Posted to solr-user@lucene.apache.org by Espen Rise Halstensen <er...@dips.no> on 2017/02/15 10:43:17 UTC

SSL using signed client certificate not working

Hi,

I have some problems with client certificates. By the look of it, it works with
curl, and Safari prompts for and accepts my certificate. It does not work with Edge,
Firefox or Chrome. The certificates are requested from our CA.

When requesting https://s02/solr in the browser, it doesn't
prompt for certificate and I get the following error message in Chrome:
>This site can't provide a secure connection
>s02 didn't accept your login certificate, or one may not have been provided.
>Try contacting the system admin.

When debugging with Wireshark I can see the s01t9 certificate in the
"certificate request" part of the handshake, but the browser answers without a certificate.


Setup as follows:

solr.in.sh:
SOLR_SSL_KEY_STORE=etc/keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/truststore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=true
SOLR_SSL_WANT_CLIENT_AUTH=false

Content of truststore.jks:
[solruser@s02 etc]# keytool -list -keystore /opt/solr-6.4.0/server/etc/truststore.jks -storepass secret

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

s01t9, 15.feb.2017, trustedCertEntry,
Certificate fingerprint (SHA1): CF:BD:02:71:64:F0:BA:65:71:10:A1:23:42:34:E0:3C:37:75:E1:BF



curl (returns the HTML of the admin page with the -L option):

curl -v -E  s01t9.pem:secret --cacert  rootca.pem 'https://vs02/solr'
* Hostname was NOT found in DNS cache
*   Trying 10.0.121.132...
* Connected to s02 (10.0.121.132) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: rootca.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA256
* Server certificate:
*        subject: CN=s01t9
*        start date: 2017-01-09 11:31:49 GMT
*        expire date: 2022-01-08 11:31:49 GMT
*        subjectAltName: s02 matched
*        issuer: DC=local; DC=com; CN=Root CA
*        SSL certificate verify ok.
> GET /solr HTTP/1.1
> User-Agent: curl/7.35.0
> Host: s02
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://s02 /solr/
< Content-Length: 0
<
* Connection #0 to host s02 left intact

Thanks,
Espen
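Added example (not from this thread, and not Solr's or Jetty's code): a small Python script that reads a curl -v handshake trace like the one above and answers the two questions that matter for this problem: did the server send a CertificateRequest, and did the client actually present a certificate? It keys on CertificateVerify (15) rather than on the client's Certificate (11), because a TLS 1.2 client with no certificate to offer still answers the request with an empty Certificate message, which is exactly what a browser without a usable client certificate does. The `expected_outcome` helper then maps the result onto Jetty's need/want client-auth semantics, which is what SOLR_SSL_NEED_CLIENT_AUTH and SOLR_SSL_WANT_CLIENT_AUTH in solr.in.sh control. The two sample traces (including the `>`-quoted variant) are constructed in curl's OpenSSL-backend output format as shown in the post; the function and class names are this example's own.

```python
"""Check a curl -v TLS handshake trace for client-certificate authentication.

Constructed example for this thread; the traces below are made up in the
format curl (OpenSSL backend) prints, not copied from a live system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One curl -v line per handshake message, optionally prefixed by mail quoting:
#   * SSLv3, TLS handshake, Request CERT (13):
# curl writes "SSLv3" for every TLS version; the number is the handshake type.
HANDSHAKE_LINE = re.compile(
    r"^(?:>\s*)*\*\s+SSLv3, TLS handshake, (?P<name>.+?) \((?P<type>\d+)\):\s*$"
)

CERTIFICATE = 11          # curl label "CERT"
CERTIFICATE_REQUEST = 13  # curl label "Request CERT"
CERTIFICATE_VERIFY = 15   # curl label "CERT verify"


@dataclass(frozen=True)
class ClientAuthResult:
    server_requested_cert: bool  # server sent CertificateRequest (13)
    client_sent_cert_msg: bool   # client sent Certificate (11) afterwards, possibly empty
    client_proved_cert: bool     # client sent CertificateVerify (15): it holds cert and key


def parse_handshake(trace: str) -> list[int]:
    """Return the handshake message types in the order curl logged them."""
    types = []
    for line in trace.splitlines():
        m = HANDSHAKE_LINE.match(line.strip())
        if m:
            types.append(int(m.group("type")))
    return types


def analyze_client_auth(trace: str) -> ClientAuthResult:
    types = parse_handshake(trace)
    if CERTIFICATE_REQUEST not in types:
        # Server never asked: need/want client auth are both off on this listener.
        return ClientAuthResult(False, False, False)
    after = types[types.index(CERTIFICATE_REQUEST) + 1:]
    # A TLS 1.2 client with nothing to offer still answers with an empty
    # Certificate (11), so that message alone proves nothing. CertificateVerify
    # (15) is only sent when the client presented a certificate it holds the
    # private key for, so it is the reliable sign of a real client certificate.
    return ClientAuthResult(
        server_requested_cert=True,
        client_sent_cert_msg=CERTIFICATE in after,
        client_proved_cert=CERTIFICATE_VERIFY in after,
    )


def expected_outcome(result: ClientAuthResult,
                     need_client_auth: bool, want_client_auth: bool) -> str:
    """Map a trace onto Jetty's need/want semantics used by solr.in.sh."""
    if result.client_proved_cert:
        return "authenticated"  # TLS layer has a verified client identity
    if need_client_auth:
        return "rejected"       # handshake aborted; browser shows an SSL error page
    # want=true, or client auth off: connection allowed, no TLS-layer identity
    return "anonymous"


# Constructed traces (same shape as curl -v output, not real captures).
TRACE_CLIENT_CERT = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
"""

# Same handshake pasted from a quoted mail reply, but the client had no
# certificate to offer: empty CERT (11) and no CERT verify (15).
TRACE_NO_CLIENT_CERT = """\
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Request CERT (13):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
"""

if __name__ == "__main__":
    for label, trace in (("with cert", TRACE_CLIENT_CERT),
                         ("no cert", TRACE_NO_CLIENT_CERT)):
        r = analyze_client_auth(trace)
        print(label, r,
              "need=true ->", expected_outcome(r, True, False),
              "| want=true ->", expected_outcome(r, False, True))
```

With SOLR_SSL_NEED_CLIENT_AUTH=true, a browser that answers the CertificateRequest with an empty Certificate is rejected during the handshake, which is what the Chrome error page above reflects. Switching to SOLR_SSL_WANT_CLIENT_AUTH=true lets that connection through, but Solr then has no TLS-layer identity for it, so any access control that relied on the client certificate has to be enforced some other way for those connections.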

Re: SSL using signed client certificate not working

Posted by Kevin Risden <co...@gmail.com>.
It sounds like Edge, Firefox, and Chrome aren't set up on your computer to
do client authentication. You can set need client authentication to false
and use want client authentication in solr.in.sh. This will allow browsers
that don't present a client certificate to work. Otherwise you need to
configure your browsers.

Client authentication is an extra part of SSL and not usually required.

Kevin Risden
