httpd-users mailing list archives

From "TAYLOR, TIM \(CONTRACTOR\)" <TIM.TAY...@DFAS.MIL>
Subject FW: FW: [users@httpd] client cert authentication problem
Date Thu, 09 Dec 2004 23:47:07 GMT
The more I think about this, the more skeptical I get about what you have described.

I think you need to make your server either a pig or a puppy. In other words, I cannot see how
a browser could handle two applications on your server trying to shake hands with it at the
same time. Either apache shakes hands or you don't use apache and instead let the catalina
container be an ssl-enabled web server itself and thus shake hands.

If your configuration is such that apache frontends your tomcat, I think you want apache to
fully authenticate the certificate. The authenticated ID should then be available to tomcat
through session environment variables such as SSL_CLIENT_S_DN. 

SSL is a point to point protocol and the browser point is talking to the apache point. Browsers
aren't talking directly to tomcat remember (in this situation). I am pretty sure you can't
pass the handshake (and certainly not part of it) through apache to tomcat.

So, if a pig, remove all ssl conf from tomcat and fully equip apache to shake hands and authenticate.
When requests make it through, inspect the session env for who the user is. If a puppy, drop
apache out and ssl-enable tomcat.

regards,
tt
317-510-5987
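The "pig" layout described above, as an added example that is not from this thread or from the httpd project: a small provisioning script that renders the vhost in which httpd terminates TLS, verifies the client certificate against the issuing CA, and hands the verified subject DN to Tomcat in a request header, then refuses to deploy if a client could smuggle that header in itself. The hostname, file paths, header name and Tomcat URL are placeholders; it assumes mod_ssl, mod_headers and mod_proxy are loaded and that RequestHeader accepts the %{VAR}e format (documented for 2.2 and 2.4; on 2.0 check your mod_headers docs). The ProxyRemote line in the vhost quoted further down is not needed for this: it names an upstream proxy to chain through, and ProxyPass/ProxyPassReverse already do the reverse proxying.

```shell
#!/bin/sh
# Added example, not from the thread: write and check the httpd vhost for
# the "pig" layout (httpd verifies the client certificate, Tomcat only sees
# the result). All names, paths and URLs below are placeholders.
set -eu

# render_vhost CA_BUNDLE VERIFY_DEPTH BACKEND_URL  -> vhost config on stdout
render_vhost() {
    ca_bundle=$1; depth=$2; backend=$3
    cat <<EOF
<VirtualHost *:443>
    ServerName dev.example.test
    SSLEngine on
    SSLCertificateFile    conf/ssl.crt/myserver.crt
    SSLCertificateKeyFile conf/ssl.key/myserver.key

    # The CA(s) that issued the client certificates. Without this file
    # mod_ssl has nothing to trust and every client certificate fails.
    SSLCACertificateFile  $ca_bundle
    SSLVerifyClient       require
    SSLVerifyDepth        $depth

    # Export SSL_CLIENT_S_DN and friends as environment variables so
    # mod_headers can read them with the %{VAR}e format.
    SSLOptions +StdEnvVars

    # Never trust an identity header that arrived from the client: drop it,
    # then set it from the verified certificate. With "SSLVerifyClient
    # require" any request that gets this far has passed verification.
    RequestHeader unset X-SSL-Client-DN
    RequestHeader set   X-SSL-Client-DN "%{SSL_CLIENT_S_DN}e"

    ProxyRequests Off
    ProxyPass        / $backend
    ProxyPassReverse / $backend
</VirtualHost>
EOF
}

# header_spoof_guarded CONFIG_FILE HEADER -> success only if HEADER is
# unset before it is set from the certificate, i.e. a client-supplied copy
# can never reach Tomcat.
header_spoof_guarded() {
    unset_line=$(grep -n "RequestHeader unset $2\$" "$1" | head -n 1 | cut -d: -f1)
    set_line=$(grep -n "RequestHeader set  *$2 " "$1" | head -n 1 | cut -d: -f1)
    [ -n "$unset_line" ] && [ -n "$set_line" ] && [ "$unset_line" -lt "$set_line" ]
}

conf=$(mktemp)
render_vhost /etc/httpd/conf/ssl.crt/client-ca.crt 1 http://127.0.0.1:8080/ > "$conf"
if header_spoof_guarded "$conf" X-SSL-Client-DN; then
    echo "vhost written to $conf; include it and run 'apachectl configtest'"
else
    echo "identity header could be spoofed by clients, refusing to deploy" >&2
    exit 1
fi
```

The header is only as trustworthy as the path to Tomcat: bind Tomcat's HTTP connector to 127.0.0.1 (or firewall port 8080) so nothing but httpd can reach it, otherwise anyone on the network can send a forged X-SSL-Client-DN straight to the backend. On the Tomcat side, read the header and map the DN to a user; if the application needs the whole certificate rather than the DN, `SSLOptions +ExportCertData` additionally exports it as SSL_CLIENT_CERT.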

-----Original Message-----
From: Brian Rook [mailto:Brian.Rook@state.co.us]
Sent: Thursday, December 09, 2004 6:30 PM
To: users@httpd.apache.org
Subject: Re: FW: [users@httpd] client cert authentication problem


If I tell Apache to perform the certificate authentication, will it pass
the authentication information to tomcat so that I can perform my user
authentication there?  Do I have to do more configuration in Apache or
Tomcat in order to make this happen?

Thanks for the helpful information, I've been working on this for over
a week now and it's hard to find useful information.

>>> TIM.TAYLOR@DFAS.MIL 12/9/2004 4:26:04 PM >>>
Brian,
  if you tell apache to authenticate certificates (which you are doing
with the SSLVerifyClient require directive) you must provide trusted
cert(s) for apache to use. If you are able to passthru (this is news to
me) the client verification piece to tomcat, remove the SSLVerifyClient
directive from apache config. Otherwise Apache expects to load up his
ssl certificate store to perform client verification.

Also, although it is common to use a number like 10, a high verify
depth weakens your security. You should use as low a number as will
work. Needing a depth of 10 means you have a pretty complex trust
hierarchy. Trust a certificate issued by a CA certificate issued by a CA
certificate issued by a CA certificate...7 more of same.

regards,
tt
317-510-5987


-----Original Message-----
From: Brian Rook [mailto:Brian.Rook@state.co.us] 
Sent: Thursday, December 09, 2004 5:44 PM
To: users@httpd.apache.org 
Subject: Re: [users@httpd] client cert authentication problem


Forgot to add my error log information in the last email:

[Thu Dec 09 10:51:04 2004] [error] Certificate Verification: Error
(18): self signed certificate
[Thu Dec 09 10:51:04 2004] [error] SSL handshake failed (server
dev.childsupport.state.co.us:443, client 165.127.154.64)
[Thu Dec 09 10:51:04 2004] [error] SSL Library Error: 336105650
error:140890B2:lib(20):func(137):reason(178)
[Thu Dec 09 10:52:19 2004] [error] Spurious SSL handshake interrupt
[Hint: Usually just one of those OpenSSL confusions!?]
[Thu Dec 09 10:52:20 2004] [error] SSL handshake failed (server
dev.childsupport.state.co.us:443, client 165.127.158.212)
[Thu Dec 09 10:52:20 2004] [error] SSL Library Error: 336105671
error:140890C7:lib(20):func(137):reason(199)

This is what the last entry looked like.

Looks like Apache _is_ trying to do some sort of certificate
validation.

>>> jorton@redhat.com 12/9/2004 1:20:27 PM >>>
On Thu, Dec 09, 2004 at 10:34:09AM -0700, Brian Rook wrote:
> Hello,
> 
> I added the following lines to my virtual host
> 
> <VirtualHost dev.childsupport.state.co.us:443>
>   ServerName dev.childsupport.state.co.us
>   SSLEngine on
> *>  SSLVerifyClient require
> *>  SSLVerifyDepth 10

>   SSLCertificateFile conf/ssl.crt/myserver.crt
>   SSLCertificateKeyFile conf/ssl.key/myserver.key
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   ProxyRemote  /*  http://myserver:8080/ 
>   ProxyPass / http://myserver:8080/ 
>   ProxyPassReverse / http://myserver:8080/ 
>  </VirtualHost>

You also have to configure the set of trusted CAs that have issued your
client certificates, using SSLCACertificateFile and ...Path - have you
done that?

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile



What does the server error_log say?

joe
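The verification error in the log above and the SSLVerifyDepth advice earlier in the thread, as an added example that is not from this thread or from the httpd project. Error 18 is OpenSSL's X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the client presented a self-signed certificate that is not in the server's trust store, which is exactly what happens with a home-made test certificate and no SSLCACertificateFile. (The two "SSL Library Error" lines decode to reason 178, SSL_R_NO_CERTIFICATE_RETURNED, i.e. the verify callback rejected the certificate, and reason 199, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE, i.e. the browser sent none at all; browsers only offer certificates matching the CA names the server lists, and that list comes from SSLCACertificateFile.) The script builds a throwaway root, intermediate and client certificate with the openssl CLI, reproduces error 18, and then searches for the smallest verify depth at which the real chain passes, which is the value to put in SSLVerifyDepth instead of a catch-all like 10. Everything lives in a temp dir; the names are invented.

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce mod_ssl's
# "Certificate Verification: Error (18)" with the openssl CLI and find the
# smallest SSLVerifyDepth that lets a real chain verify. Everything is a
# throwaway demo CA in a temp dir; no real keys, hosts or users involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert NAME SUBJECT BASIC_CONSTRAINTS [ISSUER] -> NAME.key/NAME.crt in $WORK
# Without ISSUER the certificate is self-signed (a root, or a home-made
# client cert like the one the error log is complaining about).
mkcert() {
    name=$1; subject=$2; bc=$3; issuer=${4:-}
    printf 'basicConstraints=critical,%s\n' "$bc" > "$WORK/$name.ext"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subject" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -extfile "$WORK/$name.ext" -days 1 -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -days 1 -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# verify LEAF DEPTH -> "ok" or "error N", where N is the X509 verify code
# that mod_ssl logs as "Certificate Verification: Error (N)". The root is
# the only trusted CA (what SSLCACertificateFile would hold); the
# intermediate is supplied untrusted, as a browser would send it.
verify() {
    if out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
                 -verify_depth "$2" "$WORK/$1.crt" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^\(error [0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# min_verify_depth LEAF -> smallest depth 0..5 at which LEAF verifies, or
# "none". That smallest value is what SSLVerifyDepth should be set to.
min_verify_depth() {
    d=0
    while [ "$d" -le 5 ]; do
        if [ "$(verify "$1" "$d")" = ok ]; then echo "$d"; return 0; fi
        d=$((d + 1))
    done
    echo none
}

mkcert root       '/CN=Demo Root CA'    CA:TRUE
mkcert int        '/CN=Demo Issuing CA' CA:TRUE  root
mkcert client     '/CN=demo user'       CA:FALSE int
mkcert selfsigned '/CN=demo user'       CA:FALSE

echo "self-signed client cert, depth 10: $(verify selfsigned 10)"   # error 18
echo "CA-issued client cert, depth 0:    $(verify client 0)"
echo "CA-issued client cert, depth 2:    $(verify client 2)"         # ok
echo "smallest working SSLVerifyDepth:   $(min_verify_depth client)"
```

The self-signed certificate fails at every depth, because no depth setting can make an untrusted certificate trusted; the fix for Brian's log is to point SSLCACertificateFile at the CA that actually issued the client certificates (or, for a self-signed test certificate, at that certificate itself). The CA-issued certificate needs exactly one intermediate followed, so the depth search returns a small number (1 on current OpenSSL, which counts neither the leaf nor the trust anchor); a depth of 10 would also pass but lets the server follow chains nobody intended to trust.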

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message