Re: HTTPD and SSL Certs

Ian,

On Mar 9, 2007, at 11:01 AM, Ian Johnson wrote:

> Is there anyone out there that can answer the following set of
> questions for me (or point me to where I may find the information)?

If you're in Europe, you may consider attending my Practical SSL Implementation with Apache Training at ApacheCon EU 2007:

http://www.eu.apachecon.com/program/talk/120

> Any and all help/responses is greatly appreciated.

> While setting up ssl and apache 2 employing name servers I noticed
> that you may only have one cert per httpd server rather than, what I
> would consider desired, one per name.

You need to run every SSL-enabled virtual host on its own IP address. This is necessary because the SSL handshake happens before the HTTP request (and its Host: header which drives name-based virtual hosting) is available to the server, and Apache needs to present the correct certificate for the server name under consideration.

> Be that as it may, having set up a self signed cert, I am getting a
> certificate validation error that I don't believe I should be getting.
> That is:
>
> "Could not verify this certificate for unknown reasons"

What are you using for a client? A self-signed certificate cannot be verified by the browser unless you install that certificate in your browser's SSL certificate store as a trusted cert. You will get either of these errors, or both:

1) Your browser doesn't trust the certificate because it doesn't know the entity that issued it (which in your case is the certificate itself)

2) The browser connected to hostname A, but got a certificate for hostname B. This ties back to the issue you raised above: SSL hosts need to have their own IP, and for the browser to make the correct connection these need to resolve correctly in your DNS.

> My Questions then:

> 1.  Is there something wrong with my cert?

From the error message above, it's impossible to tell. I'll take a wild guess and say that your certificate is fine. Do make sure that the cert matches the private key:

$ openssl x509 -in yourcert.pem -noout -modulus | openssl md5
$ openssl rsa  -in yourkey.pem  -noout -modulus | openssl md5

should yield the same output. You should also be able to connect to the server by running openssl s_client -connect yourserver:443, typing an HTTP request and getting an HTTP response.

> 2. Must my cert be signed by a registered authority to be considered valid?

Yes, it has to be signed by an authority that your browser recognizes as valid. Note that you can install your own authority (the cert itself if you have self-signed) in your browser as a trusted entity.

If your site is an internal website and you have control over all your clients, you can install your own CA cert on those machines and be done. If your website is accessible to the general public and you don't want to saddle them with the burden of clicking through dialogs or installing your CA cert, give money to a CA already recognized by your users' browsers.

> 3.  What verifications are actually performed?

Depends on the client, but the following checks are generally performed:

1) Validity period of the certificate against the client system clock

2) Hostname to which the client connected vs. the Common Name (CN)
   attribute of the certificate Subject.  This is why your DNS records
   need to be in place and your server needs to present the correct
   certificate for a particular IP address

3) Certificate signature and chain of authority as presented by the
   server against the root CA certificates stored by the client or
   operating system

4) The client could check a Certificate Revocation List (CRL) or Online
   Certificate Status Protocol (OCSP) server to see whether the
   certificate is revoked, but no browser generally deployed in the
   field today does this by default.

> When using the 'testing purposes' cert that installs with the app I do
> not get this message.

I can't speak to your application or its installation, since you don't tell us what they are.

Hope the above gives you some idea of what is going wrong.

S.

--
sctemme@xxxxxxxxxx            http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/
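A worked version of the client-side checks listed under question 3, added here as an example and not part of the original message: a throwaway self-signed certificate is minted with Go's standard library and run through the same verifier a TLS client uses, first with an empty trust store (the browser has never seen the cert) and then with the cert installed as trusted. The host name and dates are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed server certificate (constructed test data) for the name cn.
func selfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // modern clients match the SAN, not the CN
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true, // a self-signed cert is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verify runs the client-side checks from the reply: validity period against
// the clock now, host against the certificate's names, and the chain against
// the trust store. trusted is what the client has installed (nil: none).
func verify(cert *x509.Certificate, host string, trusted []*x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	return err
}
```

The concrete error type says which check failed: x509.UnknownAuthorityError is browser error 1 above (issuer not known), x509.HostnameError is browser error 2 (connected to host A, got a cert for host B), and x509.CertificateInvalidError with Reason x509.Expired is the validity-period check.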


