From bugzi...@apache.org
Subject DO NOT REPLY [Bug 15370] New: - SSLProxyCACertificateFile directive doesn't get picked up when passing client certificates onto a server requesting a client cert.
Date Fri, 13 Dec 2002 18:19:54 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15370>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15370

SSLProxyCACertificateFile directive doesn't get picked up when passing client certificates
onto a server requesting a client cert.

           Summary: SSLProxyCACertificateFile directive doesn't get picked up
                    when passing client certificates onto a server requesting
                    a client cert.
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Major
          Priority: Other
         Component: mod_proxy
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mogul@totalise.co.uk


(I think this is a bug, but no-one seems to be able to confirm this)

I'll try and be as succinct as possible. 

I have configured two apache 2.0.43 servers, one acting as an SSL-enabled 
server which requests a client cert via http://server:81, the other acting 
as a client proxy which users connect to via their browser, via 
https://proxy:7800/server

The proxy is configured to proxy the client request using the client cert (in 
PEM format) to the server (via the ProxyPass mechanism). I have confirmed my 
configs, as I can s_client connect to both proxy and server to docroot.

I can also connect to the endpoint server by installing my client cert in P12 
format in my browser, and it works ok (and via the command line on the proxy using 
curl).

I have noticed the following errors.

a. the proxy cannot complete the SSL handshake to the server as it cannot find 
the endpoint server's client cert.

from default_error_logs
------------------------
[Fri Dec 13 14:43:30 2002] [warn] Proxy client certificate callback: 
(217.199.xx.xx:443) downstream server wanted client certificate but none are 
configured
[Fri Dec 13 14:43:30 2002] [error] SSL Proxy connect failed
[Fri Dec 13 14:43:30 2002] [error] SSL Library Error: 336151568 
error:14094410:lib(20):func(148):reason(1040)
[Fri Dec 13 14:43:30 2002] [error] (20014)Error string not specified yet: 
proxy: request failed to 62.49.xx.xx:81 (server.somewhere.com)

I have also run httpd on the proxy via strace and get the following errors at 
the same time (pay particular attention to the client.pem open system call, 
as this is where the client PEM cert is located as apache starts up).

30218 14:19:30 semget(IPC_PRIVATE, 1, IPC_CREAT|0x180|0600) = 2981895
30218 14:19:30 semctl(2981895, 0, 0x110 /* SEM_??? */, 0xbffff418) = 0
30218 14:19:30 geteuid32()              = 0
30218 14:19:30 semctl(2981895, 0, 0x101 /* SEM_??? */, 0xbffff428) = 0
30218 14:19:30 gettimeofday({1039789170, 486809}, NULL) = 0
30218 14:19:30 write(9, "[Fri Dec 13 14:19:30 2002] [warn"..., 121) = 121
30218 14:19:30 open("/usr/local/apache2/conf/client.pem", O_RDONLY) = 10
30218 14:19:30 fstat64(10, {st_mode=S_IFREG|0644, st_size=3489, ...}) = 0
30218 14:19:30 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002c000
30218 14:19:30 read(10, "Certificate:\n    Data:\n        V"..., 4096) = 3489
30218 14:19:30 read(10, "", 4096)       = 0
30218 14:19:30 close(10)                = 0
30218 14:19:30 munmap(0x4002c000, 4096) = 0
30218 14:19:30 open("/usr/local/apache2/conf/client.pem", O_RDONLY) = 10
30218 14:19:30 fstat64(10, {st_mode=S_IFREG|0644, st_size=3489, ...}) = 0
30218 14:19:30 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002c000
30218 14:19:30 read(10, "Certificate:\n    Data:\n        V"..., 4096) = 3489
30218 14:19:30 read(10, "", 4096)       = 0
30218 14:19:30 close(10)                = 0

I have tried using the other SSLProxyCARevocationFile directive, and I get the 
same results.

When I connect to the proxy via the browser I get this error.

<from html browser error page>

Server error!
The server encountered an internal error and was unable to complete your 
request. Either the server is overloaded or there was an error in a CGI script. 
If you think this is a server error, please contact the webmaster. 
Error 20014
proxy.somwhere.com
Fri Dec 13 17:18:12 2002 
Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL


extract from httpd.conf for proxy pass

        ProxyPass /server https://server.somewhere.com:81
        ProxyPassReverse /server https://server.somewhere.com:81

This has been bugging me for nearly a week and I'm sure it's a bug, if it's 
not, please correct my errors...

Regards

Dan Cave
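The configuration fragment and check below are an added example and are not part of Dan Cave's report or of the Apache project's own code. They show the proxy-side mod_ssl directives involved when a reverse proxy must present a client certificate to a backend: SSLProxyMachineCertificateFile is the directive that supplies the proxy's own certificate and private key (concatenated, PEM, key unencrypted), while SSLProxyCACertificateFile only holds CA certificates used to verify the backend's server certificate. The POSIX shell function checks that a PEM file contains both a certificate and an unencrypted private key, and a second function reproduces the handshake with openssl s_client. Host names, port and the client.pem path are taken from the report; the CA file name backend-ca.pem, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: check the PEM file a mod_ssl
# reverse proxy presents as its *client* certificate to a backend.
# Assumes Apache 2.0 mod_ssl; backend-ca.pem and the function names are
# placeholders chosen for this example.

# Proxy-side httpd.conf fragment this script goes with (for reference).
# SSLProxyMachineCertificateFile carries the proxy's own cert + unencrypted key;
# SSLProxyCACertificateFile carries CAs used to verify the backend's cert.
proxy_conf_fragment() {
    cat <<'EOF'
SSLProxyEngine on
SSLProxyMachineCertificateFile /usr/local/apache2/conf/client.pem
SSLProxyCACertificateFile      /usr/local/apache2/conf/backend-ca.pem
SSLProxyVerify require
ProxyPass        /server https://server.somewhere.com:81
ProxyPassReverse /server https://server.somewhere.com:81
EOF
}

# pem_check FILE: return 0 if FILE holds a certificate block and an
# unencrypted private key block (what SSLProxyMachineCertificateFile
# needs); otherwise print the reason and return 1.
pem_check() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no certificate block"; return 1; }
    grep -q -E -- '-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----' "$f" \
        || { echo "$f: no private key block; a cert-only file cannot answer a CertificateRequest"; return 1; }
    if grep -q -E -- 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f: private key is encrypted; mod_ssl 2.0 needs it unencrypted here"
        return 1
    fi
    echo "$f: ok (certificate + unencrypted private key)"
    return 0
}

# probe_backend HOST PORT PEM: do from the proxy host what mod_ssl has to do,
# i.e. complete a handshake while presenting PEM as the client certificate.
probe_backend() {
    host=$1; port=$2; pem=$3
    openssl s_client -connect "$host:$port" -cert "$pem" -key "$pem" </dev/null
}

# Usage: sh check_proxy_cert.sh /usr/local/apache2/conf/client.pem [host port]
if [ -n "${1:-}" ]; then
    pem_check "$1" || exit 1
    if [ -n "${3:-}" ]; then
        probe_backend "$2" "$3" "$1"
    fi
fi
```

If pem_check passes but probe_backend still fails with the backend's CA chain, the problem is on the verification side (SSLProxyCACertificateFile / SSLProxyVerify) rather than the client certificate; if s_client succeeds with -cert and -key but httpd does not, compare the file it actually opens in strace against the SSLProxyMachineCertificateFile value.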


