You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Miguel Angel Tormo Alfaro <ml...@edicom.eu> on 2008/12/30 13:20:13 UTC
[users@httpd] Apache 2.2 asks for client certificate when it shouldn't
Hi all,
I recently installed an apache web server using version 2.2.9, and I'm having strange issues with the SSL behaviour. I don't need client certificate validation so I didn't use the directive SSLVerifyClient. However, as apache asked for a client certificate, I changed the SSLVerifyClient directive to 'none', with the same results.
I thought it could be a browser issue, however the same config in apache 2.0 doesn't behave this way. On the other hand I'm able to reproduce the problem with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything related to this in the apache logs. I've done many tests and now I have no clue about why it keeps asking for a certificate. It should be noted though that apache asks for the certificate only once, if I don't restart the browser or delete cookies.
Are there other configuration directives in mod_ssl besides SSLVerifyClient that may influence this behaviour?
Some system information:
SO: Linux 2.6, 64 bit (Gentoo distribution)
Server Version: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6-pl7-gentoo mod_jk/1.2.26
Any help is greatly appreciated. Thanks!
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2.2 asks for client certificate when it shouldn't
Posted by Miguel Angel Tormo Alfaro <ml...@edicom.eu>.
El Martes, 30 de Diciembre de 2008 17:53:42 krist.vanbesien@gmail.com escribió:
> On 12/30/08, Miguel Angel Tormo Alfaro <ml...@edicom.eu> wrote:
>
> > I thought it could be a browser issue, however the same config in apache 2.0
> > doesn't behave this way. On the other hand I'm able to reproduce the problem
> > with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything
> > related to this in the apache logs. I've done many tests and now I have no
> > clue about why it keeps asking for a certificate. It should be noted though
> > that apache asks for the certificate only once, if I don't restart the
> > browser or delete cookies.
> > Are there other configuration directives in mod_ssl besides SSLVerifyClient
> > that may influence this behaviour?
>
> Which other SSL directives do you have in your config? Can you show it to us?
>
Thank you for your response. Here there are (taken from http://myserver/server-info)
mod_ssl.conf:
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
Default virtual host conf file:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/ips.crt
SSLVerifyClient none
And in the virtual host conf file:
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/ips.crt
SSLVerifyClient none
SSLOptions -ExportCertData -StdEnvVars +OptRenegotiate
I have been playing with those SSLOptions (adding / removing, etc), but none of them seem to affect this strange behaviour. I'm using name based virtualhosts (one IP), so one certificate for all of them (I'm not relying on SNI as many browsers don't support it yet). It is very difficult to try new things as the error seems to be very random. Today for instance I've done a bunch of tries and it only asked for the certificate once. I've tried from 4 different computers with different browsers.
On the other hand, may it be related to the SSLSessionCache?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2.2 asks for client certificate when it shouldn't
Posted by kr...@gmail.com.
On 12/30/08, Miguel Angel Tormo Alfaro <ml...@edicom.eu> wrote:
> I thought it could be a browser issue, however the same config in apache 2.0
> doesn't behave this way. On the other hand I'm able to reproduce the problem
> with firefox 2, 3, seamonkey 1.1.7 and konqueror. I don't see anything
> related to this in the apache logs. I've done many tests and now I have no
> clue about why it keeps asking for a certificate. It should be noted though
> that apache asks for the certificate only once, if I don't restart the
> browser or delete cookies.
> Are there other configuration directives in mod_ssl besides SSLVerifyClient
> that may influence this behaviour?
Which other SSL directives do you have in your config? Can you show it to us?
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org