httpd-users mailing list archives

From "Berube, Steve (HP Software)" <steve.ber...@hp.com>
Subject RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Date Thu, 29 Oct 2009 15:12:18 GMT
Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace,
but my expertise in analyzing that is lacking.


-----Original Message-----
From: Berube, Steve (HP Software) 
Sent: Tuesday, October 27, 2009 10:31 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Ok quick update, I did that test and unfortunately no change in behavior. I can't access /
now (as expected) but still no prompt for certificate. Other systems that work continue to
work. Firefox no issue, one windows 7 IE system, no issue.

I am installing wireshark now.


-----Original Message-----
From: Berube, Steve (HP Software) 
Sent: Tuesday, October 27, 2009 10:28 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual
host directive?

e.g.
<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10

<Location />
	SSLOptions +StdEnvVars
</Location>

</VirtualHost>

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Tuesday, October 27, 2009 10:26 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software)
<steve.berube@hp.com> wrote:
> My test originally was this
> <Location />
>     SSLVerifyClient require
>
>     SSLVerifyDepth 10
>
>     SSLOptions +StdEnvVars
> </location>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.

Putting it in <Location /> is still the more complicated case of:

handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*

SSLVerifyClient is accepted in <VirtualHost> context, which should
cause the initial handshake to ask for a client cert.

>
>
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, October 27, 2009 10:17 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
>
> On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
> <steve.berube@hp.com> wrote:
>> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
>>
>>     SSLVerifyClient require
>>
>>     SSLVerifyDepth 10
>>
>>     SSLOptions +StdEnvVars
>>
>> </Directory>
>
>
> Can you simplify your testing by setting this outside of per-directory
> config?  Have you used wireshark to see if Apache is sending the
> proper list of trusted certificates that line up with whoever signed
> your certs in your HW device?
>
> Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
> or  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
> might help?
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Eric Covener
covener@gmail.com
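
Added example, not part of the thread: a shell check for the question raised above of whether the server's initial handshake advertises the CA that issued the smart card certificate, done by parsing `openssl s_client` output instead of reading a packet capture. The sample outputs, the DNs and the function names `ca_names` and `check_issuer` are constructed for illustration.

```sh
#!/bin/sh
# Added example. Live capture (HOST is a placeholder):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null
# The samples below are constructed, not captured from the poster's server.

# Constructed: SSLVerifyClient at <VirtualHost> level, CA list is sent.
SAMPLE_VHOST='---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Smart Card Issuing CA
/C=US/O=Example Corp/CN=Example Root CA
---
SSL handshake has read 2310 bytes and written 322 bytes'

# Constructed: SSLVerifyClient only in <Location>/<Directory>; the first
# handshake carries no CertificateRequest, so no CA names appear.
SAMPLE_PERDIR='---
No client certificate CA names sent
---
SSL handshake has read 1684 bytes and written 322 bytes'

# Print the DNs listed under "Acceptable client certificate CA names".
ca_names() {
  awk '
    /^Acceptable client certificate CA names/ { grab = 1; next }
    grab && /^(---|Client Certificate Types:|Requested Signature Algorithms:)/ { grab = 0 }
    grab { print }'
}

# $1 = s_client output, $2 = issuer DN of the client cert, written in the
# same DN format this openssl build prints.
check_issuer() {
  names=$(printf '%s\n' "$1" | ca_names)
  if [ -z "$names" ]; then
    echo "no-ca-names"        # no request in first handshake, or empty list
  elif printf '%s\n' "$names" | grep -Fxq -- "$2"; then
    echo "issuer-offered"
  else
    echo "issuer-missing"     # client may filter out the card's certificate
  fi
}

check_issuer "$SAMPLE_VHOST" '/C=US/O=Example Corp/CN=Example Smart Card Issuing CA'
check_issuer "$SAMPLE_VHOST" '/C=US/O=Other Org/CN=Other CA'
check_issuer "$SAMPLE_PERDIR" '/C=US/O=Example Corp/CN=Example Smart Card Issuing CA'
```

A result of `no-ca-names` against a virtual host that only sets SSLVerifyClient per directory is expected, because the certificate request is deferred to the renegotiation; `issuer-missing` points at the CA files the server loads for client verification.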
