Hello list-members,

I'm trying to diagnose why client certificate authentication starts to fail after having run for some amount of time on a RHEL server running httpd 2.2.3-45.el5. When it fails, restarting the daemon can resolve it but I've been told that sometimes it takes several restarts.

The SSL configuration is at the bottom of this email (disclaimer: I didn't write the configs). A couple things stand out to me as not the best way to do things. But I don't think these are a factor for the client cert auth failure.

1) Turning on SSLInsecureRenegotiation seems like a poor choice.
2) The location directive where the client certificate is defined should probably be within the vhost definition.

Additionally there is another SSL vhost defined on a different port as <VirtualHost _default_:9882>.

Any suggestions?

Thanks.
Erik

SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/etc/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/etc/httpd/logs/ssl_mutex"

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName *.example.com:443
    ServerAdmin admin@xxxxxxxxxxx
    ErrorLog "/etc/httpd/logs/ssl_error_log"
    TransferLog "/etc/httpd/logs/ssl_access_log"
    Include conf.d/0_rewrite.conf

    SSLEngine on
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile "/etc/httpd/ssl/wildcard.example.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/wildcard.example.key"
    SSLCertificateChainFile "/etc/httpd/ssl/wildcard.example.int.crt"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/etc/httpd/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    CustomLog logs/ssl_reference_log \
        "%h %t \"%{Host}i\" \"%r\" %>s %b"

    SSLOptions +StrictRequire +OptRenegotiate

    ProxyPass /services http://localhost:9883/services
    ProxyPassReverse /services http://localhost:9883/services

    <Location /services/>
        AuthType Basic
        AuthName "URL Restricted to valid Mule Web Services Users!"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/mule_access_passwords_file
        Require user clm
        #ProxyPass http://localhost:9883/services/
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
    </Location>
</VirtualHost>

SSLInsecureRenegotiation on

<Location /sso/>
    SSLCACertificateFile /etc/httpd/ssl/clientCA.crt
    SSLRequire %{SSL_CLIENT_S_DN_CN} in {"XXXXXXXXXXXXXXXXXXXX"}
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
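
A small check for the two configuration points raised in the message, as an added example that is not part of the original post: it scans an httpd config for `SSLInsecureRenegotiation on` and for `SSLVerifyClient` set inside a per-path block that no `<VirtualHost>` encloses. The sample config is constructed to mirror the layout of the posted one, and the helper name `audit` is hypothetical.

```python
import re

# Constructed sample mirroring the layout of the posted config: the
# client-certificate <Location> and SSLInsecureRenegotiation sit outside
# the <VirtualHost> block.
SAMPLE = """\
<VirtualHost _default_:443>
SSLEngine on
<Location /services/>
AuthType Basic
</Location>
</VirtualHost>
SSLInsecureRenegotiation on
<Location /sso/>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
"""

OPEN = re.compile(r"<\s*(\w+)\b[^>]*>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")
PER_PATH = {"location", "locationmatch", "directory", "directorymatch",
            "files", "filesmatch"}

def audit(conf):
    """Return (line_number, message) findings; `audit` is a hypothetical helper."""
    findings, stack = [], []  # stack holds the currently open container names
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.fullmatch(line)
        if closing:
            # Pop back to the matching opener, tolerating sloppy nesting.
            while stack and stack.pop() != closing.group(1).lower():
                pass
            continue
        opening = OPEN.fullmatch(line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        arg = parts[1].strip().lower() if len(parts) > 1 else ""
        if name == "sslinsecurerenegotiation" and arg == "on":
            findings.append((no, "SSLInsecureRenegotiation is on"))
        if (name == "sslverifyclient" and arg != "none"
                and "virtualhost" not in stack and PER_PATH & set(stack)):
            findings.append((no, "SSLVerifyClient in a per-path block outside any <VirtualHost>"))
    return findings
```

Calling `audit(SAMPLE)` reports lines 7 and 9 of the constructed sample; the same `<Location>` nested inside a `<VirtualHost>` produces no finding.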