Return-Path: 
 <users-return-96850-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 36274 invoked from network); 9 Sep 2010 08:10:44 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 9 Sep 2010 08:10:44 -0000
Received: (qmail 15767 invoked by uid 500); 9 Sep 2010 08:10:42 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 15460 invoked by uid 500); 9 Sep 2010 08:10:38 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 15452 invoked by uid 99); 9 Sep 2010 08:10:37 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 09 Sep 2010 08:10:37 +0000
X-ASF-Spam-Status: No, hits=0.7 required=10.0
	tests=RCVD_IN_DNSWL_NONE,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [209.85.216.45] (HELO mail-qw0-f45.google.com) (209.85.216.45)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 09 Sep 2010 08:10:29 +0000
Received: by qwh5 with SMTP id 5so220520qwh.18
        for <users@httpd.apache.org>; Thu, 09 Sep 2010 01:10:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.47.66 with SMTP id m2mr188515qaf.392.1284019807541; Thu,
 09 Sep 2010 01:10:07 -0700 (PDT)
Received: by 10.229.98.16 with HTTP; Thu, 9 Sep 2010 01:10:07 -0700 (PDT)
X-Originating-IP: [188.28.119.49]
Date: Thu, 9 Sep 2010 09:10:07 +0100
Message-ID: <AANLkTikVzND6QO+gyHAMYHoeBLnzX6uYcz9WgsYM5D6K@mail.gmail.com>
From: Mark Wadham <mark@wadham.me>
To: users@httpd.apache.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [users@httpd] Client-side SSL certificate authentication

Hello,

I'm slowly going insane trying to get clientside SSL auth to work with
Apache 2.2.  I think it's mostly related to the recent openssl bug
which caused ssl renegotiation to be completely disabled.  Initial
configuration steps were:

1. Created ca crt/key pair
2. Created apache key/crt pair
3. Signed apache key/crt pair with the new ca
4. Created client crt/key pair
5. Signed client cert with ca
6. Exported client crt/key pair to .p12 format\
7. Installed client crt/key pair .p12 bundle into the browser

My vhost looks like this (slightly redacted for privacy reasons):

---------------------

<VirtualHost 127.0.0.1:443>
  CustomLog /var/log/apache2/CLIENT.mark-alogs combined
  ErrorLog /var/log/apache2/CLIENT.mark-elogs

  SSLEngine on
  SSLCertificateFile /etc/ssl/private/apache.crt
  SSLCertificateKeyFile /etc/ssl/private/apache.key

  DocumentRoot "/var/www/CLIENT/htdocs"
  ServerName mark
  DirectoryIndex     index.php

  SSLCACertificateFile /etc/ssl/private/ca.crt
  SSLOptions +FakeBasicAuth +ExportCertData

  RewriteEngine On

  # rewrite rules and aliases redacted

  <IfModule authn_dbd_module>
    DBDriver pgsql
    DBDParams "dbname=CLIENT user=mark"
    DBDPersist Off
    DBDMin  0
    DBDKeep 1
    DBDMax 1
    DBDExptime 5
  </IfModule>

  <Directory /var/www/CLIENT">
    SSLRequireSSL
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType Basic
    AuthName "mark"
    AuthBasicProvider dbd

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery \
    "SELECT password FROM user WHERE username = %s"
  </Directory>
</VirtualHost>

-----------------------

This works in the sense that it forces the browser to select a
certificate when connecting, however the auth fails and in the logs I
get:

[Thu Sep 09 08:45:41 2010] [info] Initial (No.1) HTTPS request
received for child 1 (server mark:443)
[Thu Sep 09 08:45:41 2010] [info] Requesting connection re-negotiation
[Thu Sep 09 08:45:41 2010] [info] Awaiting re-negotiation handshake
[Thu Sep 09 08:45:41 2010] [error] Re-negotiation handshake failed:
Not accepted by client!?

which suggests to me that it's broken because renegotiation isn't
allowed, and the SSLVerifyClient directive in the Directory context
makes it think it needs to renegotiate because the Directory context
is different from the VirtualHost context.  If I move SSLVerifyClient
into the VirtualHost context the error goes away, but no client ssl
authentication is done at all.  If I put it in both contexts, the same
errors occurs, so it's trying to renegotiate even though both contexts
have the same directive.

I've spent hours crawling forums and google trying to figure this out
and I'm baffled, did the disabling of renegotiation basically prevent
client-side ssl auth from working or is there a way round this?  I'm
confused as to why SSLVerifyClient does nothing when used in the
VirtualHost context, could it be that I have something elsewhere in
the apache general config that disables it when used in this context?

Any help and advice would be much appreciated.

Thanks,
Mark

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org