httpd-users mailing list archives

From "McGregor, Donald (Don) (CIV)" <mcgr...@nps.edu>
Subject [users@httpd] CAC Card Client Certificate Auth and Crypto Suites
Date Mon, 23 Mar 2015 19:22:23 GMT

I’m attempting to get smart cards (DoD CAC) working with apache 2.2 (CentOS 6).

It works on some browsers—Chrome, Safari—but not Firefox 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn’t work on OS X, either. The root cause of the problem seems to be the SSL negotiation.

The SSLProtocol setting is this:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1

I started off allowing TLS 1.1 and 1.2, but this seemed to provoke complaints in the protocol negotiation about downgrade attacks. Apparently the clients tried to downgrade to TLS 1.0 and the server thought there was some sort of attack going on and terminated the negotiation.

The above change got through the initial version negotiation, but then ran aground on this, with info-level debugging on:

[Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes of entropy
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)
[Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] Connection closed to child 2 with abortive shutdown (server localhost.localdomain:443)

The cipher suite is highly (i.e., too) accommodating:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

So:

Anyone seen this before? What should the SSLProtocol and SSLCipherSuite settings be to allow client certificate authentication while maintaining reasonable security? Alternatively, what should the client settings on the browsers be? I have very limited control over the client settings, but it would be nice to know.

httpd-2.2.15-39.el6.centos.x86_64
openssl-1.0.1e-30.el6_6.5.x86_64

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
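As an added example (not part of Don's post or of any reply on the list), here is one way the mod_ssl directives in question could be set for smart-card client-certificate authentication while restricting the protocol and cipher selection to the less permissive end. It keeps the original two settings as comments for comparison. The ServerName, certificate paths and the client CA bundle file are placeholders; the directives themselves (SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLVerifyClient, SSLVerifyDepth, SSLCACertificateFile, SSLOptions, LogLevel) are standard mod_ssl/httpd directives.

```apache
# Added example, not from the original post: mod_ssl configuration for
# client-certificate (smart card) authentication with protocol and cipher
# settings tightened. All paths and the ServerName are placeholders.
<VirtualHost _default_:443>
    # placeholder host name
    ServerName www.example.com

    SSLEngine on
    # placeholder server certificate and key (RSA, not DSA: the log line
    # "no shared cipher ... or using DSA server certificate?" is the hint
    # mod_ssl gives when the certificate type rules out every suite)
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # Original post: SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1
    # Allow every TLS version the build supports; disable only SSLv2/SSLv3.
    SSLProtocol all -SSLv2 -SSLv3

    # Original post: SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    # Restrict to HIGH-strength, authenticated suites and drop anonymous
    # DH, export-grade, RC4 and MD5 suites; let the server pick the order.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    SSLHonorCipherOrder on

    # Smart-card (CAC) authentication: the browser must present a
    # certificate chaining to one of the CAs in this bundle (placeholder).
    SSLVerifyClient require
    SSLVerifyDepth  4
    SSLCACertificateFile /etc/pki/tls/certs/client-ca-bundle.pem

    # Expose SSL_CLIENT_S_DN and related variables to the application.
    SSLOptions +StdEnvVars

    # Handshake detail (protocol and cipher chosen, certificate errors)
    # is logged at debug level while troubleshooting; lower it afterwards.
    LogLevel debug
    ErrorLog logs/ssl_error_log
</VirtualHost>
```

Before restarting httpd, `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5'` on the server shows exactly which suites that string expands to under the installed OpenSSL, which is the quickest way to see whether a "no shared cipher" failure is the server offering too little or the client offering something disjoint.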