httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Berube, Steve (HP Software)" <steve.ber...@hp.com>
Subject RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Date Fri, 30 Oct 2009 17:17:52 GMT
Hi all;
I was able to resolve this.
The issue apparently was in the CAstore on the apache server. I'm not sure if there was a
corrupt entry in there, or a duplicate. But something was causing the issue. I created a fresh
CA store with one cert, the one matching the root of the client cert and all worked!


-----Original Message-----
From: Berube, Steve (HP Software) 
Sent: Tuesday, October 27, 2009 7:27 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication
issue.

Hi there, thank you for the reply. Yes I have that in there. In fact apache 2.2 ships with
that by default. 
Here is mine directly from httpd-ssl.conf

I pasted a good portion of the file so you can see its context.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +OptRenegotiate
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                  

-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@raad.tartu.ee] 
Sent: Tuesday, October 27, 2009 1:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication
issue.

Berube, Steve (HP Software) wrote:

> Now, here is where gets interesting. What should happen is the client 
> should prompt for a client certificate from the smart card reader and 
> ask the user for their pin.
> 
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as 
> the Security Device for ActivClient is installed. Works great!
> 
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
> 
> All the other systems (tested 10) running IE will not work. 

This may be a SSL handshake issue. Do you have something like this in your 
SSL virtualhost:

BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

If not, try adding it.

It seems to me that something in this area was changed recently in Apache, 
because after upgrading from 2.2.9 to 2.2.13 I had to add similar 
directive even for Firefox, which worked fine before.

--
Toomas Aas

... The truth is out there. Does anyone know the URL?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message