Joshua Slive wrote:
On Tue, Apr 15, 2008 at 1:56 PM, Shakti <corewafer@xxxxxxxxxxxx> wrote:

Hi,

I am new to Apache and need help with SSL authentication. I have compiled apache2 on Mac OS X. Configured it with basic authentication and that worked fine. I enabled SSL and that worked fine. Then I generated certificates for the server and clients, installed certificates in the clients' browsers and that worked OK too. Then I tried to combine certificate authentication with basic authentication and that is where I run into a problem. I am not sure if that is possible to do? When I do that I get the normal prompt from the server to accept the certificate, then the user name and password prompt. I type the user name and password, but then it comes again and again and prompts me for the user name and password over and over again. When I do not use the client certificate, then typing the user name and password works fine.

Here is the section in httpd-ssl.conf where I am experimenting:

<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks MultiViews
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"
    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer
    Order allow,deny
    Allow from all
</Directory>

If I disable:

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificatePath "conf/certs"
    SSLCACertificateFile "conf/certs/cwsca.crt"

then prompting for user name and password works fine.

If I disable:

    AuthType Basic
    AuthName "CoreWafer"
    AuthUserFile /usr/local/apache2/conf/passwd/passwords
    AuthGroupFile /usr/local/apache2/conf/passwd/groups
    Require group CoreWafer

then using the client certificate works fine. It is when I try to use both, that is the client certificate and the password, that I get into trouble.

I'm not an expert in this stuff, but I'd suggest:

1. Move SSLVerifyDepth out of the <Directory> section. According to the docs, this will force a renegotiation when placed there. (And you are just repeating the default anyway, so you can probably remove it entirely.)

2. Tell us what the error log says and what you are seeing in the access log.

Joshua.
Hi,

Thank you for your reply. I have followed your suggestion and removed SSLVerifyDepth. Then I cleared all logs, started the server and saved all log files during each step so that all logs can be seen. I have put them into one file (attached here) with comments indicating what steps have been accomplished after each entry in a log file.

I cannot deduce anything from these logs?

Thank you,
Shakti
This is a log of the following files:

error_log
access_log
ssl_engine_log
ssl_request_log
ssl_scache.dir
ssl_scache.pag

I have inserted comments stating what step has been accomplished after each step. If there are consecutive Comments with nothing between them, that means that no change has been made to that file.

error_log

[Tue Apr 15 13:09:09 2008] [notice] Digest: generating secret for digest authentication ...
[Tue Apr 15 13:09:09 2008] [notice] Digest: done
[Tue Apr 15 13:09:09 2008] [notice] Apache/2.2.8 (Unix) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.7l configured -- resuming normal operations
Comment: Server started
Comment: browser requested web page
Comment: client accepted the certificate
Comment: User name and password entered
Comment: User name and password entered again
Comment: Login canceled

access_log

Comment: Server started
Comment: browser requested web page
127.0.0.1 - /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx [15/Apr/2008:13:16:34 -0600] "GET / HTTP/1.1" 401 401
Comment: client accepted the certificate
127.0.0.1 - /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx [15/Apr/2008:13:21:31 -0600] "GET / HTTP/1.1" 401 401
Comment: User name and password entered
127.0.0.1 - /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx [15/Apr/2008:13:25:43 -0600] "GET / HTTP/1.1" 401 401
Comment: User name and password entered again
Comment: Login canceled

ssl_engine_log

[Tue Apr 15 13:09:08 2008] [info] Loading certificate & private key of SSL-aware server
[Tue Apr 15 13:09:08 2008] [info] Configuring server for SSL protocol
[Tue Apr 15 13:09:09 2008] [info] Loading certificate & private key of SSL-aware server
[Tue Apr 15 13:09:09 2008] [info] Configuring server for SSL protocol
Comment: Server started
[Tue Apr 15 13:14:43 2008] [info] [client 127.0.0.1] Connection to child 0 established (server CoreWaferSystems:443)
[Tue Apr 15 13:14:43 2008] [info] Seeding PRNG with 272 bytes of entropy
Comment: browser requested web page
[Tue Apr 15 13:16:34 2008] [info] Initial (No.1) HTTPS request received for child 0 (server CoreWaferSystems:443)
[Tue Apr 15 13:16:34 2008] [info] Requesting connection re-negotiation
[Tue Apr 15 13:16:34 2008] [info] Awaiting re-negotiation handshake
[Tue Apr 15 13:16:34 2008] [info] Faking HTTP Basic Auth header: "Authorization: Basic L0M9VVMvU1Q9TmV3IE1leGljby9PPUNvcmUgV2FmZXIgU3lzdGVtcywgSW5jLi9PVT1Db3JlIFdhZmVyIFN5c3RlbXMgQWJxL0NOPUNvcmVXYWZlclN5c3RlbXMvZW1haWxBZGRyZXNzPWVhcmxAY29yZXdhZmVyLmNvbTpwYXNzd29yZA=="
[Tue Apr 15 13:16:34 2008] [error] [client 127.0.0.1] user /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx not found: /
[Tue Apr 15 13:16:39 2008] [info] [client 127.0.0.1] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Apr 15 13:16:39 2008] [info] [client 127.0.0.1] Connection closed to child 0 with standard shutdown (server CoreWaferSystems:443)
Comment: client accepted the certificate
[Tue Apr 15 13:21:31 2008] [info] [client 127.0.0.1] Connection to child 4 established (server CoreWaferSystems:443)
[Tue Apr 15 13:21:31 2008] [info] Seeding PRNG with 272 bytes of entropy
[Tue Apr 15 13:21:31 2008] [info] Initial (No.1) HTTPS request received for child 4 (server CoreWaferSystems:443)
[Tue Apr 15 13:21:31 2008] [info] Requesting connection re-negotiation
[Tue Apr 15 13:21:31 2008] [info] Awaiting re-negotiation handshake
[Tue Apr 15 13:21:31 2008] [info] Faking HTTP Basic Auth header: "Authorization: Basic L0M9VVMvU1Q9TmV3IE1leGljby9PPUNvcmUgV2Ffh98rh9q3fq038nv8r8qhe9rgheXMgQWJxL0NOPUNvcmVXYWZlclN5c3RlbXMvZW1haWxBZGRyZXNzPWVhcmxAY29yZXdhZmVyLmNvbTpwYXNzd29yZA=="
[Tue Apr 15 13:21:31 2008] [error] [client 127.0.0.1] user /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx not found: /
[Tue Apr 15 13:21:36 2008] [info] [client 127.0.0.1] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Apr 15 13:21:36 2008] [info] [client 127.0.0.1] Connection closed to child 4 with standard shutdown (server CoreWaferSystems:443)
Comment: User name and password entered
[Tue Apr 15 13:25:43 2008] [info] [client 127.0.0.1] Connection to child 2 established (server CoreWaferSystems:443)
[Tue Apr 15 13:25:43 2008] [info] Seeding PRNG with 272 bytes of entropy
[Tue Apr 15 13:25:43 2008] [info] Initial (No.1) HTTPS request received for child 2 (server CoreWaferSystems:443)
[Tue Apr 15 13:25:43 2008] [info] Requesting connection re-negotiation
[Tue Apr 15 13:25:43 2008] [info] Awaiting re-negotiation handshake
[Tue Apr 15 13:25:43 2008] [info] Faking HTTP Basic Auth header: "Authorization: Basic L0M9VVMvU1Q9TmV3IE1leGljby9PPUNvcmUgV2Ffh98rh9q3fq038nv8r8qhe9rgheXMgQWJxL0NOPUNvcmVXYWZlclN5c3RlbXMvZW1haWxBZGRyZXNzPWVhcmxAY29yZXdhZmVyLmNvbTpwYXNzd29yZA=="
[Tue Apr 15 13:25:43 2008] [error] [client 127.0.0.1] user /C=US/ST=New Mexico/O=Core Wafer Systems, Inc./OU=Core Wafer Systems Abq/CN=CoreWaferSystems/emailAddress=earl@xxxxxxxxxxxxx not found: /
[Tue Apr 15 13:25:48 2008] [info] [client 127.0.0.1] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Apr 15 13:25:48 2008] [info] [client 127.0.0.1] Connection closed to child 2 with standard shutdown (server CoreWaferSystems:443)
Comment: User name and password entered again
Comment: Login canceled

ssl_request_log

Comment: Server started
Comment: browser requested web page
Comment: client accepted the certificate
Comment: Login canceled

ssl_scache.dir

Comment: Server started
Comment: browser requested web page
Comment: client accepted the certificate
Comment: User name and password entered
Comment: Login canceled

ssl_scache.pag

Comment: Server started
Comment: browser requested web page
(binary session cache contents, not reproduced)
Comment: client accepted the certificate
Comment: User name and password entered
Comment: User name and password entered again
Comment: Login canceled
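The ssl_engine_log in the attachment shows mod_ssl "Faking HTTP Basic Auth header", which is what SSLOptions +FakeBasicAuth does: the user name handed to mod_auth_basic is the client certificate's subject DN and the password is the fixed string "password", and the error log then reports that DN as not found in the AuthUserFile. As an added illustration (not code from the thread or from the Apache project), this Python script decodes such log lines and checks the decoded user against an htpasswd-style file; the log entries, the DN and the AuthUserFile are constructed samples, and a mangled entry shows how a corrupt header is reported.

```python
import base64
import binascii
import re

# Matches the mod_ssl message seen in the thread's ssl_engine_log.
FAKED_RE = re.compile(
    r'Faking HTTP Basic Auth header: "Authorization: Basic ([A-Za-z0-9+/=]+)"')
# Constructed sample data (hypothetical DN, e-mail and account; not the poster's).
SAMPLE_DN = "/C=US/ST=New Mexico/O=Example Corp/CN=ExampleClient/emailAddress=user@example.com"
FAKED_B64 = base64.b64encode(f"{SAMPLE_DN}:password".encode()).decode()
SAMPLE_LOG = (
    "[Tue Apr 15 13:16:34 2008] [info] Requesting connection re-negotiation\n"
    "[Tue Apr 15 13:16:34 2008] [info] Faking HTTP Basic Auth header: "
    f'"Authorization: Basic {FAKED_B64}"\n'
    f"[Tue Apr 15 13:16:34 2008] [error] [client 127.0.0.1] user {SAMPLE_DN} not found: /\n"
    # A later entry whose base64 was mangled, like the later entries in the thread.
    "[Tue Apr 15 13:21:31 2008] [info] Faking HTTP Basic Auth header: "
    '"Authorization: Basic L0M9VVMvU1Q9Tm"\n'
)
# Constructed AuthUserFile: one ordinary account, no entry for the certificate DN.
SAMPLE_AUTHUSERFILE = "shakti:PLACEHOLDER_HASH\n"

def decode_faked_header(b64):
    """Decode one faked credential into (user, password); None if the base64 is corrupt."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def authuserfile_users(text):
    """Usernames from an htpasswd-style AuthUserFile (user:hash per line)."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}

def diagnose(ssl_engine_log, authuserfile):
    """Per faked header: the credential mod_auth_basic really received (subject DN
    plus the fixed password 'password') and whether AuthUserFile has that user.
    What the browser user typed never matters, because the faked header replaces it."""
    known = authuserfile_users(authuserfile)
    report = []
    for match in FAKED_RE.finditer(ssl_engine_log):
        cred = decode_faked_header(match.group(1))
        if cred is None:
            report.append({"corrupt": True, "user": None, "password": None, "known": False})
            continue
        user, password = cred
        report.append({"corrupt": False, "user": user, "password": password, "known": user in known})
    return report
```

Run against a real ssl_engine_log, an entry with "known": False means the DN would have to be added to the AuthUserFile (with the password "password") for the lookup to succeed, or FakeBasicAuth dropped so the typed credentials reach mod_auth_basic.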
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx