> -----Original Message-----
> From: McGregor, Donald (Don) (CIV)
> Sent: Friday, May 30, 2014 0:01
>
> I'm attempting to get CAC card authentication working with
> Apache httpd-2.2.3-85 on Centos 5. CAC cards are the DoD
> variant of smart cards.

Here is what I tell my employees and contractors to do first. Get it working with soft certs. You will need a CA cert, a server cert and a client cert. Then you will have test cases (and errors) you can share.

> The SSL connection is failing (Chrome
> error: ERR_SSL_PROTOCOL_ERROR) and I'm having problems
> diagnosing exactly where the problem is.
>
> The objective is to confirm that the user has in his
> possession a valid CAC card--at this point I don't need to
> extract the contents of the client certificate into
> environment variables and do a SSLFakeBasicAuth. If they have
> a valid CAC card, they should be able to reach the page.
>
> Subdirectory I want CAC authentication in:
>
> Code:
> <Directory /var/www/html/cac>
>     SSLVerifyDepth 10
>     SSLVerifyClient require
> </Directory>
>
> SSL settings:
>
> Code:
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder On
> SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
> SSLCertificateFile /etc/httpd/keys/myCertificate.crt
> SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key
> SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem
> SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem
> SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem

And if you are working on an accredited DoD system, you will need to run in FIPS 140 mode, which is not supported by mod_ssl; you will have to use mod_nss.

> Non-CAC https works. Client certificate authentication for
> CAC cards fails.
>
> I've retrieved the CRL list. allDoDCerts.pem is the PEM
> encoded, concatenated, root and intermediate certificates for
> the DoD CAs. I'm testing the client side on Windows 8.1. In
> IE 11 I'm presented with a list of candidate certificates
> (showing that the OS and browser are contacting the smart
> card, and that the SSLCACertificateFile is doing its job of
> providing the client with a list of candidate CAs) and enter
> a PIN to access the card, suggesting the certificate is being
> retrieved from the card. The SSL connection then fails to be
> established.
>
> I can set up my own CA, add the CA's cert to the
> SSLCACertificateFile and SSLCAChainFile, create a certificate
> from that CA, and that works after I add a PKCS#12 file to
> Firefox.

Debug this from curl, it will make your life easier. Ironically, IE does a nice job of presenting the server status too.

Change the require to optional, and verify the server is sending a "proper" chain.

> What can I do to troubleshoot exactly where this problem
> resides? Ideally this would be some magic that allowed me to
> see the client or the server failing to authenticate a
> certificate, so I could see exactly where the problem is.

Sorry for the half answers, it's late.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
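The two pieces of advice in the reply above (first get client-cert auth working with soft certs, then probe the server from curl/openssl with SSLVerifyClient set to optional and check the CA list and chain it sends) can be turned into a small script. The following is an added example written for this page, not code from either poster: it builds a throwaway CA, server cert, client cert and a PKCS#12 for the browser with openssl, checks that each leaf verifies against the bundle you would hand to SSLCACertificateFile, and then gives two probe helpers for a live host. The host name, port and the /cac/ path are placeholders; openssl and curl are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl and curl on PATH.
set -eu

# make_test_pki DIR
# Create a soft-cert test PKI under DIR: CA, server cert, client cert,
# and a client.p12 (password "test") that Firefox/IE will import.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. Self-signed root CA (goes into SSLCACertificateFile on the server)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server cert signed by the CA (SSLCertificateFile / KeyFile)
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client (soft) cert signed by the same CA, plus PKCS#12 for the browser
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test User" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 -sha256 \
        -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:test -inkey "$dir/client.key" \
        -in "$dir/client.crt" -certfile "$dir/ca.pem" \
        -out "$dir/client.p12" 2>/dev/null
}

# count_certs BUNDLE
# Number of PEM certificates concatenated in BUNDLE (a quick sanity check
# that a file like allDoDCerts.pem actually contains roots + intermediates).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# verify_against_bundle BUNDLE CERT
# Succeeds only if CERT chains to a CA in BUNDLE. Run this on a CAC
# certificate exported from the card: if it fails here, mod_ssl will
# fail it too, and the problem is the bundle, not the browser.
verify_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# show_ca_list HOST PORT
# Print the CA names the server advertises in its CertificateRequest,
# i.e. what IE/Chrome use to pick a client cert, plus the chain it sends.
show_ca_list() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/Acceptable client certificate CA names/,/^---/p'
}

# curl_with_cert HOST PORT CERT KEY CAFILE
# Fetch /cac/ presenting a soft cert. Prints the HTTP status; with
# SSLVerifyClient optional you get a page (or 403) instead of a TLS
# alert, and curl's stderr names the side that rejected the handshake.
curl_with_cert() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --cacert "$5" --cert "$3" --key "$4" "https://$1:$2/cac/"
}

# Usage (placeholders):
#   make_test_pki ./testpki
#   show_ca_list myhost.example 443
#   curl_with_cert myhost.example 443 testpki/client.crt testpki/client.key testpki/ca.pem
```

Once the soft-cert round trip succeeds, swap in the real bundle and a certificate exported from a CAC: if verify_against_bundle fails offline, the server-side bundle or CRL is the culprit; if it passes but the handshake still fails, compare show_ca_list's output with the issuer of the card's certificate.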