httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "McGregor, Donald (Don) (CIV)" <mcgr...@nps.edu>
Subject [users@httpd] CAC Card Authentication
Date Fri, 30 May 2014 04:00:39 GMT
I'm attempting to get CAC card authentication working with Apache httpd-2.2.3-85 on Centos
5. CAC cards are the DoD variant of smart cards. The SSL connection is failing (Chrome error:
ERR_SSL_PROTOCOL_ERROR) and I'm having problems diagnosing exactly where the problem is.

The objective is to confirm that the user has in his possession a valid CAC card--at this
point I don't need to extract the contents of the client certificate into environment variables
and do a SSLFakeBasicAuth. If they have a valid CAC card, they should be able to reach the
page.

Subdirectory I want CAC authentication in:

Code:
<Directory /var/www/html/cac>
SSLVerifyDepth 10
SSLVerifyClient require
</Directory>


SSL settings:

Code:
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/httpd/keys/myCertificate.crt
SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key
SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem
SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem
SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem

Non-CAC https works. Client certificate authentication for CAC cards fails.

I've retrieved the CRL list. allDoDCerts.pem is the PEM encoded, concatenated, root and intermediate
certificates for the DoD CAs. I'm testing the client side on windows 8.1. In IE 11 I'm presented
with a list of candidate certificates (showing that the OS and browser are contacting the
smart card, and that the SSLCACertificateFile is doing its job of providing the client with
a list of candidate CAs) and enter a PIN to access the card, suggesting the certificate is
being retrieved from the card. The SSL connection then fails to be established.

I can set up my own CA, add the CA's cert to the SSLCACertificateFile and SSLCAChainFile,
create a certificate from that CA, and that works after I add a PKCS#12 file to Firefox.

What can I do to trouble shoot exactly where this problem resides? Ideally this would be some
magic that allowed me to see the client or the server failing to authenticate a certificate,
so I could see exactly where the problem is.

Mime
View raw message