> -----Original Message-----
> From: McGregor, Donald (Don) (CIV)
> Sent: Monday, March 23, 2015 15:22
>
> I'm attempting to get smart cards (DoD CAC) working with
> apache 2.2 (CentOS 6).
>
> It works on some browsers (Chrome, Safari) but not Firefox
> 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn't work
> on OS X, either. The root cause of the problem seems to be
> the SSL negotiation.

Interesting. Let's ignore FF and OS X for now, as Chrome and IE (on Windows) use the same certificate store for accessing the smart card.

> The SSLProtocol setting is this:
>
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1
>
> I started off allowing TLS 1.1 and 1.2 but this seemed to
> provoke complaints in the protocol negotiation about downgrade
> attacks. Apparently the clients tried to downgrade to TLS1 and
> the server thought there was some sort of attack going on and
> terminated the negotiation.
>
> The above change got through the initial version negotiation,
> but then ran aground on this, with info level debugging on:

Can you run wireshark on the browser side? I would like to see (pcap.gz please) the Chrome success and the IE failure, then we can tweak to get IE working too.

> [Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes of entropy
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)
> [Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] Connection closed to child 2 with abortive shutdown (server localhost.localdomain:443)
>
> The cipher suite is highly (i.e., too) accommodating:
>
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>
> So:
>
> Anyone seen this before?
>
> What should the SSLProtocol and CipherSuite settings be to allow
> client certificate authentication while maintaining reasonable
> security? Alternatively, what should the client settings on the
> browsers be? I have very limited control over the client settings
> but it would be nice to know.
>
> httpd-2.2.15-39.el6.centos.x86_64
> openssl-1.0.1e-30.el6_6.5.x86_64

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us       -
- Principal Consultant          10 West 24th Street #100          -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218         -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
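The question above asks what SSLProtocol and SSLCipherSuite should look like for client-certificate (CAC) authentication with reasonable security. The following is an added example, not configuration posted by either participant: it places the two directives exactly as quoted in the thread beside a tightened pair for httpd 2.2 mod_ssl on CentOS 6 with the el6 OpenSSL 1.0.1e build named in the question. It assumes the server certificate is RSA (the log hint about a DSA certificate would otherwise apply), all file paths are placeholders, and it re-enables TLS 1.1/1.2, which the question reports as triggering downgrade complaints, so a browser-side capture of the handshake, as requested in the reply, is the check to run after the change.

```apache
# Added example (not from the thread). Placeholder paths throughout.
<VirtualHost _default_:443>
    SSLEngine on
    # Placeholder server certificate and key.
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # As posted in the question: only TLSv1.0 left enabled, and a
    # cipher string that still admits LOW, MEDIUM and RC4 suites while
    # the handshake fails with "no shared cipher".
    #SSLProtocol     All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1
    #SSLCipherSuite  ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    # Tightened: TLS 1.0 through 1.2 enabled, server chooses the suite,
    # and a HIGH-only list that excludes anonymous, null, export, DES,
    # RC4, MD5 and DSA suites (assumes an RSA server certificate).
    SSLProtocol          All -SSLv2 -SSLv3
    SSLHonorCipherOrder  on
    SSLCipherSuite       HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS

    # Client-certificate authentication: the CA chain that issued the
    # client certificates (placeholder path). Depth must cover the
    # issuing CA plus any intermediates above it.
    SSLCACertificateFile /etc/pki/tls/certs/client-ca-bundle.pem
    SSLVerifyClient      require
    SSLVerifyDepth       4

    # Expose the verified subject DN and certificate to the application
    # so authorization decisions can be made on the presented identity.
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

Inline comments after a directive are not permitted in httpd.conf, which is why every comment sits on its own line. With SSLVerifyClient set to require, a client that presents no certificate, or one not chained to the bundle in SSLCACertificateFile, is refused during the handshake rather than reaching the application, and the same "[info]" handshake lines shown in the question are where that refusal is logged.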