httpd-users mailing list archives

From J-H Johansen <ondeman...@gmail.com>
Subject Re: [users@httpd] Mutual Authentication issue in 2.2.17 openssl 1.0.0d
Date Thu, 18 Aug 2011 11:04:36 GMT
On Sun, Aug 14, 2011 at 11:42 AM, paddy carroll <paddy.carroll@mac.com> wrote:

> Hi,
>
> I have spent too long staring at my crypto material and apache logs. I'm
> stuck.
> I have checked and also had a colleague check my crypto trust chain,
> certificates and keys more than once.
> I have a reverse proxy setup
>
> client --> firewall --> reverse proxy --> tomcat
>
> firewall presents all requests to reverse proxy as coming from the same
> address, but on different ports
> The server appears to be rejecting client negotiations after the discovery
> of our self signed root certificate, we have two certificates in the chain,
> a RootCA and a subca
> when I emulate the connection using openssl as a server on a different port
> it succeeds
>
> CLIENT FAILURE
>
> from client
> ++++++++++++++++++++++++
> $ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt  -cert
> test.pem  -verify 3  -ssl3
> verify depth is 3
> CONNECTED(00000003)
> depth=2 /CN=TEST-Msad-Root-CA
> verify return:1
> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> verify return:1
> depth=0 /CN=lltpdxc001
> verify return:1
> 70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1102:SSL alert number 42
> 70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:539:
> ++++++++++++++++++++++++
> Server says
> ++++++++++++++++++++++++
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client
> 172.22.10.5] Certificate Verification: depth: 2, subject:
> /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
> Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate
> Verification: Error (19): self signed certificate in certificate chain
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL:
> Write: SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
> error in SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
> error in SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1
> in handshake (server lltpdxc001:443)
> Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to
> child 6 with abortive shutdown (server lltpdxc001:443)
> +++++++++++++++++++++++++
> relevant server config from server-info
> +++++++++++++++++++++++++
>    In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>       1: <VirtualHost _default_:443>
>       2:   SSLEngine on
>       3:   SSLProxyEngine on
>    In file: /data/httpd/conf/extra/httpd-ssl.conf
>       1:   SSLProtocol -all +SSLv3 +TLSv1
>       2:   SSLProxyCipherSuite
> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>       3:   SSLCipherSuite
> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>       4:   SSLCertificateFile /data/httpd/conf/server.crt
>       5:   SSLCertificateKeyFile /data/httpd/conf/server.key
>       6:   SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
>       7:   SSLCACertificatePath /data/httpd/conf/ssl.crt/
>      10:   SSLProxyVerify require
>      11:   SSLVerifyClient require
>      12:   SSLVerifyDepth 2
>      13:   SSLProxyVerifyDepth 2
>      14:   SSLCADNRequestPath /data/httpd/conf/ssl.crt/
>    In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>       8:   <Location /EMDBEndpointWSInterface/>
>       9:     SSLRequireSSL
>        :   </Location>
>        : </VirtualHost>
> +++++++++++++++++++++++++++++++++
>
>
Add the -showcerts parameter to the openssl command and verify each and
every certificate you're using.
If you still can't find the problem try asking the same question on the openssl
mailing list (http://www.openssl.org/support/community.html).


> EMULATED CLIENT SUCCESS
>
> +++++++++++++++++++++++++++++++++++++++++
> from the server
> +++++++++++++++++++++++++++++++++++++++++
> [root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020
> -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
> verify depth is 2, must return a certificate
> Using default temp DH parameters
> ACCEPT
> +++++++++++++++++++++++++++++++++++++++++
> from the client
> +++++++++++++++++++++++++++++++++++++++++
>
> $ openssl s_client -connect lltpdxc001:40020  -CApath test-ssl.crt  -cert
> /home/carrollpg/test.pem
> CONNECTED(00000003)
> depth=2 /CN=TEST-Msad-Root-CA
> verify return:1
> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> verify return:1
> depth=0 /CN=lltpdxc001
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=lltpdxc001
>   i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>  1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>   i:/CN=TEST-Msad-Root-CA
>  2 s:/CN=TEST-Msad-Root-CA
>   i:/CN=TEST-Msad-Root-CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
> .............
> 9jo=
> -----END CERTIFICATE-----
> subject=/CN=lltpdxc001
> issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4429 bytes and written 4449 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : TLSv1
>    Cipher    : DHE-RSA-AES256-SHA
>    Session-ID:
> BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
>    Session-ID-ctx:
>    Master-Key:
> DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
>    Key-Arg   : None
>    Start Time: 1313313462
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
> ++++++++++++++++++++++++++++++++++++++++++
>
> Help!
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and
those who don't...
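The check the reply asks for, carried out offline as an added example (constructed demo code, not from anyone in this thread): it builds a throwaway root -> sub CA -> client chain with made-up names, then verifies the client certificate against a CA directory the way mod_ssl's SSLCACertificatePath does, through OpenSSL's hash-directory lookup. A certificate dropped into that directory as a bare file is never found; when the peer's chain also carries the self-signed root, verification then fails with error 19 at depth 2, the same code as in the quoted server log. Installing the root under its `<subject_hash>.0` name makes the identical verification pass. Whether that is the cause in the original setup is not something this demo can tell; it only shows what error 19 means and how the lookup works. One related caveat: OpenSSL 1.0.0 changed the subject-hash algorithm, so a directory hashed under 0.9.8 has to be rehashed (c_rehash, or `-subject_hash` as below) before a 1.0.0 build will find its certificates.

```shell
#!/bin/sh
# Constructed demo (not from the thread): three-tier chain, verified against an
# unhashed and a hashed CA directory. Requires the openssl command-line tool.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: CA certificates need basicConstraints CA:TRUE, the leaf is a
# client-auth certificate. Placed in the unnamed section so -extfile picks them up.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# Throwaway key plus CSR for NAME with SUBJECT (demo names, not real CAs).
gen_key_csr() {  # name subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

gen_key_csr root   "/CN=DEMO-Root-CA"
gen_key_csr sub    "/CN=DEMO-Sub-CA"
gen_key_csr client "/CN=demo-client"

# Root CA: self-signed.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# Sub CA: issued by the root.
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
# Client certificate: issued by the sub CA.
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" 2>/dev/null

# Install CERT into CAPATH the way the hash-directory lookup expects it:
# a file (or symlink) named <subject_hash>.0. Bare file names are never consulted.
install_ca() {  # capath cert
    h=$(openssl x509 -noout -subject_hash -in "$2")
    cp "$2" "$1/$h.0"
}

# Verify CLIENT against CAPATH, presenting CHAIN as the untrusted certificates the
# peer sends along with its own. Prints "OK" or a condensed "error N at D depth".
verify_client() {  # capath chain client
    if out=$(openssl verify -CApath "$1" -untrusted "$2" "$3" 2>&1); then
        echo "OK"
    else
        echo "$out" | sed -n 's/^\(error [0-9]* at [0-9]* depth\).*/\1/p' | head -n 1
    fi
}

UNHASHED="$WORK/ca-unhashed"
HASHED="$WORK/ca-hashed"
mkdir -p "$UNHASHED" "$HASHED"
cp "$WORK/root.pem" "$UNHASHED/root.pem"       # present, but not findable by hash
install_ca "$HASHED" "$WORK/root.pem"          # findable as <hash>.0

# The chain a client typically sends: its issuer plus the self-signed root.
cat "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"

demo_unhashed() { verify_client "$UNHASHED" "$WORK/chain.pem" "$WORK/client.pem"; }
demo_hashed()   { verify_client "$HASHED"   "$WORK/chain.pem" "$WORK/client.pem"; }

echo "unhashed CApath: $(demo_unhashed)"   # error 19 at 2 depth
echo "hashed CApath:   $(demo_hashed)"     # OK
```

Error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) is reported at the depth of the self-signed certificate the peer sent, which is why the quoted log shows it at depth 2 right after printing the root's subject; had the root not been in the chain, OpenSSL would report error 20 (unable to get local issuer certificate) one depth lower instead.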
