SSLVerifyClient in apache + openssl
hi,
Is it a bug?
This is the scenario for CentOS 5.3 (apache 2.2.3 + openssl-0.9.8e)
1. Simple httpd.conf (nothing special) + SSL part, self-signed certs + CA:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:/var/cache/mod_ssl/ssl_scache(512000)
# try default too
SSLMutex default
<VirtualHost 172.25.16.86:8443>
...
SSLEngine on
<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
SSLCertificateKeyFile "/root/mihailp1-ca/mihailp1.key"
SSLCertificateFile "/root/mihailp1-ca/mihailp1.crt"
SSLCACertificateFile "/root/mihailp1-ca/mihailp1-ca.crt"
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
<LocationMatch ^/nike(.*)>
SSLVerifyClient require
SSLVerifyDepth 3
SSLOptions +OptRenegotiate
</LocationMatch>
....
</VirtualHost>
2. I've installed a user's cert; it works:
# openssl verify -CAfile mihailp1-ca.crt browser.crt
browser.crt: OK
3. Interesting part starts here.
[Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(1598): Inter-Process Session Cache: request=SET status=OK id=16EA972E4C09B2D7B7B788ABB2273BF3A0E3856A161CA98F62C083B2AF45A8AF timeout=300s (session caching)
4. I see only "...request=SET..." requests, and Firefox opens a pop-up window
(User Identification Request) that has to be clicked OK. This is boring for 10k users.
It doesn't use the session cache.
5. If I use apache + openssl 0.9.7 it works as before, without the pop-up window;
it uses the same certs and configs at the same time.
6. The problem in httpd is in ssl_engine_kernel.c:
    /* OptRenegotiate: if no client verification was required before and a
       peer certificate is already present, do a quick renegotiation instead
       of a full one */
    if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) &&
        (verify_old == SSL_VERIFY_NONE) &&
        ((peercert = SSL_get_peer_certificate(ssl)) != NULL))
    {
        renegotiate_quick = TRUE;
        X509_free(peercert);
    }
7. With openssl 0.9.8, SSL_get_peer_certificate returns NULL; with openssl 0.9.7 it
returns non-NULL, so the variable renegotiate_quick is set to TRUE and it does a *quick*
renegotiation.
Help.
--mpech
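As an added example (not part of the original message and not httpd's own code), the following Python script tallies the "Inter-Process Session Cache" lines from an Apache error_log run at LogLevel debug, so an administrator can see at a glance whether the cache is only ever written (request=SET, the symptom in the report) or is also consulted for resumption (request=GET). It assumes the line format quoted in the report and the "request=GET status=FOUND/MISSED" wording that mod_ssl 2.2 uses for lookups; the sample log lines are constructed, and the source-file line numbers in them are placeholders.

```python
"""Summarise mod_ssl session-cache activity from an Apache debug error_log.

Added example; assumes lines of the form
"... Inter-Process Session Cache: request=<OP> status=<STATUS> id=<HEX> ..."
"""
import re
import sys
from collections import Counter

SESSION_CACHE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<op>\w+) status=(?P<status>\w+)"
    r" id=(?P<sid>[0-9A-Fa-f]+)"
)

# Constructed sample: cache is written and later consulted (one hit, one miss).
SAMPLE_LOG = """\
[Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=SET status=OK id=A1B2C3D4 timeout=300s (session caching)
[Wed Apr 15 13:24:58 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=SET status=OK id=E5F60718 timeout=300s (session caching)
[Wed Apr 15 13:25:02 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=GET status=FOUND id=A1B2C3D4 (session reuse)
[Wed Apr 15 13:25:05 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=GET status=MISSED id=DEADBEEF (session reuse)
"""

# Constructed sample matching the report: only SET, never a lookup.
ONLY_SET_LOG = """\
[Wed Apr 15 13:24:57 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=SET status=OK id=11111111 timeout=300s (session caching)
[Wed Apr 15 13:24:59 2009] [debug] ssl_engine_kernel.c(0000): Inter-Process Session Cache: request=SET status=OK id=22222222 timeout=300s (session caching)
"""


def tally_session_cache(lines):
    """Count cache operations per (request, status) pair and collect ids per op."""
    counts = Counter()
    ids = {}
    for line in lines:
        m = SESSION_CACHE_RE.search(line)
        if not m:
            continue  # not a session-cache line; ignore
        counts[(m["op"], m["status"])] += 1
        ids.setdefault(m["op"], set()).add(m["sid"].upper())
    return counts, ids


def diagnose(counts, ids):
    """Classify what the tallies say about session reuse.

    no-lookups : sessions are stored but never looked up (every handshake is
                 a full one, as in the report)
    all-misses : lookups happen but never hit (entries expired or evicted)
    resuming   : at least one lookup found a cached session
    no-data    : no session-cache lines at all (LogLevel too low?)
    """
    sets = sum(n for (op, _), n in counts.items() if op == "SET")
    found = counts[("GET", "FOUND")]
    missed = counts[("GET", "MISSED")]
    if sets and not (found or missed):
        return "no-lookups"
    if missed and not found:
        return "all-misses"
    if found:
        return "resuming"
    return "no-data"


if __name__ == "__main__":
    # Usage: python sslcache_tally.py /var/log/httpd/error_log  (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    c, i = tally_session_cache(log_lines)
    for (op, status), n in sorted(c.items()):
        print(f"{op:4s} {status:7s} {n:6d}  distinct ids={len(i.get(op, ()))}")
    print("verdict:", diagnose(c, i))
```

A verdict of "no-lookups" on a busy server is the signature described in the report: the cache is filled on every handshake but clients never resume, so each per-location SSLVerifyClient renegotiation is a full one and the browser re-prompts for the certificate. "all-misses" points instead at the cache itself (timeout or shmcb size), which is worth ruling out before blaming the renegotiation path.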