything is OK, but on the "путь сертификации" (certification path) tab it says "Невозможно обнаружить поставщика этого сертификата." (the issuer of this certificate cannot be found).
As I understand it, this means the certificate doesn't include the issuer (CA) info?
I tried specifying the -CAfile parameter when signing van-c: couldn't get it to work, it's not clear how or where to put it....
In the ssl log:
[error] Re-negotiation handshake failed: Not accepted by client!?
[trace] OpenSSL: Write: SSLv3 read client certificate B
[trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[error] SSL error on writing data (OpenSSL library error follows)
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
If I set SSLVerifyClient none, the SSL connection works fine.
I'm completely confused.
In http.conf, first there is this section:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/www/data"
ServerName mars
ServerAdmin admin@mars
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
SSLCertificateFile /usr/local/etc/apache/ssl.crt/mars-server.crt
# Server Private Key:
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/mars-server.key
# Server Certificate Chain:
#SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt
# Certificate Authority (CA):
#SSLCACertificatePath /usr/local/etc/apache/ssl.crt
#by Crx
SSLCACertificateFile /usr/local/etc/apache/ssl.crt/my-ca.crt
<Directory /home/mars/data/www/mars/test/restructed/>
# SSLRequireSSL
# SSLVerifyClient require
# SSLVerifyClient 2
# SSLVerifyClient none
# SSLVerifyDepth 1
</Directory>
# Certificate Revocation Lists (CRL):
#SSLCARevocationPath /usr/local/etc/apache/ssl.crl
#SSLCARevocationFile /usr/local/etc/apache/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# by crx
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
CustomLog /var/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Then this one. I haven't quite figured it out, but for some reason the parameters have to be set in both....
<VirtualHost ip:443>
ServerName mars
DocumentRoot /home/mars/data/www/mars
Group mars
User mars
CustomLog /home/mars/logs/mars.access.log combined
ErrorLog /home/mars/logs/mars.error.log
ServerAlias www.mars
ServerAdmin admin@mars
AddDefaultCharset windows-1251
php_admin_value open_basedir "/home/mars/data:."
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f admin@mars"
php_admin_value upload_tmp_dir "/home/mars/data/tmp"
php_admin_value session.save_path "/home/mars/data/tmp"
AddType application/x-httpd-php .php .php3 .php4 .php5 .phtml
AddType application/x-httpd-php-source .phps
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/ssl.crt/mars-server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/mars-server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
<Directory /home/mars/data/www/mars/test/restructed/>
SSLVerifyClient 2
# SSLVerifyClient none
# SSLVerifyClient reque
SSLVerifyDepth 1
</Directory>
</VirtualHost>
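Added example (not from the post above): a small Python check for the situation the log hint "No CAs known to server for verification?" points at, namely a VirtualHost that demands a client certificate (SSLVerifyClient, including inside a <Directory>) while no SSLCACertificateFile or SSLCACertificatePath is set in that vhost. The parser is a minimal one written for this example, not Apache's, and the sample config is a constructed abbreviation of the two vhosts in the post.

```python
"""Find vhosts that demand a client certificate without naming a CA, the
misconfiguration behind mod_ssl's 'No CAs known to server' hint."""
import re

# Values that make mod_ssl request a client cert (1/2/3 are the legacy numeric spellings)
REQUESTING = {"optional", "require", "optional_no_ca", "1", "2", "3"}
CA_DIRECTIVES = ("sslcacertificatefile", "sslcacertificatepath")

def parse_vhosts(conf: str) -> list:
    """One (address, {directive: [values]}) per <VirtualHost>, including
    directives set in nested <Directory>/<Files>/<Location> blocks."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments start the line
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = (m.group(1), {})
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and not line.startswith("<"):
            name, _, value = line.partition(" ")
            current[1].setdefault(name.lower(), []).append(value.strip())
    return vhosts

def vhosts_missing_ca(conf: str) -> list:
    """Addresses of vhosts that ask for a client cert but configure no CA."""
    bad = []
    for addr, d in parse_vhosts(conf):
        asks = any(v.lower() in REQUESTING for v in d.get("sslverifyclient", []))
        if asks and not any(k in d for k in CA_DIRECTIVES):
            bad.append(addr)
    return bad

# Constructed sample modelled on the two vhosts in the post (abbreviated).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLCertificateFile /usr/local/etc/apache/ssl.crt/mars-server.crt
    SSLCACertificateFile /usr/local/etc/apache/ssl.crt/my-ca.crt
    #SSLVerifyClient require
</VirtualHost>
<VirtualHost ip:443>
    <Directory /home/mars/data/www/mars/test/restructed/>
        SSLVerifyClient 2
    </Directory>
</VirtualHost>
"""

print("client certs demanded without a CA in:", vhosts_missing_ca(SAMPLE_CONF))
```

Running it reports only the second vhost; adding an SSLCACertificateFile line to that vhost makes the list empty.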