Re: SSLVerifyClient within <Location>

On Wed, Jun 29, 2011 at 9:45 AM, Jose Jerez
<jose.jerez.ext@xxxxxxxxxxxxxxxxxxx> wrote:
> Hello folks,
>
> I'm having trouble with the apache configuration in one of my virtual hosts
> and I'm starting to wonder if what I'm trying is a supported configuration.
>
> I'm setting up an SSL vhost with a <Location> directive, so that when a
> request is made for that location the client certificate is requested, or is
> supposed to because what really happens is that an error is shown in the
> browser (ssl_error_handshake_failure_alert in firefox) and in the apache logs
> (Re-negotiation request failed).
>
> The environment where it is installed is: Linux SLES10, apache 2.2.3 and
> SLES11, apache 2.2.10
>
> The vhost configuration is:
>
> ###################################################################
> <IfDefine SSL>
> <IfDefine !NOSSL>
>
> <VirtualHost 10.241.128.121:443>
>
>        DocumentRoot "/srv/www/vhosts/portaladriano"
>        ServerName portaladriano-pre.justicia.junta-andalucia.es:443
>        ServerAdmin gtsl.ius@xxxxxxxxxxxxxxxxxxx
>        ErrorLog /var/log/apache2/ws121-error_log
>        TransferLog /var/log/apache2/ws121-access_log
>
>        SSLEngine on
>
>        SSLProtocol all -SSLv2
>
>        SSLCipherSuite HIGH:MEDIUM
>
>        SSLCertificateFile /etc/apache2/ssl.crt/padrianop.crt
>        SSLCertificateKeyFile /etc/apache2/ssl.key/padrianop.key
>        SSLCACertificateFile /etc/apache2/ssl.crt/fnmt.crt
>
>        <Location "/Fispenco/">
>            SSLOptions +stdEnvVars +ExportCertData
>            SSLVerifyClient require
>            SSLVerifyDepth  2
>        </Location>
>
>        <Directory "/srv/www/vhosts/portaladriano">
>                Options FollowSymLinks
>                AllowOverride None
>                Order allow,deny
>                Allow from all
>        </Directory>
> </VirtualHost>
> </IfDefine>
> </IfDefine>
> ##################################################################
>
> The reason to use a <Location> instead of a <Directory> is because, in the
> production servers, the URL within the directive is jk mounted from a tomcat
> server.
>
> Accessing the parts outside the <Location> works without any problem, the ssl
> connection is made and the requested content is shown.
>
> For example accessing the URL
>
>    https://10.241.128.121/DilPenHU.html
>
> shows the html page perfectly, but accessing
>
>    https://10.241.128.121/Fispenco/fispenco.htm
>
> returns the error mentioned before.
>
> Funny thing is that this same configuration is working in one of my test
> servers (SLES10, apache 2.2.3), the first one that was set up. And on top of
> that a few of my colleagues, not many, get the client certificate request when
> accessing the URL in the <Location> directive, in the servers where the
> vhost configuration is "mostly" not working.
>
> Also tried to access the URL with curl and this is what I get:
>
> #######################################################################
> # curl -v --cacert ca.cert https://portaladriano-pre.justicia.junta-andalucia.es/Fispenco/fispenco.htm
> * About to connect() to portaladriano-pre.justicia.junta-andalucia.es port 443 (#0)
> *   Trying 10.241.128.121... connected
> * Connected to portaladriano-pre.justicia.junta-andalucia.es (10.241.128.121) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: ca.cert
>  CApath: /etc/ssl/certs/
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server key exchange (12):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using DHE-RSA-AES256-SHA
> * Server certificate:
> *        subject: /C=es/O=Junta de Andalucia/OU=ius/CN=portaladriano-pre.justicia.junta-andalucia.es/emailAddress=gtsl.ius@xxxxxxxxxxxxxxxxxxx
> *        start date: 2009-06-23 10:29:23 GMT
> *        expire date: 2024-06-23 10:29:23 GMT
> *        common name: portaladriano-pre.justicia.junta-andalucia.es (matched)
> *        issuer: /C=es/O=junta-andalucia/OU=ius/CN=AC para la Administracion de Justicia en la Junta de Andalucia
> * SSL certificate verify ok.
>> GET /Fispenco/fispenco.htm HTTP/1.1
>> User-Agent: curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8
>> Host: portaladriano-pre.justicia.junta-andalucia.es
>> Accept: */*
>>
> * SSLv3, TLS alert, Server hello (2):
> * Empty reply from server
> * Connection #0 to host portaladriano-pre.justicia.junta-andalucia.es left intact
> curl: (52) Empty reply from server
> * Closing connection #0
> * SSLv3, TLS alert, Client hello (1):
> #######################################################################
>
> Any clues about what might be happening here?
>
> Thanks.
>

I had similar issues when trying to set up this sort of thing myself.
My solution was to use 'SSLVerifyClient optional', to apply to the
whole vhost, and then put in the appropriate SSLRequire statement
where I wanted the certificates verified.

So in this example, anything not served from '/errors/*' requires a
valid client certificate. If you don't have one, show the appropriate
error page from /errors/.

<VirtualHost *:443>
    ServerName foo
    SSLEngine on
    SSLCertificateFile /etc/ssl/apache.crt
    SSLCertificateKeyFile /etc/ssl/apache.key
    SSLCACertificateFile /etc/ssl/ca.crt
    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>

    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/ca.crl
    SSLUserName SSL_CLIENT_S_DN_Email
</VirtualHost>


Cheers

Tom
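
The difference between the two layouts in this thread is whether mod_ssl can decide about the client certificate during the initial handshake or only after it has read the request and matched the <Location>. In the second case the only way to obtain a certificate is a TLS renegotiation, which is what the browser's handshake failure and the "Re-negotiation request failed" log line reflect. The check below is an added example written for this page, not code from either post or from the httpd project: it is a small purpose-built parser (not httpd's own) that walks a vhost, flags per-directory SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite values that differ from the vhost level (mod_ssl documents that every such per-directory reconfiguration forces a renegotiation), and marks the `SSLVerifyClient optional` plus `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"` pattern as renegotiation-free. The two sample configs are constructed reductions of the ones quoted above.

```python
"""Lint an Apache httpd vhost for per-directory mod_ssl settings that force a
TLS renegotiation.  Added example for this thread, not code from the posts or
from the httpd project; the parser is a minimal one, not httpd's own."""
import re
from dataclasses import dataclass, field

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

# Per-directory containers in which mod_ssl directives can be reconfigured.
CONTAINERS = {"location", "locationmatch", "directory", "directorymatch",
              "files", "filesmatch"}


@dataclass
class Section:
    kind: str                                        # e.g. "Location"
    arg: str                                         # e.g. '"/Fispenco/"'
    directives: list = field(default_factory=list)   # (name, value) in order
    children: list = field(default_factory=list)


def parse(text):
    """Build a Section tree from httpd-style config text; raise on unbalanced tags."""
    root = Section("ROOT", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_RE.match(line)
        if m:
            if len(stack) == 1 or stack[-1].kind.lower() != m.group(1).lower():
                raise ValueError(f"unbalanced closing tag: {line}")
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            sec = Section(m.group(1), m.group(2).strip())
            stack[-1].children.append(sec)
            stack.append(sec)
            continue
        parts = line.split(None, 1)
        stack[-1].directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError(f"unclosed section: <{stack[-1].kind}>")
    return root


def walk(section):
    """Yield every descendant section, depth first."""
    for child in section.children:
        yield child
        yield from walk(child)


def directive(section, name):
    """Last value of a directive set directly in this section, or None."""
    value = None
    for n, v in section.directives:
        if n.lower() == name.lower():
            value = v
    return value


def lint_vhost(vhost):
    """Return (level, where, message) findings for one <VirtualHost>."""
    findings = []
    # Effective vhost-level values; "none" and "1" are mod_ssl's documented defaults.
    top = {
        "SSLVerifyClient": (directive(vhost, "SSLVerifyClient") or "none").lower(),
        "SSLVerifyDepth": directive(vhost, "SSLVerifyDepth") or "1",
        "SSLCipherSuite": directive(vhost, "SSLCipherSuite"),
    }
    for sec in walk(vhost):
        if sec.kind.lower() not in CONTAINERS:
            continue
        where = f"<{sec.kind} {sec.arg}>"
        for name, top_value in top.items():
            local = directive(sec, name)
            if local is None or top_value is None:
                continue
            if name == "SSLVerifyClient":
                local = local.lower()
            if local != top_value:
                findings.append(("warn", where,
                    f"{name} {local} differs from the vhost-level value ({top_value}); "
                    "mod_ssl can only apply it by renegotiating the TLS session after "
                    "the request has been read"))
        sslreq = directive(sec, "SSLRequire") or ""
        if (top["SSLVerifyClient"].startswith("optional")
                and "SSL_CLIENT_VERIFY" in sslreq and "SUCCESS" in sslreq):
            findings.append(("ok", where,
                "client certificate enforced with SSLRequire on the result of the "
                "initial handshake; no renegotiation is needed"))
    return findings


def lint(text):
    """Lint every <VirtualHost> found in the config text."""
    return [f for vh in walk(parse(text)) if vh.kind.lower() == "virtualhost"
            for f in lint_vhost(vh)]


# Constructed sample: the original poster's layout, reduced to the mod_ssl
# directives that matter (no vhost-level SSLVerifyClient, require per location).
ORIGINAL_VHOST = """
<VirtualHost 10.241.128.121:443>
    SSLEngine on
    SSLCACertificateFile /etc/apache2/ssl.crt/fnmt.crt
    <Location "/Fispenco/">
        SSLOptions +stdEnvVars +ExportCertData
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>
"""

# Constructed sample: Tom's layout, optional at vhost level plus SSLRequire.
OPTIONAL_PLUS_SSLREQUIRE = """
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificateFile /etc/ssl/ca.crt
    SSLVerifyClient optional
    ErrorDocument 403 /errors/certneeded.html
    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>
    SSLVerifyDepth 1
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_VHOST),
                       ("optional + SSLRequire", OPTIONAL_PLUS_SSLREQUIRE)):
        print(f"== {label}")
        for level, where, msg in lint(cfg):
            print(f"  [{level}] {where}: {msg}")
```

Running it reports two warnings for the original layout (the per-location SSLVerifyClient and the SSLVerifyDepth change both differ from the vhost level) and a single "ok" for the optional-plus-SSLRequire layout. The SSLRequire test is also what keeps the second layout safe: with `optional`, SSL_CLIENT_VERIFY is "SUCCESS" only when the presented certificate chains to the configured CA, so a request without a certificate, or with one that does not verify, ends in the 403 that the ErrorDocument turns into the explanatory page.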

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
