httpd-users mailing list archives

From "Brian Rook" <Brian.R...@state.co.us>
Subject Re: FW: FW: [users@httpd] client cert authentication problem
Date Thu, 09 Dec 2004 23:55:17 GMT
This is what I had expected.  We don't have any SSL configuration in
Tomcat; only the web.xml is asking for client-cert authentication.  So in
our instance Apache is acting like a pig.

So we need to tell Apache to recognize our client certificates through
its trusted SSLCACertificateFile directive.  Do we need anything else
after that?  For example, I know that mod_jk includes some information
about SSL variables through its connection, but at the time we are not
using mod_jk (if it's too hard any other way I could definitely push it
through).  mod_rewrite/mod_ssl have SSLOptions where you can specify
what environment variables to include.  Do I need to add any of those
directives/options as well?


>>> TIM.TAYLOR@DFAS.MIL 12/9/2004 4:47:07 PM >>>
The more I think about this, the more skeptical I get about what you
have described.

I think you need to make your server either a pig or a puppy. In other
words, I cannot see how a browser could handle two applications on your
server trying to shake hands with it at the same time. Either apache
shakes hands or you don't use apache and instead let the catalina
container be an ssl-enabled web server itself and thus shake hands.

If your configuration is such that apache frontends your tomcat, I
think you want apache to fully authenticate the certificate. The
authenticated ID should then be available to tomcat through session
environment variables such as SSL_CLIENT_S_DN. 

SSL is a point to point protocol and the browser point is talking to
the apache point. Browsers aren't talking directly to tomcat remember
(in this situation). I am pretty sure you can't pass the handshake (and
certainly not part of it) through apache to tomcat.

So, if a pig, remove all ssl conf from tomcat and fully equip apache to
shake hands and authenticate. When requests make it through, inspect the
session env for who the user is. If a puppy, drop apache out and
ssl-enable tomcat.

regards,
tt
317-510-5987

-----Original Message-----
From: Brian Rook [mailto:Brian.Rook@state.co.us] 
Sent: Thursday, December 09, 2004 6:30 PM
To: users@httpd.apache.org 
Subject: Re: FW: [users@httpd] client cert authentication problem


If I tell Apache to perform the certificate authentication, will it
pass the authentication information to tomcat so that I can perform my
user authentication there?  Do I have to do more configuration in
Apache or Tomcat in order to make this happen?

Thanks for the helpful information, I've been working on this for over
a week now and it's hard to find useful information.

>>> TIM.TAYLOR@DFAS.MIL 12/9/2004 4:26:04 PM >>>
Brian,
  if you tell apache to authenticate certificates (which you are doing
with the SSLVerifyClient require directive) you must provide trusted
cert(s) for apache to use. If you are able to passthru (this is news
to me) the client verification piece to tomcat, remove the
SSLVerifyClient directive from apache config. Otherwise Apache expects
to load up his ssl certificate store to perform client verification.

Also, although it is common to use a number like 10, a high verify
depth weakens your security. You should use as low a number as will
work. Needing a depth of 10 means you have a pretty complex trust
hierarchy. Trust a certificate issued by a CA certificate issued by a
CA certificate issued by a CA certificate...7 more of same.

regards,
tt
317-510-5987


-----Original Message-----
From: Brian Rook [mailto:Brian.Rook@state.co.us] 
Sent: Thursday, December 09, 2004 5:44 PM
To: users@httpd.apache.org 
Subject: Re: [users@httpd] client cert authentication problem


Forgot to add my error log information in the last email:

[Thu Dec 09 10:51:04 2004] [error] Certificate Verification: Error (18): self signed certificate
[Thu Dec 09 10:51:04 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.154.64)
[Thu Dec 09 10:51:04 2004] [error] SSL Library Error: 336105650 error:140890B2:lib(20):func(137):reason(178)
[Thu Dec 09 10:52:19 2004] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Thu Dec 09 10:52:20 2004] [error] SSL handshake failed (server dev.childsupport.state.co.us:443, client 165.127.158.212)
[Thu Dec 09 10:52:20 2004] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)

This is what the last entry looked like.

Looks like Apache _is_ trying to do some sort of certificate
validation.

>>> jorton@redhat.com 12/9/2004 1:20:27 PM >>>
On Thu, Dec 09, 2004 at 10:34:09AM -0700, Brian Rook wrote:
> Hello,
> 
> I added the following lines to my virtual host
> 
> <VirtualHost dev.childsupport.state.co.us:443>
>   ServerName dev.childsupport.state.co.us
>   SSLEngine on
> *>  SSLVerifyClient require
> *>  SSLVerifyDepth 10

>   SSLCertificateFile conf/ssl.crt/myserver.crt
>   SSLCertificateKeyFile conf/ssl.key/myserver.key
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>   ProxyRemote  /*  http://myserver:8080/ 
>   ProxyPass / http://myserver:8080/ 
>   ProxyPassReverse / http://myserver:8080/ 
>  </VirtualHost>

You also have to configure the set of trusted CAs for which you have
issued client certificates, using SSLCACertificateFile and ...Path - have
you done that?

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile

What does the server error_log say?

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
   "   from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 

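Added example, not from the thread or the Apache project: the Apache-side configuration for the "pig" option discussed above, where Apache verifies the client certificate against the issuing CA and hands the verified subject DN to the proxied Tomcat. The CA file path, the X-SSL-Client-DN header name and the use of mod_headers are assumptions, and the server/key paths are copied from the posted virtual host.

```apache
# Added example (not the thread's own config). Apache terminates TLS,
# verifies the client certificate, and forwards the verified subject DN to
# Tomcat in a request header. CA path and header name are assumptions.
<VirtualHost dev.childsupport.state.co.us:443>
  ServerName dev.childsupport.state.co.us
  SSLEngine on
  SSLCertificateFile    conf/ssl.crt/myserver.crt
  SSLCertificateKeyFile conf/ssl.key/myserver.key

  # The CA certificate(s) that issued the client certificates. Without
  # this, mod_ssl has no trust anchor and every client certificate fails
  # verification, which is what the "Certificate Verification: Error (18)"
  # lines in the posted error_log show.
  SSLCACertificateFile  conf/ssl.crt/client-ca.crt   # assumed path

  # Reject any client that presents no certificate or one that does not
  # chain to the CA above.
  SSLVerifyClient require
  # Depth 1: client certificates signed directly by the CA. Use 2 if one
  # intermediate CA sits in between; keep it as low as the hierarchy needs.
  SSLVerifyDepth 1

  # Export SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY and friends into the request
  # environment (off by default for performance).
  SSLOptions +StdEnvVars

  # mod_proxy does not forward environment variables to the backend, so
  # copy the verified DN into a header (assumed name). "set" overwrites
  # any X-SSL-Client-DN header a client may have sent itself.
  RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}e"

  ProxyPass        / http://myserver:8080/
  ProxyPassReverse / http://myserver:8080/
</VirtualHost>
```

Tomcat must accept X-SSL-Client-DN only from this Apache instance (for example by binding port 8080 to localhost or firewalling it), because a request that reaches Tomcat by any other path can carry an arbitrary value in that header.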