httpd-users mailing list archives

From "TAYLOR, TIM (CONTRACTOR)" <TIM.TAY...@DFAS.MIL>
Subject FW: [users@httpd] client cert authentication problem
Date Thu, 09 Dec 2004 23:26:04 GMT
Brian,
  if you tell Apache to authenticate certificates (which you are doing with the SSLVerifyClient
require directive) you must provide trusted cert(s) for Apache to use. If you are able to
passthru (this is news to me) the client verification piece to Tomcat, remove the SSLVerifyClient
directive from the Apache config. Otherwise Apache expects to load up his SSL certificate store
to perform client verification.

Also, although it is common to use a number like 10, a high verify depth weakens your security.
You should use as low a number as will work. Needing a depth of 10 means you have a pretty
complex trust hierarchy. Trust a certificate issued by a CA certificate issued by a CA certificate
issued by a CA certificate...7 more of same.

regards,
tt
317-510-5987

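The configuration both Tim and Joe are describing, written out as an added example (not from any poster in this thread): SSLVerifyClient require paired with an SSLCACertificateFile that holds the CA(s) that issued the client certificates, and a verify depth no larger than the real hierarchy. Hostnames, file paths and the bundle name are placeholders.

```apache
# Added example, not the original poster's config. Placeholders:
# dev.example.com, conf/ssl.crt/client-ca-bundle.crt, myserver:8080.
<VirtualHost dev.example.com:443>
  ServerName            dev.example.com
  SSLEngine             on
  SSLCertificateFile    conf/ssl.crt/myserver.crt
  SSLCertificateKeyFile conf/ssl.key/myserver.key

  # Require a client certificate AND give mod_ssl the CA certificate(s)
  # it must chain to. Without SSLCACertificateFile (or SSLCACertificatePath)
  # the trust store is empty, so every client cert is rejected; with a
  # self-signed client cert the log shows "Error (18): self signed certificate".
  # The file is plain PEM, one or more CA certificates concatenated.
  SSLVerifyClient       require
  SSLCACertificateFile  conf/ssl.crt/client-ca-bundle.crt

  # Keep the depth as small as the hierarchy allows (mod_ssl semantics):
  #   0 = only self-signed client certs are accepted
  #   1 = client cert must be issued directly by a CA in the bundle
  #   2 = one intermediate CA between the bundle CA and the client cert
  # A depth of 10 accepts any chain up to nine CAs deep, which is far
  # more than a single issuing CA ever needs.
  SSLVerifyDepth        1

  # Old-MSIE workaround carried over from the original config.
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  # Plain-HTTP reverse proxy to Tomcat. TLS terminates here, so Tomcat never
  # sees the client certificate itself; if Tomcat is supposed to do the
  # verification instead, drop SSLVerifyClient from this vhost entirely
  # rather than leaving it with an empty trust store.
  ProxyPass        / http://myserver:8080/
  ProxyPassReverse / http://myserver:8080/
</VirtualHost>
```

Before restarting, `openssl verify -CAfile conf/ssl.crt/client-ca-bundle.crt client.crt` against a sample client certificate should succeed; if it reports error 18 or "unable to get local issuer certificate", the handshake will fail the same way.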

-----Original Message-----
From: Brian Rook [mailto:Brian.Rook@state.co.us]
Sent: Thursday, December 09, 2004 5:44 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] client cert authentication problem


Forgot to add my error log information in the last email:

[Thu Dec 09 10:51:04 2004] [error] Certificate Verification: Error (18): self signed certificate
[Thu Dec 09 10:51:04 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.154.64)
[Thu Dec 09 10:51:04 2004] [error] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[Thu Dec 09 10:52:19 2004] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Thu Dec 09 10:52:20 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.158.212)
[Thu Dec 09 10:52:20 2004] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)

This is what the last entry looked like.

Looks like Apache _is_ trying to do some sort of certificate
validation.

>>> jorton@redhat.com 12/9/2004 1:20:27 PM >>>
On Thu, Dec 09, 2004 at 10:34:09AM -0700, Brian Rook wrote:
> Hello,
> 
> I added the following lines to my virtual host
> 
> <VirtualHost dev.childsupport.state.co.us:443>
>   ServerName dev.childsupport.state.co.us
>   SSLEngine on
> *>  SSLVerifyClient require
> *>  SSLVerifyDepth 10

>   SSLCertificateFile conf/ssl.crt/myserver.crt
>   SSLCertificateKeyFile conf/ssl.key/myserver.key
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   ProxyRemote  /*  http://myserver:8080/ 
>   ProxyPass / http://myserver:8080/ 
>   ProxyPassReverse / http://myserver:8080/ 
>  </VirtualHost>

You also have to configure the set of trusted CAs for which you have issued
client certificates, using SSLCACertificateFile and ...Path - have you
done that?

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile


What does the server error_log say?

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 