Article delegate-en <_A1117@delegate-en.ML_>
[delegate-en/1117]
Newsgroups: mail-lists.delegate-en

sslway client auth problem
22 Apr 2001 11:32:36 GMT     Roger Buck <peecabdyi.ml@delegate.org>
-= Studio of Arts And Sciences =-

Using delegated-7.1.2 + sslway on Linux RH6.2, I cannot get sslway to
accept client certificates (server certificates load correctly).

First error message from delegated log is "unable to get local issuer
certificate"

If my configuration (below) is incorrect, can someone please tell me
correct syntax for FCL= ?

and/or correct format (openssl) for client certificate bundle/file(s)?

I am using client certificate signed by same CA system that generated
the Delegate server-cert.pem. The client certificate loaded into
Navigator with no apparent problem. Delegate/sslway log files show
correct client certificate info (client using Netscape 4.76 browser on
RH6.2).

Any help most gratefully accepted,

Regards,

R.


Log excerpts follow:

#!/bin/sh
# $DELEGATED holds the path to the delegated binary
$DELEGATED \
        -P203.53.94.193:443 \
        ADMIN="www@localhost" \
        SERVER=https \
        RELAY=no \
        FCL="sslway -auth -CAfile 01.pem cacert.pem" \
        CACHE=no \
        MOUNT="/* http://10.1.1.67/* host=-x-msi.example.com.au" \
        MOUNT="/* http://10.1.1.66/* host=-x-linux.example.com.au" \
        REACHABLE=".localnet,*" \
        RELIABLE="*" \
        PERMIT="*:*:*" \
        REMITTABLE="http,https,ftp,file"  \
        CRON="10 2 * * * -expire 3" \
        CRON="40 2 * * * -restart" 


All the .pem files are in ./lib/  (including server-cert.pem and
server-key.pem)

I have tried a variety of options for FCL, but all have similar result.



One short example "snipped" from delegated log file:

[--snip--]
04/22 20:37:14.17 [2671] 0+0: arg[10] RELIABLE=*
04/22 20:37:14.17 [2671] 0+0: arg[11] PERMIT=*:*:*
04/22 20:37:14.17 [2671] 0+0: arg[12] REMITTABLE=http,https,ftp,file
04/22 20:37:14.17 [2671] 0+0: arg[13] CRON=10 2 * * * -expire 3
04/22 20:37:14.17 [2671] 0+0: arg[14] CRON=40 2 * * * -restart
04/22 20:37:14.17 [2671] 0+0: DELEGATE_Modified[1]: 3ae2b45a
04/22 20:37:14.17 [2671] 0+0: --INITIALIZATION DONE--
04/22 20:37:45.02 [2693] 1+0: -- Fork(OnetimeServer): 2671 -> 2693
04/22 20:37:45.03 [2693] 1+0: (0) accepted [42]
-@[203.28.124.38]nux.saas.nsw.edu.au:1881 (0.009s)(1)
04/22 20:37:45.03 [2693] 1+0: PATH:
https://-:443!tls.msi.com.au:443!nux.saas.nsw.edu.au:1881!anonymous@nux.saas.nsw.edu.au;987935865
04/22 20:37:45.04 [2694] 1+0: -- Fork(FCL): 2693 -> 2694
04/22 20:37:45.04 [2694] 1+0: #### execFilter[FCL]
[/var/spool/delegate-nobody/lib/sslway]sslway -cert server-cert.pem -key
server-key.pem -auth -CAfile 01.pem cacert.pem
## SSLway[2694](nux.saas.nsw.edu.au) depth=0/10 20:"unable to get local
issuer certificate" /C=AU/ST=New South Wales/L=Sydney/O=MSI Certificate
Authority/OU=IT Department/CN=Elvis
Presley/I=EP/Email=peecabdyi.ml@delegate.org
## SSLway[2694](nux.saas.nsw.edu.au) depth=0/10 27:"certificate not
trusted" /C=AU/ST=New South Wales/L=Sydney/O=MSI Certificate
Authority/OU=IT Department/CN=Elvis
Presley/I=EP/Email=peecabdyi.ml@delegate.org
## SSLway[2694](nux.saas.nsw.edu.au) depth=0/10 21:"unable to verify the
first certificate" /C=AU/ST=New South Wales/L=Sydney/O=MSI Certificate
Authority/OU=IT Department/CN=Elvis
Presley/I=EP/Email=peecabdyi.ml@delegate.org
## SSLway[2694](nux.saas.nsw.edu.au) client's cert. =
**subject<</C=AU/ST=New South Wales/L=Sydney/O=MSI Certificate
Authority/OU=IT Department/CN=Elvis
Presley/I=EP/Email=peecabdyi.ml@delegate.org>> **issuer<</C=AU/ST=New South
Wales/L=Sydney/O=MSI Certificate Authority/OU=IT Department/CN=MSI
International/Email=webmaster@example..au>>
04/22 20:37:47.96 [2693] 1+0: Proxy: host=nux.saas.nsw.edu.au;
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686); DIRECT
04/22 20:37:47.96 [2693] 1+0: HCKA:[0] Keep-Alive;
host=nux.saas.nsw.edu.au; (User-Agent: Mozilla/4.76 [en] (X11; U; Linux
2.2.17-14 i686))
[--snip--]

==end==
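Added example, not part of the original post or of DeleGate/sslway: it reproduces with plain openssl the error 20 ("unable to get local issuer certificate") seen in the log above, by checking a client certificate against a -CAfile that holds the issuing CA and then against a file that holds only a leaf certificate. The CA, the client certificate and every file name below are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "unable to get
# local issuer certificate" check with openssl. All names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway CA: stands in for the poster's cacert.pem.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test CA" -keyout ca-key.pem -out cacert.pem 2>/dev/null

# A client certificate signed by that CA: stands in for a leaf file like 01.pem.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Example Client" -keyout client-key.pem -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA cacert.pem -CAkey ca-key.pem \
  -CAcreateserial -days 1 -out 01.pem 2>/dev/null

# verify_against CAFILE CERT: exit 0 only if CERT chains to a CA in CAFILE.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error CAFILE CERT: print openssl's reason text, or "OK".
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -oE 'unable to get local issuer certificate|OK' | head -n 1
}

# Correct -CAfile: the issuing CA. Expected: OK.
verify_against cacert.pem 01.pem && echo "cacert.pem as -CAfile: OK"
# Wrong -CAfile: a leaf cert is not its own issuer. Expected: error 20 text.
verify_against 01.pem 01.pem || echo "01.pem as -CAfile: $(verify_error 01.pem 01.pem)"
```

Running `openssl verify -CAfile <file> <client-cert>` against the exact file handed to sslway's -CAfile is the quick way to tell whether the bundle is at fault before looking at the proxy itself.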