cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: apache2 config difference secure.c.o/lists.c.o
- Date: Wed, 23 Oct 2013 15:57:52 +0200
- Openpgp: id=9940BEF1
Hi Andre,
On 23.10.2013 06:55, Andre Klärner wrote:
> On Tue 22.10.2013 04:08:55, Michael Tänzer wrote:
>> On 22.10.2013 02:52, Andre Klärner wrote:
>>> I tried both with the same certificate, the same browser (Chrome on
>>> Android) and the same Android, just seconds one from each other, but the
>>> request on secure.cacert.org fails with the usual "cannot negotiate ssl…"
>>> while the login on Sympha works perfectly (actually I discovered that in
>>> a routine of just clicking on the cert while following an archive link and
>>> trying the cert logon on secure.cacert.org just to test it out).
>>
>> Can you try to get a more exact error message? Something that indicates
>> what exactly caused handshake to fail (e.g. no matching cipher suite,
>> invalid server certificate, no suitable client certificate, certificate
>> authentication denied). That would help a lot to narrow down where the
>> error is to be found.
>
> The error message is: "ERR_BAD_SSL_CLIENT_AUTH_CERT" which basically means
> "certificate-based authentication failed" as written in the error's header.
>
> I also attached a tcpdump of a session from my android against one of my
> servers, that shows the same problem.
a) your server doesn't include the CAcert class 3 subroot cert in the
chain although it is signed by it, this could result in strange
behaviour on clients that trust the class 1 root but haven't cached the
class 3 cert yet, because they can't establish the trust chain. This
can't be the issue with the critical web server though because that uses
a class 1 signed certificate.
b) in the first two connection attempts the server correctly transmits
the DNs of the CAs it's accepting certificates from but the client just
closes the TCP connection instead of responding
c) in the third attempt the client responds with a CAcert class 3
certificate and from my view the certificate validates just fine, but
for some reason the server responds with a fatal "Unknown CA" message.
That seems a bit strange.
d) Have you imported the class 3 root in Android? Because secure.c.o
only sends the class 1 root as accepted DNs on the client cert request;
now if your Android doesn't know the missing link it can't include it
when it sends your client certificate which is signed by class 3 and
then the server doesn't know how to validate it.
--
Cheers,
Michael Tänzer
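The two things Michael's points (a) and (d) hinge on can both be read off the text that `openssl s_client -connect HOST:443 -showcerts` prints: the "Certificate chain" section shows whether the server ships its intermediate (sub-root), and the "Acceptable client certificate CA names" section shows which CA DNs the server puts into its CertificateRequest. The helper functions below are an added example, not code from the thread or from CAcert; they parse that output with awk so a sysadmin can check both conditions without reading a tcpdump. The sample output embedded in the script is constructed (placeholder DNs and a truncated PEM blob), not a capture from secure.cacert.org or lists.cacert.org.

```shell
#!/bin/sh
# Added example (not from the thread): parse `openssl s_client -showcerts`
# output to check chain completeness and the advertised client-cert CAs.

# Constructed sample of s_client output. Real output has the same section
# markers; the DNs and the PEM body here are placeholders.
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.org
   i:O = Example CA, CN = Example Class 3 Sub Root
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.org
issuer=O = Example CA, CN = Example Class 3 Sub Root
---
Acceptable client certificate CA names
O = Example CA, CN = Example Class 1 Root
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

# Subjects ("s:") of every certificate the server sent in its chain.
# The section ends at a line that is exactly "---" (PEM delimiters start
# with "-----" too, so anchor on the full line).
chain_subjects() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain/   { grab = 1; next }
        grab && /^---$/        { grab = 0 }
        grab && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); print }'
}

# Issuers ("i:") of every certificate in the chain.
chain_issuers() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain/ { grab = 1; next }
        grab && /^---$/      { grab = 0 }
        grab && /^ *i:/      { sub(/^ *i:/, ""); print }'
}

# CA names the server advertises in its CertificateRequest, one per line.
accepted_ca_names() {
    printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        grab && (/^Client Certificate Types/ || /^Requested Signature/ || /^---$/) { grab = 0 }
        grab { print }'
}

# Print every issuer in the chain that is neither a subject the server sent
# nor the root the client already trusts ($2). Empty output means the chain
# is complete for a client that trusts that root; anything printed is a
# "missing link" the client would have to know on its own.
chain_missing_links() {
    subjects=$(chain_subjects "$1")
    chain_issuers "$1" | while IFS= read -r issuer; do
        [ "$issuer" = "$2" ] && continue
        printf '%s\n' "$subjects" | grep -Fxq -- "$issuer" || printf '%s\n' "$issuer"
    done
}

# Return 0 if the client certificate's issuer DN ($2) is among the CA names
# the server accepts, 1 otherwise. A client whose cert is issued by a CA not
# in this list has no chain it can present that ends in an accepted name
# unless it also holds and sends the intermediate itself.
issuer_accepted() {
    accepted_ca_names "$1" | grep -Fxq -- "$2"
}
```

Against a live server the output would be captured with `openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null`, then passed to `chain_missing_links "$(cat capture.txt)" "<DN of the root the client trusts>"` and `issuer_accepted "$(cat capture.txt)" "<issuer DN of the client certificate>"`; the exact DN formatting in the "Acceptable client certificate CA names" section varies between OpenSSL versions, so the DN arguments must match the style the local `openssl` prints.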