Re: apache client authentication problem (somewhat long)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: apache client authentication problem (somewhat long)
From: "Serge Dubrouski" <sergeyfd@xxxxxxxxx>
Date: Tue, 28 Nov 2006 13:03:00 -0700
Delivered-to: mailing list users@xxxxxxxxxxxxxxxx
In-reply-to: <456C902E.3060205@xxxxxxxxxxxxxxxx>
Mailing-list: contact users-help@xxxxxxxxxxxxxxxx; run by ezmlm
References: <456C902E.3060205@xxxxxxxxxxxxxxxx>
Reply-to: users@xxxxxxxxxxxxxxxx

Your client submits certificate signed by CA which certificate you
don't have in your SSLCACertificatePath. Actually it looks like you
incorrectly configured it. You have:

SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt

You should use just one of those options. If you use
SSLCACertificateFile your file (stacked pem) should have certificates
for all CA that issue certificates for you clients. If you use
SSLCACertificatePath place all certs into that directory and create
links like it's described here:

http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html





On 11/28/06, Bill Tangren <bjt@xxxxxxxxxxxxxxxx> wrote:

I posted this on the Redhat Enterprise Linux 4 (Nahant) list, but I didn't get
sufficient help to solve my problem, so I'm trying here. I apologize in advance
if any of you have seen this before.



I am having a problem with client authentication with apache and openssl. I have
been ordered to get this working, or I will have to be shut down. I think this
is a complex problem (because my web site is somewhat complex, at least for me)
but I will try to simplify it as much as possible.

I am trying to set up a test directory that requires client authentication,
while the parent directory (which is used for web email) does not. I also have
non-encrypted web sites, and that may be what is bollixing up this process, I
don't know.

When I use Internet Explorer to access this test directory, I am successfully
presented with the certificate, and required to provide my client certificate.
After I do so, however, I get a

"The page cannot be displayed. The page is currently unavailable..."

Nothing shows up in /var/log/httpd/ssl_error_log, or in
/var/log/httpd/ssl_access_log. However, /var/log/httpd/webmail_error_log shows this:

[Wed Nov 22 11:00:56 2006] [error] Certificate Verification: Error (20): unable
to get local issuer certificate
[Wed Nov 22 11:00:56 2006] [error] Re-negotiation handshake failed: Not accepted
by client!?

/var/log/httpd/webmail_access_log indicates an apache 103 error:

schwarzschild.usno.navy.mil - - [22/Nov/2006:11:00:55 -0500] "GET /pkitest/
HTTP/1.0" 103 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)"

I've never heard of a 103 error. The apache error codes seem to start in the
200's (http://bignosebird.com/apache/a5.shtml).

Googling comes up with this:

<http://www.mail-archive.com/modssl-users@xxxxxxxxxx/msg17064.html>

which indicated a number of things, which I tried without success.

Googling on the renegotiation handshake error yielded quite a bit on use of
KeepAlive, but I don't use it, and turning it on didn't help.

There are other, simpler, web sites here at work that only have this client
authentication, and they were able to implement it without trouble. They are,
however, on a fedora core 5 system running apache 2.2.x.

I run httpd-2.0.52-28 and openssl-0.9.7a-43.14 on a RHEL ES 4 system. My
*httpd.conf* contains (in part)

<VirtualHost aa.usno.navy.mil:443>
    ServerAdmin bjt@xxxxxxxxxxxxxxxx
    ServerName aa.usno.navy.mil
    ErrorLog /var/log/httpd/webmail_error_log
    CustomLog /var/log/httpd/webmail_access_log combined
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/AA_PKI.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/root.crt
    SSLVerifyClient none

    <Files ~ "\.(cgi|shtml)$">
       SSLOptions +StdEnvVars
    </Files>

    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    <Directory "/var/www/cgi-bin">
       SSLOptions +StdEnvVars
       AllowOverride None
       Options None
       Order allow,deny
       Allow from all
    </Directory>

    <Directory "/var/www/html/pkitest">
       Options Indexes FollowSymLinks MultiViews Includes
       AllowOverride None
       Order allow,deny
       Allow from all
       SSLRequireSSL
       SSLVerifyClient require
       SSLVerifyDepth 10
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0
    CustomLog /etc/httpd/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x \
       %{SSL_CIPHER}x \"%r\" %b"

    DocumentRoot /var/www/html
    <Directory "/var/www">
       Options -Indexes FollowSymLinks MultiViews Includes
       AllowOverride None
       Order allow,deny
       Allow from all
    </Directory>
    Alias /webmail /usr/share/squirrelmail
</VirtualHost>


My *ssl.conf* contains

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>

ServerName aa.usno.navy.mil:443
ServerAdmin bjt@xxxxxxxxxxxxxxxx
RewriteEngine on
RewriteRule ^https://aa/$ https://aa.usno.navy.mil/
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/AA_PKI.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLVerifyClient optional
SSLVerifyDepth  10
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Can anyone help?

TIA,

Bill Tangren



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: apache client authentication problem (somewhat long)
  - From: Bill Tangren

References:
- apache client authentication problem (somewhat long)
  - From: Bill Tangren

Prev by Date: apache client authentication problem (somewhat long)
Next by Date: RE: Apache, mod_jk, client certificates, and Jetty
Previous by thread: apache client authentication problem (somewhat long)
Next by thread: Re: apache client authentication problem (somewhat long)
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]