httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Serge Dubrouski" <serge...@gmail.com>
Subject Re: [users@httpd] Client certificate - handshake failed
Date Tue, 08 Apr 2008 20:53:10 GMT
On Tue, Apr 8, 2008 at 2:40 PM, Christopher Ljungblad
<christopher.ljungblad@gmail.com> wrote:
> Thanks for quick reply Serge,
>
> I'm still a bit confused and can not really address the problem, so
>
> I also checked the ssl access_log where I got these 2 messages:
>
> 192.168.0.254 - - [08/Apr/2008:22:27:59 +0200] "POST
> /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1"
> 403 -
>
> 192.168.0.254 - - [08/Apr/2008:22:28:00 +0200] "POST
> /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1"
> 500 3012
>
> And in my java code where I usually (using Tomcat and a keystore) can fetch
> the certificates I got a null-pointer exception (certs is now null)
>
> X509Certificate[] certs =
> (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
>
> How do I know that the Apache httpd correctly gets the certificates?

You shall be able to pick the up in your application.
> How do I fetch the certficate in my java application (Tomcat)?

Use mod_jk with appropriate configuration. Something like this:

JkWorkersFile      /opt/web/tomcat/conf/jk/workers.properties
JkLogFile          /opt/web/logs/http/mod_jk.log
JkLogLevel         info
JkLogStampFormat   "[%a %b %d %H:%M:%S %Y] "
JkOptions          +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"

# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificated (default is SSL_CLIENT_C
ERT)
JkCERTSIndicator SSL_CLIENT_CERT


So far this is the only method that worked for me. Sorry, I'm not a
Java developer and can't give you info on how to retrieve client certs
in Java.
>  Any other suggestions what is going wrong are highly appreciated.

Check this https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
for more details on this problem.

>
> Cheers
> Chris
>
>
>
>
>
> On Tue, Apr 8, 2008 at 9:54 PM, Serge Dubrouski <sergeyfd@gmail.com> wrote:
>
> >
> >
> >
> > Just ignore them, they are generated when client switches between
> > locations with different SSLVerifyClient options set.
> >
> >
> >
> >
> > On Tue, Apr 8, 2008 at 1:51 PM, Christopher Ljungblad
> > <christopher.ljungblad@gmail.com> wrote:
> > > Hi,
> > > We are using Apache httpd 2.2.3 on Red hat linux and have a problem with
> our
> > > client certificates.
> > >
> > > In the ssl.conf file we have a configured a Virtual Host that listens to
> > > port 444 that requires the client to verify a certificate.
> > >
> > > <VirtualHost *:444>
> > > <Location /servlets/*>
> > >         SSLVerifyClient require
> > >         SSLVerifyDepth 1
> > >         SSLCACertificateFile /etc/pki/tls/certs/xxxxx_users.cer
> > > </Location>
> > >
> > > This works out fine, the client certificate can be choosen in the
> browser
> > > and I can fill in the password and click "ok".
> > >  But the certificate is not validated correctly and the ssl_error log
> says:
> > >
> > > [Tue Apr 08 15:25:23 2008] [error] Re-negotiation handshake failed: Not
> > > accepted by client!?
> > >
> > > What am I missing? I got this working in Tomcat using the exact same
> > > certificate. Is there a way to keep the client certificate
> > >  handling in Tomcat.
> > >
> > > Regards
> > > /Christopher
> > >
> > >
> >
> >
> >
> > --
> > Serge Dubrouski.
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
>
>



-- 
Serge Dubrouski.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message