Firefox refuses to show certificate list when Apache server requests client certificate? [closed]

StackOverflow https://stackoverflow.com/questions/22257871

Question

I'm trying to force Apache to authenticate users by their personal certificates before letting them access the site's content on my company's LAN website.

So far I've tried configuring httpd-ssl.conf like this:

SSLVerifyDepth 0
SSLVerifyClient require
SSLProxyEngine off

When I go to https://localhost via Firefox, it shows me a dialog with the list of my imported certificates to choose one.

That's OK, exactly what I expected. But then I wondered, "So, how can I test/verify my client's certificate?" At this point all the certificates that I tried from the cert dialog (all self-signed certs that I created myself) were rejected by the server.

Some googling led me to a directive named "SSLCACertificateFile". That's the path to a certificate file that should be the root CA of all clients' certificates. In other words, any certificate from a client that was issued by this CA would be accepted as valid. (More about it can be found here.)

But the problem is, when I specify a concrete CA certificate file that way, Firefox stops showing me the certificate dialog box. The file "httpd-ssl.conf" looks like this:

SSLCACertificateFile    C:/(...)/apache2/server_certs/ca.pem

SSLVerifyDepth 0
SSLVerifyClient require
SSLProxyEngine off

Instead, Firefox showed me an error notification with the error code "ssl_error_handshake_failure_alert".

I'm sure the CA certificate file "ca.pem" was in the correct format because it's the original one in the installation package that I downloaded. (Actually, it's in a free product named uniServer.)

I've tested this against IE and Chrome, with the same results. I've tried some other "ca.pem" files (all self-signed), and the result didn't change.

So, my question is quite simple: what's wrong with specifying a concrete CA file for the Apache directive "SSLCACertificateFile"?

If you can tell me the answer to that, would you mind also telling me some more ways to verify the client certs, such as CN, issue date, valid-to date, etc.?

Thanks, and I highly appreciate any suggestions.


Solution

SSLVerifyDepth 0 "means that self-signed client certificates are accepted only", which doesn't seem to be what you're trying to do (since you've set up a CA).

You'd certainly want to increase this to at least 1 (or more if the client may present a certificate chain).

openssl s_client -connect your.server.name:443 should give you a list of the CA names advertised by the server. Firefox will only offer you a choice of certificates that can be chained to these issuers.

For authorisation conditions, you might be interested in SSLRequire (or its successor, depending on the version of Apache Httpd you're using).
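The check the answer describes, as an added example that is not part of the original answer: a small POSIX shell helper that pulls the "Acceptable client certificate CA names" block out of `openssl s_client` output and tests whether a client certificate's issuer DN is on that list. Firefox only offers certificates whose chain ends at one of the advertised issuers, so an empty or mismatched list is exactly the case where the certificate dialog never appears. The s_client output embedded below is constructed for the example, and the CA names in it are hypothetical; against a real server you would pipe the live s_client output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original answer): extract the CA names a server
# advertises in its CertificateRequest from `openssl s_client` output, and
# check a client certificate's issuer DN against that list.

# Constructed sample of `openssl s_client -connect host:443` output. The CA
# names are hypothetical; the layout follows what OpenSSL 1.1.1+ prints.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = localhost
   i:CN = localhost
---
Acceptable client certificate CA names
C = XX, O = Example Corp, CN = Example Corp Internal CA
C = XX, O = Example Corp, CN = Example Corp Users CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1234 bytes and written 456 bytes'

# Read s_client output on stdin; print one advertised CA DN per line.
# The list runs from the header line to the next "Client Certificate Types"
# or "---" line. Prints nothing when the server sent no CA names (s_client
# then prints "No client certificate CA names sent" instead of the header),
# which is the symptom to look for when the browser shows no dialog.
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { on = 1; next }
        on && (/^---/ || /^Client Certificate Types/) { on = 0 }
        on { print }
    '
}

# Read s_client output on stdin; print how many CA names were advertised.
count_acceptable_cas() {
    acceptable_cas | awk 'END { print NR }'
}

# issuer_is_acceptable ISSUER_DN   (s_client output on stdin)
# Exit 0 when ISSUER_DN matches an advertised CA name exactly, 1 otherwise.
# Get the issuer of your client cert with, for example,
#   openssl x509 -in client.pem -noout -issuer
# and strip the leading "issuer=" (the DN formatting must match s_client's).
issuer_is_acceptable() {
    acceptable_cas | grep -Fxq -- "$1"
}

# Live use against a real server (needs network access; not run here):
#   openssl s_client -connect your.server.name:443 </dev/null 2>/dev/null | acceptable_cas

# Stand-alone run over the constructed sample: lists the two example CAs.
printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | acceptable_cas
```

If the issuer of the certificate you imported into Firefox is not in that list, the fix is on the server side: the issuer's certificate has to be in the file named by SSLCACertificateFile (or in SSLCACertificatePath), and SSLVerifyDepth must be large enough to reach it.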

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow