<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#ffffff"> Wow!! Actually I had directory directive instead of location at that moment (I was just trying that). I made a copy-paste and changed it on-the-fly but I guess I didn't realize about the first <Location>... hehehe sorry So... do you do something similar in your virtualhost? I mean, do you need users to use a client certificate only in some parts of the website? Thank you very much On 31/08/10 10:11, Luis Neves wrote: <blockquote cite="mid:COL110-W43BC3ECD13EF8D0DDF798DA78A0@phx.gbl" type="cite"> <style></style>Hi Tomas, Its missing something on your post, like the first location, etc, but anyway, is when using the "location" tag that is giving the problem? I dont use it but will make a test to see what happens here Luis <hr id="stopSpelling">Date: Mon, 30 Aug 2010 14:24:00 +0200 From: <a class="moz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> To: <a class="moz-txt-link-abbreviated" href="mailto:mod_nss-list@redhat.com">mod_nss-list@redhat.com</a> Subject: [Mod_nss-list] Problem configuring Client certificate Authentication <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <meta name="Generator" content="Microsoft SafeHTML"> Greetings I'm trying to configure mod_nss in Apache in order to use it as my client certificate authentication mechanism, but I'm having problems with it.. I'd like to use client authentication in some parts of a website... so I tried to do it as with mod_ssl, using the Location directive with the NSSVerifyClient require directive inside, but I never works... I always get this error... Mon Aug 30 14:17:34 2010] [info] Requesting connection re-negotiation [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(404): Performing full renegotiation: complete handshake protocol [Mon Aug 30 14:17:34 2010] [debug] nss_engine_kernel.c(426): Awaiting re-negotiation handshake [Mon Aug 30 14:17:34 2010] [info] Read error -12176 [Mon Aug 30 14:17:34 2010] [error] Re-negotiation handshake failed: Not accepted by client!? [Mon Aug 30 14:17:34 2010] [debug] mod_deflate.c(615): [client 192.168.125.53] Zlib: Compressed 283 to 216 : URL /files, referer: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext" href="https://amsterdam/" target="_blank">https://amsterdam/</a> [Mon Aug 30 14:17:34 2010] [info] (70014)End of file found: SSL input filter read failed. [Mon Aug 30 14:17:34 2010] [info] Connection to child 69 closed (server amsterdam:443, client 192.168.125.53) After this, I checked the documentation and it says I can work per-server or per-directory context... So I tried to do it per-server and It works perfectly.. but, as I told you, this is not the solution I'm looking for.. so I tried to configure it per-directory... but it doesn't work neither... Here I attach my per-directory configuration... Is just a test but this is more or less how it should look at the end: <VirtualHost *:443> ServerName amsterdam LogLevel debug ErrorLog /var/log/apache2/testmodnss/error.log CustomLog /var/log/apache2/testmodnss/access.log combined DocumentRoot /var/www/testmodnss # ssl NSSEngine on RewriteEngine on NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,+rsa_des_56_sha,+rsa_des_sha,+rsa_null_md5,+rsa_null_sha,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_rc4_40_md5,+rsa_rc4_56_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+fips_des_sha,+fips_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha NSSProtocol All ## Certificate database. It contains both public and private key of the ssl server. It also contains the CA certificate of the allowed client certificates NSSCertificateDatabase /etc/apache2/certs/nss/ NSSNickName Server-Cert # ssl client <Directive "/var/www/testmodnss/files/"> AllowOverride all NSSVerifyClient require NSSOptions +ExportCertData NSSOptions +StdEnvVars </Location> </VirtualHost> NSSPassPhraseHelper /usr/sbin/nss_pcache Could you please help me? Thank you very much <pre class="ecxmoz-signature">-- Un saludo, Tomás Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2º B Polígono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext" href="http://www.indenova.com" target="_blank">http://www.indenova.com</a> Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php" target="_blank">http://www.indenova.com/eSignaViewer.php</a> </pre> _______________________________________________ Mod_nss-list mailing list <a class="moz-txt-link-abbreviated" href="mailto:Mod_nss-list@redhat.com">Mod_nss-list@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/mod_nss-list">https://www.redhat.com/mailman/listinfo/mod_nss-list</a> </blockquote> <pre class="moz-signature" cols="72">-- Un saludo, Tomás Tormo Franco Area de sistemas INDENOVA S.L. C/ Dels Traginers 14, 2º B Polígono Vara de Quart 46014 Valencia Tel. (34) 96 381 99 47 Fax. (34) 96 381 99 48 <a class="moz-txt-link-abbreviated" href="mailto:ttormo@indenova.com">ttormo@indenova.com</a> <a class="moz-txt-link-freetext" href="http://www.indenova.com">http://www.indenova.com</a> Descárguese gratuitamente el software eSigna Viewer para visualizar documentos firmados electrónicamente: <a class="moz-txt-link-freetext" href="http://www.indenova.com/eSignaViewer.php">http://www.indenova.com/eSignaViewer.php</a> </pre> </body> </html>