I'm attempting to get smart cards (DoD CAC) working with Apache 2.2 (CentOS 6). It works on some browsers—Chrome, Safari—but not Firefox 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn't work on OS X, either.

The root cause of the problem seems to be the SSL negotiation. The SSLProtocol setting is this:

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1

I started off allowing TLS 1.1 and 1.2, but this seemed to provoke complaints in the protocol negotiation about downgrade attacks. Apparently the clients tried to downgrade to TLS1 and the server thought there was some sort of attack going on and terminated the negotiation.

The above change got through the initial version negotiation, but then ran aground on this, with info-level debugging on:

    [Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes of entropy
    [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)
    [Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
    [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] Connection closed to child 2 with abortive shutdown (server localhost.localdomain:443)

The cipher suite is highly (i.e., too) accommodating:

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

So: Anyone seen this before? What should the SSLProtocol and CipherSuite settings be to allow client certificate authentication while maintaining reasonable security? Alternatively, what should the client settings on the browsers be? I have very limited control over the client settings, but it would be nice to know.

    httpd-2.2.15-39.el6.centos.x86_64
    openssl-1.0.1e-30.el6_6.5.x86_64
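A small triage script for mod_ssl handshake failures like the ones quoted above (added here as an example; it is not code from the original post). It pulls the numeric OpenSSL error out of each "SSL Library Error" line, unpacks it into library, function and reason the way OpenSSL 1.0.x ERR_PACK lays the bits out (8 | 12 | 12), checks that the decoded value matches the hex code mod_ssl printed, and attributes the failure to the client named in the preceding "SSL library error ... in handshake" line. The sample log is constructed from the lines in the post; the regexes, constant names and dict keys are my own choices.

```python
import re

# Constructed sample, shaped like the info-level mod_ssl lines quoted in the post.
SAMPLE_LOG = """\
[Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes of entropy
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)
[Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] Connection closed to child 2 with abortive shutdown (server localhost.localdomain:443)
"""

# OpenSSL 1.0.x error layout: lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20               # 0x14, "SSL routines"
SSL_R_NO_SHARED_CIPHER = 193   # 0x0C1

CLIENT_RE = re.compile(r"\[client ([\d.]+)\] SSL library error \d+ in handshake")
# The reason text is lowercase; mod_ssl appends its own capitalised hint after it.
ERR_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):"
                    r"([a-z][a-z ]*?)(?:\s[A-Z].*)?$")

def unpack_err(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """One dict per decoded SSL Library Error line. Attribution uses the most
    recent handshake-error line; with prefork and concurrent clients the
    interleaving can mislead, so treat 'client' as a hint, not proof."""
    failures, current_client = [], None
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            current_client = m.group(1)
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        lib, func, reason = unpack_err(code)
        failures.append({
            "client": current_client,
            "code_hex": "%08X" % code,
            "hex_matches_log": "%08X" % code == m.group(2).upper(),
            "lib": lib, "func": func, "reason": reason,
            "func_name": m.group(4), "reason_text": m.group(5).strip(),
            "no_shared_cipher": lib == ERR_LIB_SSL and reason == SSL_R_NO_SHARED_CIPHER,
        })
    return failures

def no_shared_cipher_by_client(failures):
    """Count 'no shared cipher' handshake failures per client address."""
    counts = {}
    for f in failures:
        if f["no_shared_cipher"]:
            counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts
```

A run of such failures from every client points at the server-side SSLCipherSuite or certificate key type; failures from only a subset of clients point at what those clients offer.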