We are using the Check_http for 1.2.9-4 and Netsaint 7, both on Linux 6.2 2.14.
We are upgrading our Apache and Openssl to 1.3.26 and 0.9.6e, but are having major problems with the Check_http since implementation.
The regular check returns normal:
[root@qalinux01 plugins]# ./check_http -H $HOSTNAME$ -u /url?status -v
Page is 196 characters
STATUS: HTTP/1.1 200
**** HEADER ****
Date: Tue, 30 Jul 2002 22:32:06 GMT
Server: Apache/1.3.26 (Unix) mod_jk/1.2.0 mod_ssl/2.8.9 OpenSSL/0.9.6e
Connection: close
Content-Type: text/plain
**** CONTENT ****
ControllerServlet NORMAL
HTTP ok: HTTP/1.1 200 - 0 second response time
The ssl check fails:
[root@qalinux01 plugins]# ./check_http -H $HOSTNAME$ -S -u /url?status -v
18229:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:427:
From the Apache logs:
[Tue Jul 30 22:30:55 2002] [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
[Tue Jul 30 22:31:59 2002] [error] mod_ssl: SSL handshake failed (server $HOSTNAME$:443, client 10.102.15.52) (OpenSSL library error follows)
[Tue Jul 30 22:31:59 2002] [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
The crucial part in the Http.conf is the SSLVerifyClient:
SSLOptions +ExportCertData
SSLVerifyClient optional
SSLVerifyDepth 2
If the SSLVerifyClient is set to none it will work. But obviously we need this to work with the optional requirement.
Looks like check_http is unable to handle the request for a client key in any way. But it used to under Apache 1.3.26 with Openssl 0.9.6. Any ideas?
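
Added example (not part of the original post, and not check_http or mod_ssl code): a Python triage helper that extracts the OpenSSL error strings from client output and Apache error-log lines like those above, splits each packed code into library, function and reason numbers using the pre-3.0 OpenSSL layout, and counts them per side. The function names are hypothetical and the sample is the post's lines rejoined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the error lines quoted in the post, one record per line.
SAMPLE = """\
18229:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:427:
[Tue Jul 30 22:30:55 2002] [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
[Tue Jul 30 22:31:59 2002] [error] mod_ssl: SSL handshake failed (server $HOSTNAME$:443, client 10.102.15.52) (OpenSSL library error follows)
[Tue Jul 30 22:31:59 2002] [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
"""

# error:<8 hex digits>:<library>:<function>:<reason>[:<file>:<line>]
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*)"
    r":(?P<reason>[^:\n]*)(?::(?P<file>[^:\s]+):(?P<line>\d+))?")
STAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\]")  # Apache 1.3 error_log prefix


def decode(code_hex):
    """Unpack a pre-3.0 OpenSSL error code: lib is bits 24-31, func 12-23, reason 0-11."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def parse(text):
    """Return one dict per OpenSSL error string found in the text."""
    records = []
    for raw in text.splitlines():
        m = ERR_RE.search(raw)
        if not m:
            continue  # e.g. the mod_ssl summary line, which carries no error code
        stamp = STAMP_RE.match(raw)
        lib_no, func_no, reason_no = decode(m.group("code"))
        records.append({
            # Lines with an Apache timestamp are server side; the rest are client output.
            "source": "server" if stamp else "client",
            "ts": stamp.group("ts") if stamp else None,
            "lib_no": lib_no, "func_no": func_no, "reason_no": reason_no,
            "func": m.group("func"), "reason": m.group("reason"),
            "file": m.group("file"),
        })
    return records


def summarize(records):
    """Count occurrences of each (source, function, reason) triple."""
    return Counter((r["source"], r["func"], r["reason"]) for r in records)


if __name__ == "__main__":
    for key, n in summarize(parse(SAMPLE)).items():
        print(n, key)
```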