Re: client certificate error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

thank you for the answer.

can you please point the right direction for solution, please?

Regarding the "look suspicious - it means your client is connecting from 127.0.0.1 and your server is also listening on 127.0.0.1 ; is this really what you have in mind? " i'm testin on my local system, having apache server and browser (chrome) on the same system.

And yes, the server cetificate have localhost as DNS alias.

Again, thank you so much.

PW

Am 30.06.21 um 05:32 schrieb Jan Just Keijser:
Hi,

On 30/06/21 00:23, Paulo Wollny wrote:
Dear @ll

My environment:

OpenSSL 1.1.1f  31 Mar 2020

Ubuntu 20.04

Server version: Apache/2.4.41 (Ubuntu)
Server built:   2021-06-17T18:27:53

My problem:

connecting to a secure server requiring client certificate, i get the following error when presenting my certificate:

ERR_BAD_SSL_CLIENT_AUTH_CERT

It started to fail after the previous one voided and i issued a new one.

CA, the same, server cert, renewed after previous voided.


this is an apache/mod_ssl issue and has little to do with openssl; from reading the logs the lines

[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 127.0.0.1:57026] AH02261: Re-negotiation handshake failed

look suspicious - it means your client is connecting from 127.0.0.1 and your server is also listening on 127.0.0.1 ; is this really what you have in mind?

But again, this is an apache httpd/mod_sssl issue and does not belong on this list.

JJK

My server conf:

<VirtualHost *:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /home/www/

                # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
                # error, crit, alert, emerg.
                # It is also possible to configure the loglevel for particular
                # modules, e.g.
                #LogLevel info ssl:warn

                ErrorLog /var/log/apache2/ssl_engine.log
                LogLevel debug

                #ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                # For most configuration files from conf-available/, which are                 # enabled or disabled at a global level, it is possible to                 # include a line for only one particular virtual host. For example the                 # following line enables the CGI configuration for this host only
                # after it has been globally disabled with "a2disconf".
                #Include conf-available/serve-cgi-bin.conf

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                SSLProtocol all -SSLv3 -TLSv1.3
                #SSLProtocol all
                #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.                 #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile /etc/ssl/private/server.crt
                SSLCertificateKeyFile /etc/ssl/private/server.key
                SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
                SSLCACertificateFile /etc/ssl/private/fullchain.crt


                #   Server Certificate Chain:
                #   Point SSLCertificateChainFile at a file containing the                 #   concatenation of PEM encoded CA certificates which form the                 #   certificate chain for the server certificate. Alternatively                 #   the referenced file can be the same as SSLCertificateFile                 #   when the CA certificates are directly appended to the server
                #   certificate for convinience.
                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #   Certificate Authority (CA):
                #   Set the CA certificate verification path where to find CA                 #   certificates for client authentication or alternatively one                 #   huge file containing all of them (file must be PEM encoded)                 #   Note: Inside SSLCACertificatePath you need hash symlinks                 #                to point to the certificate files. Use the provided                 #                Makefile to update the hash symlinks after changes.
                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #   Certificate Revocation Lists (CRL):
                #   Set the CA revocation path where to find CA CRLs for client                 #   authentication or alternatively one huge file containing all
                #   of them (file must be PEM encoded)
                #   Note: Inside SSLCARevocationPath you need hash symlinks                 #                to point to the certificate files. Use the provided                 #                Makefile to update the hash symlinks after changes.
                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

                #   Client Authentication (Type):
                #   Client certificate verification type and depth. Types are                 #   none, optional, require and optional_no_ca. Depth is a                 #   number which specifies how deeply to verify the certificate                 #   issuer chain before deciding the certificate is not valid.
                #SSLVerifyClient require
                #SSLVerifyDepth  10

