httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anne Blankert <anne.blank...@geodan.nl>
Subject Re: Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Wed, 26 Aug 2015 10:15:35 GMT
The problem is not in the client certificate but in the issuer certicates
aka known as the certificate chain.
I was able to solve the problem by adding the following line in my Apache
server configuration:

SSLCACertificateFile /etc/ssl/certs/clientcertificatechain.pem

where file 'clientcertificatechain.pem' contains all the intermediate
certificates for the client certificate.



2015-08-26 11:44 GMT+02:00 Sterpu Victor <victor@caido.ro>:

> The certificates are already on the server.
>
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru>
> To: users@httpd.apache.org
> Sent: 8/26/2015 11:34:24 AM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
>
> I'm only guessing, but maybe manually adding all necessary intermediate
> certificates to your server will help?
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 26/08/15 09:31, Sterpu Victor wrote:
>
> I installed apache 2.4.16 and I have activated SSLOCSPEnable on a virtual
> domain but the page is not loading at all with OCSPEnabled(without OCSP is
> working).
>
> The error is:
> SSL Library Error: error:27069065:OCSP
> routines:OCSP_basic_verify:certificate verify error (Verify error:unable to
> get local issuer certificate)
> AH02039: Certificate Verification: Error (50): application verification
> failure
> AH01925: failed to verify the OCSP response
> I would use SSLOCSPOverrideResponder
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspoverrideresponder>
but
> I have 4 different OCSP servers depending on the CA.
> I checked the certificates and in the section Authority Information
> Access there is a URL to the OCSP server.
> This is the information from one of the certificates:
>
> [1]Authority Info Access
> Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
> Alternative Name:
> URL=http://ocsp.certsign.ro/ocsp
>
> ocsp.digisign.ro is answering on port 80.
> Could be a problem with SSLOCSPEnable that is not auto extracting the
> OCSP URL?
>
> My configuration is:
>     SSLEngine on
>     SSLCertificateFile    /etc/ssl/card.casnt.ro/server.crt
>     SSLCertificateKeyFile /etc/ssl/card.casnt.ro/server.key
>     SSLCACertificateFile  /etc/ssl/certs/RO/All_Certs.pem
>
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>     SSLOptions +StdEnvVars +ExportCertData
>     SSLOCSPEnable On
>
> Thank you.
>
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru>
> To: users@httpd.apache.org
> Sent: 8/23/2015 8:16:06 PM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
>
> In this case, could you please post the results when you get the
> SSLOCSPEnable fixed? I'm particularly interested in performance.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 23/08/2015 19:57, Sterpu Victor wrote:
>
> There are 4 CAs, at least 1 uses OCSP(only 1 I called).
> I hope all of them use OCSP, I don't know the legislation but it seems
> normal to be required by law.
>
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru>
> To: users@httpd.apache.org
> Sent: 8/23/2015 7:51:14 PM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
>
> Oh, I see. In this case you will have to check the status of their
> certificates. Still, I suspect all of the tokens are issued by one CA.
> Probably it is better to ask this CA for their procedures: do they use OCSP
> or just publish CRLs.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 23/08/2015 19:41, Sterpu Victor wrote:
>
> All clients already have PKCS11 tokens.
> It would be too complicated for them to get used with something else.
>
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru>
> To: users@httpd.apache.org
> Sent: 8/23/2015 7:34:07 PM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
>
> I see. However, accepting clients certificates from the world recognized
> authorities is both more expensive (for clients) and more risky than
> running your own CA (recognized only by your server). If you personally
> know all your clients it is easier to issue them certificates directly, and
> revoke them by yourself too if needed.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 23/08/2015 18:56, Sterpu Victor wrote:
>
> I want to make a page that will authenticate only with PKCS11 tokens.
> These tokens contain only certificates from a recognized authority.
> OCSP would be usefull if the token has been declared lost or stolen.
> But I don't want to make things too complicated.
>
>
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru>
> To: users@httpd.apache.org
> Sent: 8/23/2015 6:51:02 PM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>
>
> Hello, what is your scenario? If you issue (sign) client certificates
> yourself, Apache can correctly verify it against local CRL (certificate
> revocation list) file (server restart may be required after file update).
> There's information in the net concerning OCSP support for client
> authentication in newer versions of Apache (google SSLOCSPEnable), but I
> can see no real use for it save for some very complicated systems.
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 23/08/2015 09:51, Sterpu Victor wrote:
>
> Hello
>
> I have a web page that asks for client certificate.
> These are the options for this:
>
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> How does SSLVerifyClient  verifies the client certificate?
> This option protects against certificates manual made with a fake
> public-private key pair?
> So can someoane make a certificate identical with the original, attach
> another set of public and private keys and pretend to be someoane else?
>
> Thank you
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>
>
>
> ------------------------------
> [image: Avast logo] <https://www.avast.com/antivirus>
>
> This email has been checked for viruses by Avast antivirus software.
> www.avast.com <https://www.avast.com/antivirus>
>
>
>
> *DISCLAIMER: Acest mesaj de posta electronica si documentele aferente sunt
> confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod
> de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este
> interzis sa actionati in baza acestor informatii. Citirea, copierea,
> distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute
> in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din
> greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea
> comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un
> mod sigur si lipsit de erori de transmitere a informatiilor, este
> responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele
> alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.*
>
>

Mime
View raw message