----- Original Message -----
From: "Igor Galić" <i.galic@xxxxxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Tuesday, January 04, 2011 1:30 PM
Subject: Re: SSL Client Authentication Problem

----- "Alan Brown" <em745219@xxxxxxxxxxxxxxxx> wrote:
Hi all,

I am working in a test environment with Apache v2.2.14 on XP Pro SP3 and I have experienced difficulties setting up SSL Client Authentication. I have used the openssl command line tool to set up my private key, server certificate, and a certificate authority, and I have configured the httpd-ssl.conf file. All works as expected, except when I try to configure SSL Client Authentication. All browsers report an error and are unable to establish an SSL session, e.g. with Firefox:

    Secure Connection Failed
    An error occurred during a connection to myhost_1.
    SSL peer was unable to negotiate an acceptable set of security parameters.
    (Error code: ssl_error_handshake_failure_alert)

(myhost_1 is configured as 127.0.0.1 in the hosts file.)

In the config which works I have:

    <VirtualHost _default_:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
    SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
    #SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
    #SSLVerifyClient require
    #SSLVerifyDepth 10
    </VirtualHost>

When I uncomment the lines to configure SSL Client Authentication then I get the above errors. The browser is supposed to request which client certificate the user wants to use, then I can select the one I created and signed with ca.crt, which I have set as a trusted CA in the browser.

My Apache server has the following identifier (from the HTTP Response header):

    Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

The openssl version I am using is also 0.9.8l (l for 'link').
No. OpenSSL 0.9.8l is a regularly released version: http://www.openssl.org/source/
Here are the openssl commands I used:

    openssl genrsa -out ca.key 1024
    openssl req -new -key ca.key -x509 -days 60 -out ca.crt
    openssl genrsa -out server.key 1024
    openssl req -new -key server.key -days 90 -out server.csr
    openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey ca\ca.key -out server.crt
    openssl genrsa -out client_a.key 1024
    openssl req -new -key client_a.key -days 90 -out client_a.csr
    openssl x509 -req -in client_a.csr -set_serial 451470 -CA ..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt

I have carefully studied all documentation and I just wonder why this is not working - have I misunderstood something or is there possibly a bug? Thanks in advance for any advice.
Instead of involving a browser, which is a big, complex and opaque thing, can you please test with openssl s_client?
Alan.
So long,
i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

Thanks Igor for pointing out this s_client tool within openssl. On investigating use of this tool, I realised I needed a bit more understanding of how SSL/TLS works, and realised I omitted to understand one essential feature of the SSL handshake, namely that the client must possess a private key.
This means the client cert must actually contain a private key, which makes it quite unlike a website cert, which just has the public key<->identity mapping (and digital signature). I found this concept very odd at first - even if it is password protected, a digital cert seems not a place to store a private key. The format for the composite file is PKCS#12 (.p12 extension). (When you view such a client cert in IE8, for example, it says 'You have a private key which corresponds to this certificate'.)
To create the .p12 file you enter the command:

    openssl pkcs12 -export -out client_a.p12 -in client_a.crt -inkey client_a.key

where client_a.crt is the client cert and client_a.key is the private key file.
Then the browser can accept import of the file client_a.p12 as a 'Personal Certificate', and it now all works on Firefox/Chrome/Opera/IE8, with the browser displaying a dialog for client cert choice on accessing the secure page.
Thanks also Joost - you are correct, importing the client cert is needed, it will not work without this, i.e. it won't just prompt for a client cert on accessing the secure page. But I had not set up the client cert correctly, so the import did not work.
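The procedure from this thread end to end, as an added example in POSIX shell that is not part of the original posts: it builds the CA, server and client certificates with non-interactive openssl commands, bundles the client key and certificate into the PKCS#12 file the browser imports, checks the result offline, and then runs the s_client test Igor suggested against an openssl s_server configured the way the Apache vhost is (-Verify corresponds to SSLVerifyClient require and SSLVerifyDepth, -CAfile to SSLCACertificateFile). One point worth keeping straight: the certificate itself still carries only the public key; it is the .p12 container that holds the private key next to it, which is what the browser needs in order to sign the CertificateVerify message during the handshake. The directory, subject names, serial numbers, the password changeit and port 4433 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a test CA, a server certificate,
# a client certificate and a PKCS#12 bundle, then check the pieces with
# openssl before involving a browser. Names, serials, the password and the
# port below are assumptions for illustration only.
set -eu

# make_pki DIR: create ca.{key,crt}, server.{key,crt} and
# client_a.{key,crt,p12} in DIR and verify them. Returns 0 on success.
make_pki() (
    set -e
    mkdir -p "$1"
    cd "$1"

    # CA: self-signed, used only to sign the server and client certificates.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -days 60 -subj "/CN=Test CA" -out ca.crt

    # Server certificate. -subj avoids the interactive prompts.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=myhost_1" -out server.csr
    openssl x509 -req -in server.csr -days 90 -set_serial 451470 \
        -CA ca.crt -CAkey ca.key -out server.crt 2>/dev/null

    # Client certificate, with its own serial: two certificates issued by the
    # same CA must not share one.
    openssl genrsa -out client_a.key 2048 2>/dev/null
    openssl req -new -key client_a.key -subj "/CN=client_a" -out client_a.csr
    openssl x509 -req -in client_a.csr -days 90 -set_serial 451471 \
        -CA ca.crt -CAkey ca.key -out client_a.crt 2>/dev/null

    # The browser needs the client's private key as well as its certificate,
    # so bundle both into PKCS#12 (the .p12 file the browser imports).
    openssl pkcs12 -export -in client_a.crt -inkey client_a.key \
        -out client_a.p12 -passout pass:changeit

    # Checks worth doing before touching a browser:
    # 1. both certificates chain to the CA that Apache will be told to trust;
    openssl verify -CAfile ca.crt server.crt client_a.crt >/dev/null
    # 2. the bundle really holds the private key matching the certificate
    #    (compare the public key derived from each side).
    p12_pub=$(openssl pkcs12 -in client_a.p12 -passin pass:changeit \
                  -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in client_a.crt -pubkey -noout)
    [ "$p12_pub" = "$crt_pub" ]
)

# handshake_demo DIR: the s_client test from the thread, against an s_server
# set up like the Apache vhost: -Verify 10 plays the role of
# SSLVerifyClient require / SSLVerifyDepth 10, -CAfile of SSLCACertificateFile.
# Assumes port 4433 is free. Output is for reading, not asserted on.
handshake_demo() (
    set -e
    cd "$1"
    openssl s_server -accept 4433 -cert server.crt -key server.key \
        -CAfile ca.crt -Verify 10 -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    echo "--- no client certificate: expect an alert from the server"
    openssl s_client -connect 127.0.0.1:4433 -CAfile ca.crt </dev/null 2>&1 \
        | grep -E 'alert|Verify return code' || true
    echo "--- with client_a.crt and its key: expect no alert"
    openssl s_client -connect 127.0.0.1:4433 -CAfile ca.crt \
        -cert client_a.crt -key client_a.key </dev/null 2>&1 \
        | grep -E 'alert|Verify return code' || true
    kill "$srv" 2>/dev/null || true
)
```

Run `make_pki ./pki && handshake_demo ./pki`. The "Verify return code" line printed by s_client refers to its check of the server certificate against ca.crt; what shows the client-auth side working is the absence of the alert that the first connection gets. With OpenSSL 3.x, `pkcs12 -export` defaults to AES-256-CBC with PBKDF2; if an old importer rejects the file, re-export with `-legacy`.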
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx