Posted to users@httpd.apache.org by "McGregor, Donald (Don) (CIV)" <mc...@nps.edu> on 2014/05/30 06:00:39 UTC

[users@httpd] CAC Card Authentication

I'm attempting to get CAC card authentication working with Apache httpd-2.2.3-85 on CentOS 5. CAC cards are the DoD variant of smart cards. The SSL connection is failing (Chrome error: ERR_SSL_PROTOCOL_ERROR) and I'm having problems diagnosing exactly where the problem is.

The objective is to confirm that the user has in his possession a valid CAC card--at this point I don't need to extract the contents of the client certificate into environment variables and do a SSLFakeBasicAuth. If they have a valid CAC card, they should be able to reach the page.

Subdirectory I want CAC authentication in:

Code:
<Directory /var/www/html/cac>
SSLVerifyDepth 10
SSLVerifyClient require
</Directory>


SSL settings:

Code:
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/httpd/keys/myCertificate.crt
SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key
SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem
SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem
SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem

Non-CAC https works. Client certificate authentication for CAC cards fails.

I've retrieved the CRL list. allDoDCerts.pem is the PEM encoded, concatenated, root and intermediate certificates for the DoD CAs. I'm testing the client side on Windows 8.1. In IE 11 I'm presented with a list of candidate certificates (showing that the OS and browser are contacting the smart card, and that the SSLCACertificateFile is doing its job of providing the client with a list of candidate CAs) and enter a PIN to access the card, suggesting the certificate is being retrieved from the card. The SSL connection then fails to be established.

I can set up my own CA, add the CA's cert to the SSLCACertificateFile and SSLCAChainFile, create a certificate from that CA, and that works after I add a PKCS#12 file to Firefox.

What can I do to troubleshoot exactly where this problem resides? Ideally this would be some magic that allowed me to see the client or the server failing to authenticate a certificate, so I could see exactly where the problem is.

Re: [users] Re: [users@httpd] CAC Card Authentication

Posted by Steven Siebert <sm...@gmail.com>.
What version of OpenSSL are you running? I normally wouldn't be
concerned about a bug in an older version of OpenSSL...but I can
fathom people downgrading to pre-heartbleed versions to "be sure" it's
safe.

>> [Sun Jun 01 20:42:26 2014] [error] Certificate Verification: Error (20): unable to get local issuer certificate

This may indicate that you don't have *all* the root CAs for the CAC
card...can you verify that the issuer for your CAC certificate is in
the SSLCACertificateFile?





On Sun, Jun 1, 2014 at 11:47 PM, McGregor, Donald (Don) (CIV)
<mc...@nps.edu> wrote:
>
> On Jun 1, 2014, at 6:18 AM, Steven Siebert <sm...@gmail.com> wrote:
>
>
> On Fri, May 30, 2014 at 12:00 AM, McGregor, Donald (Don) (CIV)
> <mc...@nps.edu> wrote:
>>
>> ERR_SSL_P
>
>
>
> Can you provide the (sanitized) apache error_log when you try mutual auth?
>
> S
>
>
> Using IE client on Windows 8.1:
>
> [Sun Jun 01 20:40:35 2014] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
> [Sun Jun 01 20:40:35 2014] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [Sun Jun 01 20:40:35 2014] [error] Re-negotiation handshake failed: Not
> accepted by client!?
>
> Using Chrome client on Windows 8.1:
>
> [Sun Jun 01 20:42:10 2014] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [Sun Jun 01 20:42:15 2014] [error] Re-negotiation handshake failed: Not
> accepted by client!?
> [Sun Jun 01 20:42:26 2014] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
> [Sun Jun 01 20:42:26 2014] [error] Re-negotiation handshake failed: Not
> accepted by client!?
>
> As I said, the standard https seems to work in non-CAC enabled directories.
> From Chrome on OSX
> for the lock icon:
>
> "The identity of this website has been verified by DOD CA-27 but does not
> have public audit records."
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users] Re: [users@httpd] CAC Card Authentication

Posted by "McGregor, Donald (Don) (CIV)" <mc...@nps.edu>.
On Jun 1, 2014, at 6:18 AM, Steven Siebert <sm...@gmail.com> wrote:

> On Fri, May 30, 2014 at 12:00 AM, McGregor, Donald (Don) (CIV) <mc...@nps.edu> wrote:
>> ERR_SSL_P
>
> Can you provide the (sanitized) apache error_log when you try mutual auth?
>
> S

Using IE client on Windows 8.1:

[Sun Jun 01 20:40:35 2014] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[Sun Jun 01 20:40:35 2014] [error] Re-negotiation handshake failed: Not accepted by client!?
[Sun Jun 01 20:40:35 2014] [error] Re-negotiation handshake failed: Not accepted by client!?

Using Chrome client on Windows 8.1:

[Sun Jun 01 20:42:10 2014] [error] Re-negotiation handshake failed: Not accepted by client!?
[Sun Jun 01 20:42:15 2014] [error] Re-negotiation handshake failed: Not accepted by client!?
[Sun Jun 01 20:42:26 2014] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[Sun Jun 01 20:42:26 2014] [error] Re-negotiation handshake failed: Not accepted by client!?

As I said, the standard https seems to work in non-CAC enabled directories. From Chrome on OSX
for the lock icon:

"The identity of this website has been verified by DOD CA-27 but does not have public audit records."


Re: [users@httpd] CAC Card Authentication

Posted by Steven Siebert <sm...@gmail.com>.
On Fri, May 30, 2014 at 12:00 AM, McGregor, Donald (Don) (CIV) <
mcgredo@nps.edu> wrote:

> ERR_SSL_P



Can you provide the (sanitized) apache error_log when you try mutual auth?

S

Re: [users@httpd] CAC Card Authentication

Posted by "McGregor, Donald (Don) (CIV)" <mc...@nps.edu>.
What’s the incantation for doing debugging on the client certs from a smart card in curl?
The google hits seem to be outdated.


On May 29, 2014, at 11:06 PM, Jason Pyeron <jp...@pdinc.us>> wrote:

>> -----Original Message-----
>> From: McGregor, Donald (Don) (CIV)
>> Sent: Friday, May 30, 2014 0:01
>>
>> I'm attempting to get CAC card authentication working with
>> Apache httpd-2.2.3-85 on Centos 5. CAC cards are the DoD
>
> Here is what I tell my employees and contractors to do first.
>
> Get it working with soft certs. You will need a CA cert, a server cert and a
> client cert. Then you will have test cases (and errors) you can share.
>
>> variant of smart cards. The SSL connection is failing (Chrome
>> error: ERR_SSL_PROTOCOL_ERROR) and I'm having problems
>> diagnosing exactly where the problem is.
>>
>> The objective is to confirm that the user has in his
>> possession a valid CAC card--at this point I don't need to
>> extract the contents of the client certificate into
>> environment variables and do a SSLFakeBasicAuth. If they have
>> a valid CAC card, they should be able to reach the page.
>>
>> Subdirectory I want CAC authentication in:
>>
>> Code:
>> <Directory /var/www/html/cac>
>> SSLVerifyDepth 10
>> SSLVerifyClient require
>> </Directory>
>>
>> SSL settings:
>>
>> Code:
>> SSLEngine on
>> SSLProtocol all -SSLv2
>> SSLHonorCipherOrder On
>> SSLCipherSuite
>> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES
>> :ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>> SSLCertificateFile /etc/httpd/keys/myCertificate.crt
>> SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key
>> SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem
>> SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem
>> SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem
>>
>
> And if you are working on an accredited DoD system, you will need to run in FIPS
> 140 mode, which is not supported by mod_ssl, you will have to use mod_nss.
>
>> Non-CAC https works. Client certificate authentication for
>> CAC cards fails.
>>
>> I've retrieved the CRL list. allDoDCerts.pem is the PEM
>> encoded, concatenated, root and intermediate certificates for
>> the DoD CAs. I'm testing the client side on windows 8.1. In
>> IE 11 I'm presented with a list of candidate certificates
>> (showing that the OS and browser are contacting the smart
>> card, and that the SSLCACertificateFile is doing its job of
>> providing the client with a list of candidate CAs) and enter
>> a PIN to access the card, suggesting the certificate is being
>> retrieved from the card. The SSL connection then fails to be
>> established.
>>
>> I can set up my own CA, add the CA's cert to the
>> SSLCACertificateFile and SSLCAChainFile, create a certificate
>> from that CA, and that works after I add a PKCS#12 file to Firefox.
>
> Debug this from curl, it will make your life easier.
>
> Ironically, IE does a nice job of presenting the server status too. Change the
> require to optional, and verify the server is sending a "proper" chain.
>
>> What can I do to troubleshoot exactly where this problem
>> resides? Ideally this would be some magic that allowed me to
>> see the client or the server failing to authenticate a
>> certificate, so I could see exactly where the problem is.
>
> Sorry for the half answers, it's late.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -                                                               -
> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
> - Principal Consultant              10 West 24th Street #100    -
> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
> -                                                               -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.






[users] Re: [users@httpd] CAC Card Authentication

Posted by Tom Browder <to...@gmail.com>.
On Fri, May 30, 2014 at 1:06 AM, Jason Pyeron <jp...@pdinc.us> wrote:
>> -----Original Message-----
>> From: McGregor, Donald (Don) (CIV)
...
>> I'm attempting to get CAC card authentication working with
>> Apache httpd-2.2.3-85 on Centos 5. CAC cards are the DoD
...
> And if you are working on an accredited DoD system, you will need to run in FIPS
> 140 mode, which is not supported by mod_ssl, you will have to use mod_nss.

Doesn't Apache 2.4.9 mod_ssl support FIPS?

-Tom



RE: [users@httpd] CAC Card Authentication

Posted by Jason Pyeron <jp...@pdinc.us>.
> -----Original Message-----
> From: McGregor, Donald (Don) (CIV) 
> Sent: Friday, May 30, 2014 0:01
> 
> I'm attempting to get CAC card authentication working with 
> Apache httpd-2.2.3-85 on Centos 5. CAC cards are the DoD 

Here is what I tell my employees and contractors to do first.

Get it working with soft certs. You will need a CA cert, a server cert and a
client cert. Then you will have test cases (and errors) you can share.

> variant of smart cards. The SSL connection is failing (Chrome 
> error: ERR_SSL_PROTOCOL_ERROR) and I'm having problems 
> diagnosing exactly where the problem is. 
> 
> The objective is to confirm that the user has in his 
> possession a valid CAC card--at this point I don't need to 
> extract the contents of the client certificate into 
> environment variables and do a SSLFakeBasicAuth. If they have 
> a valid CAC card, they should be able to reach the page. 
> 
> Subdirectory I want CAC authentication in: 
> 
> 
> Code:	 
> <Directory /var/www/html/cac> 
> SSLVerifyDepth 10 
> SSLVerifyClient require 
> </Directory>	 
> 
> 
> SSL settings: 
> 
> 
> Code:	 
> SSLEngine on 
> SSLProtocol all -SSLv2 
> SSLHonorCipherOrder On 
> SSLCipherSuite 
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES
> :ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
> SSLCertificateFile /etc/httpd/keys/myCertificate.crt 
> SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key 
> SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem 
> SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem 
> SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem	 
> 

And if you are working on an accredited DoD system, you will need to run in FIPS
140 mode, which is not supported by mod_ssl, you will have to use mod_nss.

> Non-CAC https works. Client certificate authentication for 
> CAC cards fails.  
> 
> I've retrieved the CRL list. allDoDCerts.pem is the PEM 
> encoded, concatenated, root and intermediate certificates for 
> the DoD CAs. I'm testing the client side on windows 8.1. In 
> IE 11 I'm presented with a list of candidate certificates 
> (showing that the OS and browser are contacting the smart 
> card, and that the SSLCACertificateFile is doing its job of 
> providing the client with a list of candidate CAs) and enter 
> a PIN to access the card, suggesting the certificate is being 
> retrieved from the card. The SSL connection then fails to be 
> established. 
> 
> 
> I can set up my own CA, add the CA's cert to the 
> SSLCACertificateFile and SSLCAChainFile, create a certificate 
> from that CA, and that works after I add a PKCS#12 file to Firefox.

Debug this from curl, it will make your life easier.

Ironically, IE does a nice job of presenting the server status too. Change the
require to optional, and verify the server is sending a "proper" chain.

> 
> What can I do to troubleshoot exactly where this problem 
> resides? Ideally this would be some magic that allowed me to 
> see the client or the server failing to authenticate a 
> certificate, so I could see exactly where the problem is. 
> 
> 

Sorry for the half answers, it's late.


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

 


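A way to act on both pieces of advice in this thread (Steven's "check that the issuer of your CAC certificate is in the SSLCACertificateFile" and Jason's "get it working with soft certs first"), as an added example that is not code from the list or from the httpd project: the script builds a throwaway root -> intermediate -> client chain with the openssl CLI, then runs openssl's chain check against a root-only bundle and a root-plus-intermediate bundle, reproducing the "error 20: unable to get local issuer certificate" that mod_ssl logged. It also goes one step beyond the thread by showing the case where the bundle lacks the intermediate but the client presents it itself (openssl's -untrusted). All CA names and file names are constructed for the demo; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: build throwaway "soft certs"
# (root CA -> intermediate CA -> client cert) with the openssl CLI, then
# check a client cert against candidate CA bundles the way mod_ssl checks
# it against SSLCACertificateFile. All names and files are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root CA and an intermediate CA signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.pem 2>/dev/null

# Client cert issued by the intermediate; it stands in for the card's cert.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Client" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -out client.pem 2>/dev/null

# Two candidate bundles, i.e. two candidate SSLCACertificateFile contents.
cp root.pem bundle-root-only.pem           # intermediate missing
cat root.pem int.pem > bundle-full.pem     # root and intermediate present

# chain_ok BUNDLE CERT [UNTRUSTED]: succeeds if openssl can build CERT's
# chain from BUNDLE, optionally using UNTRUSTED as a cert the client sent.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# verify_error BUNDLE CERT: openssl's own wording for the failure (if any).
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# The root-only bundle reproduces error 20; adding the intermediate to the
# bundle, or having the client present it, lets the chain build.
chain_ok bundle-root-only.pem client.pem || verify_error bundle-root-only.pem client.pem
chain_ok bundle-full.pem client.pem && echo "full bundle: chain OK"
chain_ok bundle-root-only.pem client.pem int.pem && echo "root + client-sent intermediate: chain OK"
```

Once the soft-cert chain verifies locally, the same client.pem and client.key can be presented to the vhost from the client side with curl's --cert, --key and -v options (e.g. curl -v --cert client.pem --key client.key https://your-host/cac/, host name being a placeholder), which is the curl-based check Jason recommends.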