httpd-users mailing list archives

From J-H Johansen <ondeman...@gmail.com>
Subject Re: [users@httpd] Mutual Authentication issue in 2.2.17 openssl 1.0.0d
Date Sat, 20 Aug 2011 22:36:17 GMT
On Thu, Aug 18, 2011 at 5:44 PM, paddy carroll <paddy.carroll@mac.com> wrote:

> I don't accept it is an openssl issue.
> I have already verified that the client connection from openssl to the
> apache server is reporting the correct certificates, and likewise that the
> server is returning a correct unexpired certificate and CA chain to the
> client.
> It is not an openssl issue, as openssl works when used at both ends; it is an
> apache server issue that causes it to reject the client connection with:
> SSLv3
> server:
>
> [client 172.22.10.5] Certificate Verification: Error (19): self signed
> certificate in certificate chain
>
> client:
> SSL 3
> 11820:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1102:SSL alert number 42
> 11820:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:539:
>
> TLS1
> 9124:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
> ca:s3_pkt.c:1102:SSL alert number 48
> 9124:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:539:
>
>
I've had some issues running Apache with SSLProxyEngine as well and was made
aware of a bug in mod_ssl where it fails to use the correct (or any) client
certificate for communicating with the server you're proxying to.

Take a look at this bugzilla bug report and see if it fits your problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

I was using Apache 2.2.17 at the time as a reverse proxy communicating with a
client certificate to the server at the other end. I had to make a few
modifications to the mod_ssl code, but after recompilation it worked as
intended (at least from my point of view).


> On 18 Aug 2011, at 12:04, J-H Johansen wrote:
>
> On Sun, Aug 14, 2011 at 11:42 AM, paddy carroll <paddy.carroll@mac.com> wrote:
>
>> Hi,
>>
>> I have spent too long staring at my crypto material and apache logs. I'm
>> stuck.
>> I have checked and also had a colleague check my crypto trust chain,
>> certificates and keys more than once.
>> I have a reverse proxy setup
>>
>> client --> firewall --> reverse proxy --> tomcat
>>
>> firewall presents all requests to reverse proxy as coming from the same
>> address, but on different ports
>> The server appears to be rejecting client negotiations after the discovery
>> of our self-signed root certificate; we have two certificates in the chain,
>> a RootCA and a SubCA.
>> when I emulate the connection using openssl as a server on a different
>> port it succeeds
>>
>> CLIENT FAILURE
>>
>> from client
>> ++++++++++++++++++++++++
>> $ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt  -cert
>> test.pem  -verify 3  -ssl3
>> verify depth is 3
>> CONNECTED(00000003)
>> depth=2 /CN=TEST-Msad-Root-CA
>> verify return:1
>> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> verify return:1
>> depth=0 /CN=lltpdxc001
>> verify return:1
>> 70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>> certificate:s3_pkt.c:1102:SSL alert number 42
>> 70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>> failure:s3_pkt.c:539:
>> ++++++++++++++++++++++++
>> Server says
>> ++++++++++++++++++++++++
>> [Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
>> [Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
>> [Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
>> [Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
>> [Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
>> [Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in handshake (server lltpdxc001:443)
>> [Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> [Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to child 6 with abortive shutdown (server lltpdxc001:443)
>> +++++++++++++++++++++++++
>> relevant server config from server-info
>> +++++++++++++++++++++++++
>>    In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>>       1: <VirtualHost _default_:443>
>>       2:   SSLEngine on
>>       3:   SSLProxyEngine on
>>    In file: /data/httpd/conf/extra/httpd-ssl.conf
>>       1:   SSLProtocol -all +SSLv3 +TLSv1
>>       2:   SSLProxyCipherSuite
>> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>>       3:   SSLCipherSuite
>> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>>       4:   SSLCertificateFile /data/httpd/conf/server.crt
>>       5:   SSLCertificateKeyFile /data/httpd/conf/server.key
>>       6:   SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
>>       7:   SSLCACertificatePath /data/httpd/conf/ssl.crt/
>>      10:   SSLProxyVerify require
>>      11:   SSLVerifyClient require
>>      12:   SSLVerifyDepth 2
>>      13:   SSLProxyVerifyDepth 2
>>      14:   SSLCADNRequestPath /data/httpd/conf/ssl.crt/
>>    In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>>       8:   <Location /EMDBEndpointWSInterface/>
>>       9:     SSLRequireSSL
>>        :   </Location>
>>        : </VirtualHost>
>> +++++++++++++++++++++++++++++++++
>>
>>
> Add the -showcerts parameter to the openssl command and verify each and
> every certificate you're using.
> If you still can't find the problem try asking the same question on the openssl
> mailing list (http://www.openssl.org/support/community.html).
>
>
>> EMULATED CLIENT SUCCESS
>>
>> +++++++++++++++++++++++++++++++++++++++++
>> from the server
>> +++++++++++++++++++++++++++++++++++++++++
>> [root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020
>> -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
>> verify depth is 2, must return a certificate
>> Using default temp DH parameters
>> ACCEPT
>> +++++++++++++++++++++++++++++++++++++++++
>> from the client
>> +++++++++++++++++++++++++++++++++++++++++
>>
>> $ openssl s_client -connect lltpdxc001:40020  -CApath test-ssl.crt  -cert
>> /home/carrollpg/test.pem
>> CONNECTED(00000003)
>> depth=2 /CN=TEST-Msad-Root-CA
>> verify return:1
>> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> verify return:1
>> depth=0 /CN=lltpdxc001
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/CN=lltpdxc001
>>   i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>>  1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>>   i:/CN=TEST-Msad-Root-CA
>>  2 s:/CN=TEST-Msad-Root-CA
>>   i:/CN=TEST-Msad-Root-CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
>> .............
>> 9jo=
>> -----END CERTIFICATE-----
>> subject=/CN=lltpdxc001
>> issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 4429 bytes and written 4449 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>    Protocol  : TLSv1
>>    Cipher    : DHE-RSA-AES256-SHA
>>    Session-ID:
>> BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
>>    Session-ID-ctx:
>>    Master-Key:
>> DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
>>    Key-Arg   : None
>>    Start Time: 1313313462
>>    Timeout   : 300 (sec)
>>    Verify return code: 0 (ok)
>> ++++++++++++++++++++++++++++++++++++++++++
>>
>> Help!
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
> --
> Jens-Harald Johansen
> --
> There are 10 kinds of people in the world: Those who understand binary and
> those who don't...
>
>
> paddy carroll
> paddy.carroll@mac.com


-- 
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and
those who don't...
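One way to see what mod_ssl's "Certificate Verification: Error (19)" in the thread actually means, as an added example that is not part of the thread and not httpd's or OpenSSL's own code: a POSIX shell script that builds a throwaway Root -> Sub -> client chain using the subject names from the thread, verifies the client certificate against an empty trust directory the way `SSLVerifyClient require` with `SSLCACertificatePath` does (error 19: the chain the client sent ends in a self-signed root that is not in the server's trust store), then installs the root under its subject-hash file name and verifies again. The helper names (`issue`, `verify_chain`, `install_trusted`), the client subject and the generated keys are assumptions of the example; only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce mod_ssl's
# "Certificate Verification: Error (19): self signed certificate in certificate chain"
# with a throwaway Root -> Sub -> client chain, then show the fix: install the
# self-signed root into the hashed directory that SSLCACertificatePath /
# SSLProxyCACertificatePath (openssl verify -CApath) look in.
# Subject names mirror the thread's chain; keys and certificates are generated
# here and are throwaway (assumed values, not the thread's material).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for CA and end-entity certificates.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT PROFILE [ISSUER]: key + CSR, then a certificate signed by
# ISSUER, or self-signed when no issuer is given (the root).
issue() {
    name=$1; subject=$2; profile=$3; issuer=$4
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -batch -key "$WORK/$name.key" -subj "$subject" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions "$profile" \
            -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions "$profile" \
            -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# verify_chain CAPATH: verify client.crt with CAPATH as the trust store and
# the certificates the client sent alongside its own (sub + root) as untrusted
# input, which is what mod_ssl hands to OpenSSL for SSLVerifyClient require.
# Prints "ok" or "error N" (N is the X509_V_ERR_* code mod_ssl logs).
verify_chain() {
    out=$(openssl verify -CApath "$1" -untrusted "$WORK/sent.pem" "$WORK/client.crt" 2>&1) || true
    case $out in
        *": OK"*) echo ok ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/error \1/p' | head -n 1 ;;
    esac
}

# install_trusted CAPATH CERT: copy CERT into CAPATH under the <subject-hash>.N
# name that SSLCACertificatePath / -CApath lookups use; a plain copy without
# that name is never found. The hash is computed by the same openssl binary
# that verifies here; OpenSSL 1.0.0 changed the hash algorithm, so an httpd
# linked against an older library looks for the name printed by -subject_hash_old.
install_trusted() {
    h=$(openssl x509 -noout -subject_hash -in "$2")
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
    cp "$2" "$1/$h.$n"
}

demo() {
    issue root   "/CN=TEST-Msad-Root-CA" ca
    issue sub    "/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA" ca root
    issue client "/CN=test-client" leaf sub
    # What the client sends with its certificate: the intermediate and the root.
    cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/sent.pem"

    mkdir -p "$WORK/capath"
    BEFORE=$(verify_chain "$WORK/capath")      # root not trusted -> error 19
    install_trusted "$WORK/capath" "$WORK/root.crt"
    AFTER=$(verify_chain "$WORK/capath")       # root trusted via hashed name -> ok
    echo "empty CApath: $BEFORE; with hashed root installed: $AFTER"
}

demo
```

The same check applies to the proxy leg of the setup in the thread: `SSLProxyVerify require` consults `SSLProxyCACertificateFile` / `SSLProxyCACertificatePath`, and a hashed directory is only searched through `<subject-hash>.N` file names, so `openssl verify -CApath <dir> -untrusted <chain> <cert>` run with the OpenSSL that httpd is linked against is the quickest way to reproduce what mod_ssl will decide before touching the handshake.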
