Hi,

I have spent too long staring at my crypto material and Apache logs. I'm stuck. I have checked, and also had a colleague check, my crypto trust chain, certificates and keys more than once.

I have a reverse proxy setup: client --> firewall --> reverse proxy --> Tomcat. The firewall presents all requests to the reverse proxy as coming from the same address, but on different ports.

The server appears to be rejecting client negotiations after the discovery of our self-signed root certificate. We have two certificates in the chain, a RootCA and a SubCA. When I emulate the connection using openssl as a server on a different port it succeeds.

CLIENT FAILURE

from client
++++++++++++++++++++++++
$ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt -cert test.pem -verify 3 -ssl3
verify depth is 3
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
++++++++++++++++++++++++

Server says
++++++++++++++++++++++++
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
[Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
[Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in handshake (server lltpdxc001:443)
[Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to child 6 with abortive shutdown (server lltpdxc001:443)
+++++++++++++++++++++++++

relevant server config from server-info
+++++++++++++++++++++++++
In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
1: <VirtualHost _default_:443>
2: SSLEngine on
3: SSLProxyEngine on

In file: /data/httpd/conf/extra/httpd-ssl.conf
1: SSLProtocol -all +SSLv3 +TLSv1
2: SSLProxyCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
3: SSLCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
4: SSLCertificateFile /data/httpd/conf/server.crt
5: SSLCertificateKeyFile /data/httpd/conf/server.key
6: SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
7: SSLCACertificatePath /data/httpd/conf/ssl.crt/
10: SSLProxyVerify require
11: SSLVerifyClient require
12: SSLVerifyDepth 2
13: SSLProxyVerifyDepth 2
14: SSLCADNRequestPath /data/httpd/conf/ssl.crt/

In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
8: <Location /EMDBEndpointWSInterface/>
9: SSLRequireSSL
: </Location>
: </VirtualHost>
+++++++++++++++++++++++++++++++++

EMULATED CLIENT SUCCESS

from the server
+++++++++++++++++++++++++++++++++++++++++
[root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020 -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
verify depth is 2, must return a certificate
Using default temp DH parameters
ACCEPT
+++++++++++++++++++++++++++++++++++++++++

from the client
+++++++++++++++++++++++++++++++++++++++++
$ openssl s_client -connect lltpdxc001:40020 -CApath test-ssl.crt -cert /home/carrollpg/test.pem
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
---
Certificate chain
 0 s:/CN=lltpdxc001
   i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
 1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
   i:/CN=TEST-Msad-Root-CA
 2 s:/CN=TEST-Msad-Root-CA
   i:/CN=TEST-Msad-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
.............
9jo=
-----END CERTIFICATE-----
subject=/CN=lltpdxc001
issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
---
No client certificate CA names sent
---
SSL handshake has read 4429 bytes and written 4449 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
    Session-ID-ctx:
    Master-Key: DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
    Key-Arg   : None
    Start Time: 1313313462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
++++++++++++++++++++++++++++++++++++++++++

Help!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
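The mod_ssl debug lines in the post carry enough state to separate the two questions that usually get tangled in this kind of client-certificate failure: whether the chain is deeper than SSLVerifyDepth allows, and whether the verifier reached a self-signed root it does not trust. The script below is an added example, not code from the post or from the Apache project: it parses the "Certificate Verification: depth: ..." and "Error (code): ..." lines the way mod_ssl prints them and correlates them with a configured SSLVerifyDepth. The sample log is the post's own three verification lines with the leading "[" restored; the function names (`parse_verification`, `analyze`), the `verify_depth` parameter and the wording of the findings are mine. The two OpenSSL result codes it knows (19, self-signed certificate in chain; 22, chain too long) are the ones documented in openssl verify(1).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three mod_ssl lines from the post that carry
# verification state (the remaining lines in the post are handshake tracing).
SAMPLE_LOG = """\
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
[Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
[Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# mod_ssl logs one "depth: N, subject: S, issuer: I" line per chain element it
# examines and an "Error (code): text" line when OpenSSL rejects one of them.
DEPTH_RE = re.compile(
    r"Certificate Verification: depth: (?P<depth>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+?)\s*$"
)
ERROR_RE = re.compile(r"Certificate Verification: Error \((?P<code>\d+)\): (?P<text>.+?)\s*$")

# OpenSSL X509 verify result codes relevant here (see openssl verify(1)).
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19  # chain built, but its root is not in the local trust store
X509_V_ERR_CERT_CHAIN_TOO_LONG = 22        # chain deeper than the configured verify depth


def parse_verification(log_text: str) -> Tuple[List[Tuple[int, str, str]], Optional[int], str]:
    """Return (chain entries as (depth, subject, issuer), first error code or None, error text)."""
    chain: List[Tuple[int, str, str]] = []
    code: Optional[int] = None
    text = ""
    for line in log_text.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            chain.append((int(m["depth"]), m["subject"], m["issuer"]))
            continue
        m = ERROR_RE.search(line)
        if m and code is None:  # keep the first error; anything after it is fallout
            code, text = int(m["code"]), m["text"]
    return chain, code, text


def analyze(log_text: str, verify_depth: int) -> Dict[str, object]:
    """Correlate the logged chain walk with the SSLVerifyDepth the server is configured with.

    verify_depth follows the mod_ssl definition: the maximum number of CA
    certificates that may be followed above the client certificate, so a chain
    whose deepest logged element exceeds it is rejected as too long.
    """
    chain, code, text = parse_verification(log_text)
    max_depth = max((d for d, _, _ in chain), default=-1)
    self_signed = [d for d, s, i in chain if s == i]  # subject == issuer marks a root
    findings: List[str] = []

    if max_depth > verify_depth:
        findings.append(
            f"chain reaches depth {max_depth} but SSLVerifyDepth is {verify_depth}; "
            f"OpenSSL reports this as error {X509_V_ERR_CERT_CHAIN_TOO_LONG} (chain too long)"
        )
    if code == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        where = f"depth {self_signed[-1]}" if self_signed else "an unknown depth"
        findings.append(
            f"error 19 at {where}: the self-signed root sent by the client was walked but is "
            "not present in the server's trust store (SSLCACertificatePath / SSLCACertificateFile); "
            "a CApath directory needs the root under its hashed filename, and raising the depth does not help"
        )
    elif code is not None:
        findings.append(f"verification error {code}: {text}")

    return {
        "chain": chain,
        "max_depth": max_depth,
        "self_signed_depths": self_signed,
        "error_code": code,
        "error_text": text,
        "exceeds_verify_depth": max_depth > verify_depth,
        "findings": findings,
    }


if __name__ == "__main__":
    # Run against the post's log with the SSLVerifyDepth 2 from its httpd-ssl.conf.
    report = analyze(SAMPLE_LOG, verify_depth=2)
    for finding in report["findings"]:
        print("-", finding)
```

Run with the post's configured depth of 2, the report flags the root at depth 2 as walked but untrusted and does not flag the depth, which matches the emulated `s_server -Verify 2` run on the same chain succeeding; run with a depth of 1 it additionally flags the chain as too long, which is the separate failure mode a lowered SSLVerifyDepth would produce. Feeding it a live error_log at LogLevel debug requires nothing more than reading the file into `analyze`.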