Hello,
I'm slowly going insane trying to get clientside SSL auth to work with
Apache 2.2. I think it's mostly related to the recent openssl bug
which caused ssl renegotiation to be completely disabled. Initial
configuration steps were:
1. Created ca crt/key pair
2. Created apache key/crt pair
3. Signed apache key/crt pair with the new ca
4. Created client crt/key pair
5. Signed client cert with ca
6. Exported client crt/key pair to .p12 format\
7. Installed client crt/key pair .p12 bundle into the browser
My vhost looks like this (slightly redacted for privacy reasons):
---------------------
<VirtualHost 127.0.0.1:443>
CustomLog /var/log/apache2/CLIENT.mark-alogs combined
ErrorLog /var/log/apache2/CLIENT.mark-elogs
SSLEngine on
SSLCertificateFile /etc/ssl/private/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache.key
DocumentRoot "/var/www/CLIENT/htdocs"
ServerName mark
DirectoryIndex index.php
SSLCACertificateFile /etc/ssl/private/ca.crt
SSLOptions +FakeBasicAuth +ExportCertData
RewriteEngine On
# rewrite rules and aliases redacted
<IfModule authn_dbd_module>
DBDriver pgsql
DBDParams "dbname=CLIENT user=mark"
DBDPersist Off
DBDMin 0
DBDKeep 1
DBDMax 1
DBDExptime 5
</IfModule>
<Directory /var/www/CLIENT">
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 1
# core authentication and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "mark"
AuthBasicProvider dbd
# core authorization configuration
Require valid-user
# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery \
"SELECT password FROM user WHERE username = %s"
</Directory>
</VirtualHost>
-----------------------
This works in the sense that it forces the browser to select a
certificate when connecting, however the auth fails and in the logs I
get:
[Thu Sep 09 08:45:41 2010] [info] Initial (No.1) HTTPS request
received for child 1 (server mark:443)
[Thu Sep 09 08:45:41 2010] [info] Requesting connection re-negotiation
[Thu Sep 09 08:45:41 2010] [info] Awaiting re-negotiation handshake
[Thu Sep 09 08:45:41 2010] [error] Re-negotiation handshake failed:
Not accepted by client!?
which suggests to me that it's broken because renegotiation isn't
allowed, and the SSLVerifyClient directive in the Directory context
makes it think it needs to renegotiate because the Directory context
is different from the VirtualHost context. If I move SSLVerifyClient
into the VirtualHost context the error goes away, but no client ssl
authentication is done at all. If I put it in both contexts, the same
errors occurs, so it's trying to renegotiate even though both contexts
have the same directive.
I've spent hours crawling forums and google trying to figure this out
and I'm baffled, did the disabling of renegotiation basically prevent
client-side ssl auth from working or is there a way round this? I'm
confused as to why SSLVerifyClient does nothing when used in the
VirtualHost context, could it be that I have something elsewhere in
the apache general config that disables it when used in this context?
Any help and advice would be much appreciated.
Thanks,
Mark
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|