Re: Mutual Authentication issue in 2.2.17 openssl 1.0.0d

On Thu, Aug 18, 2011 at 5:44 PM, paddy carroll <paddy.carroll@xxxxxxx> wrote:
I don't accept it is an openssl issue.
I have already verified that the client connection from openssl to the apache server is reporting the correct certificates, and likewise that the server is returning a correct unexpired certificate and CA chain to the client.
It is not an openssl issue, as openssl works when used at both ends; it is an apache server issue that causes it to reject the client connection with:
SSLv3 
server:
client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
client:
SSL 3
11820:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
11820:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
 
TLS1
9124:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48
9124:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:


I've had some issues running Apache with SSLProxyEngine as well and was made aware of a bug in mod_ssl where it fails to use the correct (or any) client certificate for communicating with the server you're proxying to.

Take a look at this bugzilla bug report and see if it fits your problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

I was using Apache 2.2.17 at the time as a rev. proxy communicating with a client certificate to the server at the other end. I had to make a few modifications to the mod_ssl code, but after recompilation it worked as intended (at least from my point of view).
 
On 18 Aug 2011, at 12:04, J-H Johansen wrote:

On Sun, Aug 14, 2011 at 11:42 AM, paddy carroll <paddy.carroll@xxxxxxx> wrote:
Hi,

I have spent too long staring at my crypto material and apache logs. I'm stuck.
I have checked and also had a colleague check my crypto trust chain, certificates and keys more than once.
I have a reverse proxy setup:

client --> firewall --> reverse proxy --> tomcat

The firewall presents all requests to the reverse proxy as coming from the same address, but on different ports.
The server appears to be rejecting client negotiations after the discovery of our self signed root certificate; we have two certificates in the chain, a RootCA and a SubCA.
When I emulate the connection using openssl as a server on a different port, it succeeds.

CLIENT FAILURE

from client
++++++++++++++++++++++++
$ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt  -cert test.pem  -verify 3  -ssl3
verify depth is 3
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
++++++++++++++++++++++++
Server says
++++++++++++++++++++++++
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in handshake (server lltpdxc001:443)
Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to child 6 with abortive shutdown (server lltpdxc001:443)
+++++++++++++++++++++++++
relevant server config from server-info
+++++++++++++++++++++++++
   In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
      1: <VirtualHost _default_:443>
      2:   SSLEngine on
      3:   SSLProxyEngine on
   In file: /data/httpd/conf/extra/httpd-ssl.conf
      1:   SSLProtocol -all +SSLv3 +TLSv1
      2:   SSLProxyCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
      3:   SSLCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
      4:   SSLCertificateFile /data/httpd/conf/server.crt
      5:   SSLCertificateKeyFile /data/httpd/conf/server.key
      6:   SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
      7:   SSLCACertificatePath /data/httpd/conf/ssl.crt/
     10:   SSLProxyVerify require
     11:   SSLVerifyClient require
     12:   SSLVerifyDepth 2
     13:   SSLProxyVerifyDepth 2
     14:   SSLCADNRequestPath /data/httpd/conf/ssl.crt/
   In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
      8:   <Location /EMDBEndpointWSInterface/>
      9:     SSLRequireSSL
       :   </Location>
       : </VirtualHost>
+++++++++++++++++++++++++++++++++


Add the -showcerts parameter to the openssl command and verify each and every certificate you're using.
If you still can't find the problem try asking the same question on the openssl mailing list (http://www.openssl.org/support/community.html).
 
EMULATED CLIENT SUCCESS

+++++++++++++++++++++++++++++++++++++++++
from the server
+++++++++++++++++++++++++++++++++++++++++
[root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020 -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
verify depth is 2, must return a certificate
Using default temp DH parameters
ACCEPT
+++++++++++++++++++++++++++++++++++++++++
from the client
+++++++++++++++++++++++++++++++++++++++++

$ openssl s_client -connect lltpdxc001:40020  -CApath test-ssl.crt  -cert /home/carrollpg/test.pem
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
---
Certificate chain
 0 s:/CN=lltpdxc001
  i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
 1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
  i:/CN=TEST-Msad-Root-CA
 2 s:/CN=TEST-Msad-Root-CA
  i:/CN=TEST-Msad-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
.............
9jo=
-----END CERTIFICATE-----
subject=/CN=lltpdxc001
issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
---
No client certificate CA names sent
---
SSL handshake has read 4429 bytes and written 4449 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
   Session-ID: BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
   Session-ID-ctx:
   Master-Key: DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
   Key-Arg   : None
   Start Time: 1313313462
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
++++++++++++++++++++++++++++++++++++++++++

Help!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and
those who don't...

paddy carroll






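Added example, not from this thread and not part of Apache or OpenSSL: a small Python triage script that parses mod_ssl "Certificate Verification" debug/error lines like the ones quoted above, plus the "SSL alert number" lines that openssl s_client prints, and maps them to OpenSSL's X509 verification error names and TLS alert names. The sample log lines are constructed after the ones in the thread (the second client, 10.0.0.7, is invented to show a chain that verifies), and the remediation hints are my own. One thing the mapping makes visible: error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means the server saw the peer's self-signed root at the top of the chain but did not find that root in its own trust store, and the same server-side failure reaches the client as alert 48 (unknown_ca) under TLS but as alert 42 (bad_certificate) under SSLv3, which has no unknown_ca alert. That is exactly the pair of client traces quoted earlier in the thread.

```python
"""Triage mod_ssl client-certificate verification failures and match them to
the alert numbers openssl s_client reports (added example, not project code)."""
import re

# Constructed sample lines, modelled on the mod_ssl debug/error output in the
# thread. The regexes use search(), so a lost leading "[" timestamp bracket
# (common when logs are pasted) does not matter.
SAMPLE_SERVER_LOG = """\
[Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
[Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
[Sun Aug 14 10:21:02 2011] [debug] ssl_engine_kernel.c(1321): [client 10.0.0.7] Certificate Verification: depth: 2, subject: /CN=Other-Root, issuer: /CN=Other-Root
[Sun Aug 14 10:21:02 2011] [debug] ssl_engine_kernel.c(1321): [client 10.0.0.7] Certificate Verification: depth: 1, subject: /CN=Other-Sub, issuer: /CN=Other-Root
[Sun Aug 14 10:21:02 2011] [debug] ssl_engine_kernel.c(1321): [client 10.0.0.7] Certificate Verification: depth: 0, subject: /CN=good-client, issuer: /CN=Other-Sub
"""

# Constructed client-side output, modelled on the s_client errors in the thread.
SAMPLE_CLIENT_OUTPUT = """\
11820:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
11820:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
9124:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48
"""

DEPTH_RE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] Certificate Verification: depth: (?P<depth>\d+), "
    r"subject: (?P<subject>.+?), issuer: (?P<issuer>.+?)\s*$")
ERROR_RE = re.compile(
    r"\[client (?P<ip>[^\]]+)\] Certificate Verification: Error \((?P<code>\d+)\): (?P<msg>.+?)\s*$")
ALERT_RE = re.compile(
    r"(?P<proto>sslv3|tlsv1) alert (?P<name>[a-z ]+?):.*SSL alert number (?P<num>\d+)")

# OpenSSL X509_V_ERR_* codes that show up in mod_ssl "Error (N)" lines, with a
# defender's hint (hints are mine, not mod_ssl text).
X509_ERRORS = {
    10: ("X509_V_ERR_CERT_HAS_EXPIRED", "peer certificate expired: check clocks, renew the certificate"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
         "the self-signed root the peer sent is not in the server trust store "
         "(SSLCACertificateFile / SSLCACertificatePath); with a path, the directory "
         "needs hashed links (c_rehash, or compare 'openssl x509 -noout -hash' output)"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", "issuer of a chain certificate not in the trust store"),
    21: ("X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE", "peer sent only its leaf and its issuer is unknown locally"),
    22: ("X509_V_ERR_CERT_CHAIN_TOO_LONG", "chain deeper than SSLVerifyDepth allows"),
}

# TLS alert descriptions relevant to certificate failures. SSLv3 has no
# unknown_ca, so OpenSSL downgrades it to bad_certificate (42) on SSLv3.
TLS_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}


def triage(server_log):
    """Return {client_ip: {chain, max_depth, top_self_signed, error}}."""
    clients = {}
    for line in server_log.splitlines():
        m = DEPTH_RE.search(line)
        if m:
            c = clients.setdefault(m["ip"], {"chain": [], "error": None})
            c["chain"].append((int(m["depth"]), m["subject"], m["issuer"]))
            continue
        m = ERROR_RE.search(line)
        if m:
            c = clients.setdefault(m["ip"], {"chain": [], "error": None})
            code = int(m["code"])
            name, hint = X509_ERRORS.get(code, ("UNKNOWN_X509_ERROR", m["msg"]))
            c["error"] = (code, name, hint)
    for c in clients.values():
        # Highest depth seen is the top of the chain the peer presented; if its
        # subject equals its issuer, the peer sent a self-signed root.
        top = max(c["chain"], default=None, key=lambda t: t[0])
        c["max_depth"] = top[0] if top else None
        c["top_self_signed"] = bool(top and top[1] == top[2])
    return clients


def parse_client_alerts(client_output):
    """Return [(protocol, alert_number, alert_name)] from s_client error lines."""
    alerts = []
    for line in client_output.splitlines():
        m = ALERT_RE.search(line)
        if m:
            num = int(m["num"])
            alerts.append((m["proto"], num, TLS_ALERTS.get(num, m["name"].replace(" ", "_"))))
    return alerts


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_SERVER_LOG).items():
        status = "OK" if info["error"] is None else "%d %s: %s" % info["error"]
        print(f"{ip}: depth {info['max_depth']}, self-signed top={info['top_self_signed']}, {status}")
    for proto, num, name in parse_client_alerts(SAMPLE_CLIENT_OUTPUT):
        print(f"client saw {proto} alert {num} ({name})")
```

Run it against a real error_log with LogLevel debug and the s_client transcript from the failing client; the per-client summary tells you whether the server reached the root at all (max_depth), whether the peer is sending its own root (top_self_signed), and which verification step failed, which is the question to settle before touching SSLVerifyDepth or the cipher lists.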
