Problem Configuring httpd 2.4 to allow expired client certificates

I am working on migrating an application to httpd 2.4 on AL2023.  The application uses client certificates, which will be expiring before they can all be rotated with new expirations. I am attempting to configure httpd 2.4 to continue requiring client certificates, but change the configuration to accept them if they are expired. I have not been able to figure out how to accept expired client certificates; however, I did find some info at the following link:

https://blog.fem.tu-ilmenau.de/archives/1025-Accepting-expired-client-certificates-with-apache-2.4.html

I tried the method suggested and built the shared library mysslverify.so, and placed the drop-in service file mysslverify.conf at /etc/systemd/system/httpd.service.d with contents:

[Service]
Environment="LD_PRELOAD=/etc/httpd/conf/mysslverify.so"

To reload the service file and restart httpd I issued: 

$ systemctl daemon-reload
$ systemctl restart httpd

For which there were no errors, and I confirmed mysslverify.so was loaded as follows:

$ ps aux | grep httpd
root      347549  0.8  0.1  35256 15144 ?        Ss   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347558  0.0  0.0  46212  5300 ?        S    23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347559  0.0  0.1 1572936 8620 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347560  0.0  0.1 1572936 8640 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
apache    347561  0.0  0.1 1736840 8684 ?        Sl   23:34   0:00 /usr/sbin/httpd -DFOREGROUND
root      347738  0.0  0.0 222312  2156 pts/5    S+   23:34   0:00 grep --color=auto httpd
$ cat /proc/347549/maps | grep mysslverify.so
7fec37187000-7fec37188000 r--p 00000000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec37188000-7fec37189000 r-xp 00001000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec37189000-7fec3718a000 r--p 00002000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec3718a000-7fec3718b000 r--p 00002000 103:01 226492593                 /etc/httpd/conf/mysslverify.so
7fec3718b000-7fec3718c000 rw-p 00003000 103:01 226492593                 /etc/httpd/conf/mysslverify.so

After making this configuration change, expired certificates continued to be rejected.
Issuing the openssl s_client command to test results in:

003E67F4887F0000:error:0A000415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1605:SSL alert number 45

Clients using non-expired certificates can connect ok.

Also, at https://httpd.apache.org/support.html , I repeatedly attempted to go to the "archives" link that we are supposed to consult before posting. However, clicking on that link resulted in the error: httpd.markmail.ort took too long to respond (ERR_CONNECTION_TIMED_OUT). I found another link to the archive, http://mail-archives.apache.org/mod_mbox/httpd-users/ , and that results in an error too:
mail-archives.apache.org took too long to respond (ERR_TIMED_OUT).

Please advise on how I can get expired client certificates to be accepted by an httpd 2.4 server running on AL2023.
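As an added example (not code from the post, httpd or systemd), a small Python audit that parses a drop-in's Environment= line for LD_PRELOAD entries and reports which httpd processes do not actually have each library mapped according to their /proc/<pid>/maps text, so the check covers the worker processes that perform the TLS handshakes and not only the parent. The sample drop-in and maps excerpts are constructed from the post; the function names and the `audit` return shape are assumptions.

```python
"""Check that an LD_PRELOAD declared in a systemd drop-in is mapped in every process."""
import re
import shlex
from typing import Dict, List, Set

ENV_RE = re.compile(r"^\s*Environment\s*=\s*(.*)$")


def ld_preload_paths(dropin_text: str) -> List[str]:
    """Return the LD_PRELOAD library paths declared in the [Service] section."""
    paths: List[str] = []
    in_service = False
    for line in dropin_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):          # section header
            in_service = stripped == "[Service]"
            continue
        m = ENV_RE.match(line)
        if not (in_service and m):
            continue
        # Environment= holds quoted KEY=VALUE words; shlex undoes the quoting.
        for word in shlex.split(m.group(1)):
            key, _, value = word.partition("=")
            if key == "LD_PRELOAD" and value:
                # LD_PRELOAD itself is a list separated by spaces or colons.
                paths.extend(p for p in re.split(r"[ :]+", value) if p)
    return paths


def mapped_files(maps_text: str) -> Set[str]:
    """Collect the file paths appearing in /proc/<pid>/maps lines."""
    files: Set[str] = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # address perms offset dev inode path
        if len(fields) == 6 and fields[5].startswith("/"):
            files.add(fields[5])
    return files


def audit(dropin_text: str, maps_by_pid: Dict[int, str]) -> Dict[int, List[str]]:
    """Map each pid to the declared preload libraries it is NOT carrying."""
    wanted = ld_preload_paths(dropin_text)
    return {pid: [p for p in wanted if p not in mapped_files(text)]
            for pid, text in maps_by_pid.items()}


# Constructed sample input: the drop-in from the post, a maps excerpt for the
# parent (library present) and one for a worker where it is missing.
DROPIN = '[Service]\nEnvironment="LD_PRELOAD=/etc/httpd/conf/mysslverify.so"\n'
MAPS_PARENT = "7fec37187000-7fec37188000 r--p 00000000 103:01 226492593   /etc/httpd/conf/mysslverify.so\n"
MAPS_WORKER = "7f0000000000-7f0000001000 r-xp 00000000 103:01 1   /usr/lib64/libssl.so.3\n"
```

On a live host, feed `audit` the drop-in text and `{pid: open(f"/proc/{pid}/maps").read()}` for every httpd pid; an empty list for a pid means the library is mapped there.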
