Subject: Re: [users@httpd] apache client authentication problem (somewhat long)
From: "Serge Dubrouski"
To: users@httpd.apache.org
Date: Tue, 28 Nov 2006 13:03:00 -0700
Message-ID: <868cbbaa0611281203p7dd6261bhec9c317dd0883df2@mail.gmail.com>
In-Reply-To: <456C902E.3060205@aa.usno.navy.mil>
References: <456C902E.3060205@aa.usno.navy.mil>

Your client submits a certificate signed by a CA whose certificate you
don't have in your SSLCACertificatePath. Actually it looks like you
configured it incorrectly. You have:

SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt

You should use just one of those options. If you use
SSLCACertificateFile, your file (stacked PEM) should have certificates
for all CAs that issue certificates for your clients. If you use
SSLCACertificatePath, place all certs into that directory and create
links as described here:
http://www.redhat.com/docs/manuals/stronghold/Stronghold-4.0-Manual/SH4_HTML/authenc.html

On 11/28/06, Bill Tangren wrote:
> I posted this on the Redhat Enterprise Linux 4 (Nahant) list, but I
> didn't get sufficient help to solve my problem, so I'm trying here. I
> apologize in advance if any of you have seen this before.
>
> I am having a problem with client authentication with apache and
> openssl. I have been ordered to get this working, or I will have to be
> shut down. I think this is a complex problem (because my web site is
> somewhat complex, at least for me) but I will try to simplify it as
> much as possible.
>
> I am trying to set up a test directory that requires client
> authentication, while the parent directory (which is used for web
> email) does not. I also have non-encrypted web sites, and that may be
> what is bollixing up this process, I don't know.
>
> When I use Internet Explorer to access this test directory, I am
> successfully presented with the certificate, and required to provide
> my client certificate. After I do so, however, I get a
>
> "The page cannot be displayed. The page is currently unavailable..."
>
> Nothing shows up in /var/log/httpd/ssl_error_log, or in
> /var/log/httpd/ssl_access_log. However,
> /var/log/httpd/webmail_error_log shows this:
>
> [Wed Nov 22 11:00:56 2006] [error] Certificate Verification: Error (20): unable
> to get local issuer certificate
> [Wed Nov 22 11:00:56 2006] [error] Re-negotiation handshake failed: Not accepted
> by client!?
>
> /var/log/httpd/webmail_access_log indicates an apache 103 error:
>
> schwarzschild.usno.navy.mil - - [22/Nov/2006:11:00:55 -0500] "GET /pkitest/
> HTTP/1.0" 103 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
> .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)"
>
> I've never heard of a 103 error. The apache error codes seem to start
> in the 200's (http://bignosebird.com/apache/a5.shtml).
>
> Googling comes up with this:
>
>
>
> which indicated a number of things, which I tried without success.
>
> Googling on the renegotiation handshake error yielded quite a bit on
> use of KeepAlive, but I don't use it, and turning it on didn't help.
>
> There are other, simpler, web sites here at work that only have this
> client authentication, and they were able to implement it without
> trouble. They are, however, on a fedora core 5 system running apache
> 2.2.x.
>
> I run httpd-2.0.52-28 and openssl-0.9.7a-43.14 on a RHEL ES 4 system.
> My *httpd.conf* contains (in part)
>
> ServerAdmin bjt@aa.usno.navy.mil
> ServerName aa.usno.navy.mil
> ErrorLog /var/log/httpd/webmail_error_log
> CustomLog /var/log/httpd/webmail_access_log combined
> TransferLog /var/log/httpd/access_log
> SSLEngine on
> SSLCertificateFile /etc/httpd/conf/ssl.crt/AA_PKI.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLVerifyClient none
>
> SSLOptions +StdEnvVars
>
> ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
>
> SSLOptions +StdEnvVars
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
>
> Options Indexes FollowSymLinks MultiViews Includes
> AllowOverride None
> Order allow,deny
> Allow from all
> SSLRequireSSL
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog /etc/httpd/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x \
> %{SSL_CIPHER}x \"%r\" %b"
>
> DocumentRoot /var/www/html
>
> Options -Indexes FollowSymLinks MultiViews Includes
> AllowOverride None
> Order allow,deny
> Allow from all
>
> Alias /webmail /usr/share/squirrelmail
>
> My *ssl.conf* contains
>
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom 256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> ServerName aa.usno.navy.mil:443
> ServerAdmin bjt@aa.usno.navy.mil
> RewriteEngine on
> RewriteRule ^https://aa/$ https://aa.usno.navy.mil/
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/httpd/conf/ssl.crt/AA_PKI.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/AA_PKI.key
> SSLCACertificateFile /etc/httpd/conf/ssl.crt/root.crt
> SSLCACertificatePath /etc/httpd/conf/ssl.crt
> SSLVerifyClient optional
> SSLVerifyDepth 10
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> Can anyone help?
>
> TIA,
>
> Bill Tangren
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
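The two CA-store layouts Serge describes (one stacked PEM for SSLCACertificateFile, a directory of hash-named links for SSLCACertificatePath) and the "Error (20)" in Bill's log, worked through as an added shell example that is not from either poster. It builds a throwaway root -> issuing CA -> client chain with the openssl command line (every name is constructed for the example), then runs `openssl verify` against each kind of store, reproducing error 20 when only the root is present and success once the issuing CA is added.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI
# (root CA -> issuing CA -> client certificate; all names constructed),
# then feeds the CA certificates to "openssl verify" the same two ways
# mod_ssl accepts them: one stacked PEM (SSLCACertificateFile) or a
# directory of hash-named links (SSLCACertificatePath).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_pki() {
    # Self-signed root. "openssl req -x509" marks it CA:TRUE by default.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
    # Issuing (intermediate) CA, signed by the root. It needs CA:TRUE or
    # chain building will refuse to use it as an issuer.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1
    # Client certificate, issued by the intermediate: the cert a browser
    # would present during the renegotiation handshake.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bill" \
        -keyout client.key -out client.csr >/dev/null 2>&1
    openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -out client.crt >/dev/null 2>&1
}

# SSLCACertificateFile form: every CA that issues client certs, stacked
# into one PEM file. Prints the file name.
build_ca_bundle() {
    cat root.crt inter.crt >ca-bundle.crt
    echo ca-bundle.crt
}

# SSLCACertificatePath form: OpenSSL finds an issuer by opening
# <subject_hash>.N in the directory, so each certificate copied there
# needs such a link (c_rehash / "openssl rehash" automate this).
# $1 = directory, remaining args = certificates to add.
build_ca_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for crt in "$@"; do
        cp "$crt" "$dir/"
        h=$(openssl x509 -in "$crt" -noout -hash)
        ln -sf "$(basename "$crt")" "$dir/$h.0"
    done
}

# verify_client file <bundle>  |  verify_client dir <directory>
# Prints "ok" or "error <n>"; n is the OpenSSL verify error code, the
# same number mod_ssl logs as "Certificate Verification: Error (n)".
verify_client() {
    if [ "$1" = file ]; then
        out=$(openssl verify -no-CApath -CAfile "$2" client.crt 2>&1) || true
    else
        out=$(openssl verify -no-CAfile -CApath "$2" client.crt 2>&1) || true
    fi
    case $out in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
    esac
}

make_pki
echo "bundle file (root + issuing CA): $(verify_client file "$(build_ca_bundle)")"
build_ca_dir ca-root-only root.crt
echo "hashed dir, root only:           $(verify_client dir ca-root-only)"
build_ca_dir ca-complete root.crt inter.crt
echo "hashed dir, root + issuing CA:   $(verify_client dir ca-complete)"
```

The root-only directory is the situation in Bill's log: the client certificate chains to an issuing CA that the server's store cannot find, so OpenSSL stops at depth 0 with error 20 and mod_ssl rejects the handshake. Whichever form is used (mod_ssl hands both directives to the same OpenSSL lookup, so they can even be combined), the requirement is that the store contain every CA between the client certificate and a trusted root. Two caveats for the directory form: the hash that names the links changed in OpenSSL 1.0.0 (`openssl x509 -subject_hash_old` prints the form that 0.9.x, the version in the thread, expects, and c_rehash in 1.0 and later creates both), and a directory of certificates without the links is silently ignored, which is why Bill's `SSLCACertificatePath /etc/httpd/conf/ssl.crt` did nothing useful.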