                #   SSL Engine Options:
                #   Set various options for the SSL engine.
                #   o FakeBasicAuth:
                #        Translate the client X.509 into a Basic Authorisation.  This means that                 #        the standard Auth/DBMAuth methods can be used for access control.  The                 #        user name is the `one line' version of the client's X.509 certificate.                 #        Note that no password is obtained from the user. Every entry in the user
                #        file needs this password: `xxj31ZMTZzkVA'.
                #   o ExportCertData:
                #        This exports two additional environment variables: SSL_CLIENT_CERT and                 #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the                 #        server (always existing) and the client (only existing when client                 #        authentication is used). This can be used to import the certificates
                #        into CGI scripts.
                #   o StdEnvVars:
                #        This exports the standard SSL/TLS related `SSL_*' environment variables.                 #        Per default this exportation is switched off for performance reasons,                 #        because the extraction step is an expensive operation and is usually                 #        useless for serving static content. So one usually enables the
                #        exportation for CGI and SSI requests only.
                #   o OptRenegotiate:
                #        This enables optimized SSL connection renegotiation handling when SSL
                #        directives are used in per-directory context.
                #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                #   SSL Protocol Adjustments:
                #   The safe and default but still SSL/TLS standard compliant shutdown                 #   approach is that mod_ssl sends the close notify alert but doesn't wait for                 #   the close notify alert from client. When you need a different shutdown
                #   approach you can use one of the following variables:
                #   o ssl-unclean-shutdown:
                #        This forces an unclean shutdown when the connection is closed, i.e. no                 #        SSL close notify alert is send or allowed to received.  This violates                 #        the SSL/TLS standard but is needed for some brain-dead browsers. Use                 #        this when you receive I/O errors because of the standard approach where
                #        mod_ssl sends the close notify alert.
                #   o ssl-accurate-shutdown:
                #        This forces an accurate shutdown when the connection is closed, i.e. a                 #        SSL close notify alert is send and mod_ssl waits for the close notify                 #        alert of the client. This is 100% SSL/TLS standard compliant, but in                 #        practice often causes hanging connections with brain-dead browsers. Use                 #        this only for browsers where you know that their SSL implementation
                #        works correctly.
                #   Notice: Most problems of broken clients are also related to the HTTP                 #   keep-alive facility, so you usually additionally want to disable                 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.                 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround                 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
                #   "force-response-1.0" for this.
                # BrowserMatch "MSIE [2-6]" \
                #               nokeepalive ssl-unclean-shutdown \
                #               downgrade-1.0 force-response-1.0


# private
       Alias /ssl/ /home/www/html-ssl-certs/
       <location /ssl/>
             SSLVerifyClient require
             SSLVerifyDepth       5
             SSLOptions +StdEnvVars +ExportCertData
             AuthType Basic
             AuthName "Protected User access required"
             AuthUserFile /etc/apache2/.htpasswd
             Require valid-user
             DirectoryIndex phpinfo.php
             DirectoryIndexRedirect permanent
             Order deny,allow
             Allow from all
      </location>



</VirtualHost>



log shows:

[Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae -> subcache 14) [Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match [Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully [Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359] protocol.c(2313): [client 127.0.0.1:57022] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw [Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client 127.0.0.1:57024] AH01964: Connection to child 0 established (server hp15pw:443) [Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 -> subcache 7) [Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match [Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully [Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355] protocol.c(2313): [client 127.0.0.1:57024] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw [Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial (No.1) HTTPS request received for child 4 (server hp15pw:443) [Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355] ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed client verification type will force renegotiation [Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH02221: Requesting connection re-negotiation [Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation) [Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake [Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359] ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client 127.0.0.1:57022] AH02261: Re-negotiation handshake failed [Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359] ssl_engine_io.c(1368): (70014)End of file found: [client 127.0.0.1:57022] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] [Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client 127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive shutdown (server hp15pw:443) [Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End of file found: [client 127.0.0.1:57024] AH01991: SSL input filter read failed. [Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355] ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection closed to child 0 with standard shutdown (server hp15pw:443) [Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH01964: Connection to child 2 established (server hp15pw:443) [Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 -> subcache 8) [Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match [Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully [Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357] protocol.c(2313): [client 127.0.0.1:57026] AH03155: select protocol from , choices=h2,http/1.1 for server hp15pw [Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial (No.1) HTTPS request received for child 2 (server hp15pw:443) [Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed client verification type will force renegotiation [Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH02221: Requesting connection re-negotiation [Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation) [Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits) [Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake [Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357] ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host) [Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c -> subcache 12) [Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357] mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully [Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client 127.0.0.1:57026] AH02261: Re-negotiation handshake failed [Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification? [Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357] ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] [Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client 127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive shutdown (server hp15pw:443)
root@hp15pw:/var/log/apache2#

Any cue? I'm not being able to find out what is wrong.

Thx in advance.







[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux