httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From paddy carroll <paddy.carr...@mac.com>
Subject [users@httpd] Mutual Authentication issue in 2.2.17 openssl 1.0.0d
Date Sun, 14 Aug 2011 09:42:32 GMT
Hi,

I have spent too long staring at my crypto material and apache logs. I'm stuck. 
I have checked and also had a colleague check my crypto trust chain, certificates and keys
more than once.
I have a reverse proxy setup

client --> firewall --> reverse proxy --> tomcat

firewall presents all requests to reverse proxy as coming from the same address, but on different
ports
The server appears to be rejecting client negotiations after the discovery of our self signed
root certificate, we have two certificates in the chain, a RooCA and a subca
when I emulate the connection using openssl as a server on a different port it succeeds

CLIENT FAILURE

from client
++++++++++++++++++++++++
$ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt  -cert test.pem  -verify 3
 -ssl3
verify depth is 3
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL
alert number 42
70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
++++++++++++++++++++++++
Server says
++++++++++++++++++++++++
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate
Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19):
self signed certificate in certificate chain
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client
certificate B
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3
read client certificate B
Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3
read client certificate B
Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in handshake (server
lltpdxc001:443)
Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to child 6 with abortive
shutdown (server lltpdxc001:443)
+++++++++++++++++++++++++
relevant server config from server-info
+++++++++++++++++++++++++
`   In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
       1: <VirtualHost _default_:443>
       2:   SSLEngine on
       3:   SSLProxyEngine on
    In file: /data/httpd/conf/extra/httpd-ssl.conf
       1:   SSLProtocol -all +SSLv3 +TLSv1
       2:   SSLProxyCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
       3:   SSLCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
       4:   SSLCertificateFile /data/httpd/conf/server.crt
       5:   SSLCertificateKeyFile /data/httpd/conf/server.key
       6:   SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
       7:   SSLCACertificatePath /data/httpd/conf/ssl.crt/
      10:   SSLProxyVerify require
      11:   SSLVerifyClient require
      12:   SSLVerifyDepth 2
      13:   SSLProxyVerifyDepth 2
      14:   SSLCADNRequestPath /data/httpd/conf/ssl.crt/
    In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
       8:   <Location /EMDBEndpointWSInterface/>
       9:     SSLRequireSSL 
        :   </Location>
        : </VirtualHost> 
+++++++++++++++++++++++++++++++++

EMULATED CLIENT SUCCESS

+++++++++++++++++++++++++++++++++++++++++
from the server
+++++++++++++++++++++++++++++++++++++++++
[root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020 -CApath /data/httpd/conf/ssl.crt
-Verify 2 -key server.key
verify depth is 2, must return a certificate
Using default temp DH parameters
ACCEPT
+++++++++++++++++++++++++++++++++++++++++
from the client
+++++++++++++++++++++++++++++++++++++++++

$ openssl s_client -connect lltpdxc001:40020  -CApath test-ssl.crt  -cert /home/carrollpg/test.pem
CONNECTED(00000003)
depth=2 /CN=TEST-Msad-Root-CA
verify return:1
depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
verify return:1
depth=0 /CN=lltpdxc001
verify return:1
---
Certificate chain
 0 s:/CN=lltpdxc001
   i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
 1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
   i:/CN=TEST-Msad-Root-CA
 2 s:/CN=TEST-Msad-Root-CA
   i:/CN=TEST-Msad-Root-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
.............
9jo=
-----END CERTIFICATE-----
subject=/CN=lltpdxc001
issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
---
No client certificate CA names sent
---
SSL handshake has read 4429 bytes and written 4449 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
    Session-ID-ctx:
    Master-Key: DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
    Key-Arg   : None
    Start Time: 1313313462
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
++++++++++++++++++++++++++++++++++++++++++

Help!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message