Re: MSIE, certificates and SSLeay

Frederick J. Hirsch (fjh@opengroup.org)
Wed, 09 Jul 1997 10:00:28 -0400

In reply to: jacek@unipos.com.pl: "Re: MSIE, certificates and SSLeay"

>>How can I download my CA info (confirmed by me) to MSIE ?

I have written up some information about creating a CA, and server and client certs, and loading them, in
http://www.opengroup.org/~fjh/Papers/cook/ssl_cook.html
(This is oriented to SSLeay-0.6.6 but still applicable)

>I have added this to apache_ssl.c but still can't get MSIE connected to
>apache. It still doesn't work with netscape 3.01 while having sslv3
>enabled.
>No problems with apache + ssl 0.6.1 (without sslv3).

I should point out that this change was part of my attempt to get SSL established with IE 3.02 when requiring client certificates to be used. You don't need to do this otherwise and should be able to establish SSL with NS or IE when not requiring client certs.

I was working with apacheSSL 1.7 (apache_1.2.0+ssl_1.7.tar.gz) with Apache 1.2.0 and SSLeay-0.8.0. There is now an apache SSL 1.8 which I am trying.

Looking at the spec for SSL3, it seems to me that the CA cert is the right one to include in the list, since section 5.6.4 says that the certificate request includes the list of distinguished names of acceptable certificate authorities.

I think SSL_CTX_set_client_CA_list sets the SSL * variable which is checked to fill this list (client_CA). There are two such variables, one in the ssl_st structure, and one in ssl_ctx_st (ssl.h). I'm initializing the one in ssl_ctx but am not yet sure if the other needs to be initialized.

The routine ssl3_send_certificate_request(s) is used to request a client certificate when required (s3_srvr.c). This calls SSL_get_client_CA_list(s) to determine the CA names to include in the request for the client certificate.

SSL_get_client_CA_list is defined in ssl_cert.c and accesses either s->client_CA or s->ctx->client_CA.

ctx->client_CA is initialized by

    SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));

Frederick
--------------------------------------------------------------------------
Frederick J. Hirsch
The Open Group Research Institute
11 Cambridge Center, Room 418
Cambridge, MA 02142
(617) 621-8986
(617) 621-8696 (FAX)
http://www.opengroup.org/~fjh/
f.hirsch@opengroup.org
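
Added example (not part of the original message and not SSLeay code): a bounds-checked parser for the body of the SSL3 CertificateRequest message discussed above, useful for checking from a captured handshake which CA names a server actually put in the list. The names dn_ref, parse_cert_request and issuer_acceptable and the sample bytes are constructed for this illustration, and the layout assumed is the SSL3 / TLS 1.0 one (a certificate type vector, then a list of length-prefixed DER names).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct dn_ref { const uint8_t *der; size_t len; };

/* Constructed sample: DER Name holding the single attribute CN=Test CA. */
#define DN_BYTES 0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03, \
                 0x13,0x07,'T','e','s','t',' ','C','A'
static const uint8_t SAMPLE_DN[] = { DN_BYTES };
/* Constructed request body: one type (1 = rsa_sign), then that one name. */
static const uint8_t SAMPLE_REQ[] = { 0x01,0x01, 0x00,0x16, 0x00,0x14, DN_BYTES };

/* Read a big-endian 16-bit length at *off and advance; -1 if truncated. */
static long rd16(const uint8_t *b, size_t len, size_t *off)
{
    if (len - *off < 2) return -1;
    *off += 2;
    return ((long)b[*off - 2] << 8) | b[*off - 1];
}

/* Parse a CertificateRequest body (handshake header already stripped).
 * Returns the number of names stored in out[], or -1 if malformed. */
int parse_cert_request(const uint8_t *b, size_t len, struct dn_ref *out, int max)
{
    size_t off = 0;
    int n = 0;
    if (len < 1) return -1;
    size_t ntypes = b[off++];                  /* certificate_types vector */
    if (ntypes == 0 || len - off < ntypes) return -1;
    off += ntypes;
    long total = rd16(b, len, &off);           /* certificate_authorities */
    if (total < 0 || (size_t)total != len - off) return -1;
    while (off < len) {
        long dlen = rd16(b, len, &off);        /* one DistinguishedName */
        if (dlen <= 0 || (size_t)dlen > len - off || n >= max) return -1;
        out[n].der = b + off;
        out[n++].len = (size_t)dlen;
        off += (size_t)dlen;
    }
    return n;
}

/* Byte-for-byte DER comparison; a simplification of real name matching. */
int issuer_acceptable(const struct dn_ref *list, int n, const uint8_t *dn, size_t dlen)
{
    for (int i = 0; i < n; i++)
        if (list[i].len == dlen && memcmp(list[i].der, dn, dlen) == 0) return 1;
    return 0;
}
```

A return value of 0 means the request carried an empty CA list; -1 means the lengths in the message do not add up.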