Posted to users@httpd.apache.org by Jiangsu Kumquat <x...@mynetblog.com> on 2023/07/10 00:52:15 UTC

[users@httpd] Apache2 certificate authentication

I'm stuck. I am trying to use certificate authentication to restrict access
to a directory. I'm using my own certificate authority that I created using
the commands below.

I'm running Apache2 on Debian Linux.

*** CA KEYS

create CA private key
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096

create CA self signed certificate
openssl req -new -x509 -key ca.key -out ca.crt

sign client CSR
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt


*** CLIENT KEYS

generate client private key
openssl genpkey -algorithm RSA -out private_key.key -pkeyopt rsa_keygen_bits:4096

generate certificate signing request (CSR)
openssl req -new -key private_key.key -out client.csr

generate pkcs12 client certificate
openssl pkcs12 -export -out certificate.p12 -inkey private_key.key -in client.crt



*** Apache2 config

(This is inside a virtual host block)

# This is the CA.crt file I generated above
SSLCACertificateFile /etc/apache2/ssl-client/ca.crt

<Directory /var/www/html/secure>
    SSLRequireSSL
#   SSLVerifyClient require
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +ExportCertData
#   SSLRequire %{SSL_CLIENT_S_DN_CN} == ""
</Directory>

I imported the pkcs12 client certificate I generated above into my Firefox
browser.

When I access:
https://example.com/secure

I get this error:

Forbidden
You don't have permission to access this resource.
Reason: Cannot perform Post-Handshake Authentication.


I'm not sure where to go from here. I don't know how to get past this error
message.

Re: [users@httpd] Re: Apache2 certificate authentication

Posted by Landon <x...@mynetblog.com>.
On Tue, Jul 25, 2023 at 2:46 PM Daniel Ferradal <df...@apache.org>
wrote:

>>> [Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
>>> 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
>>> [Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library
>>> Error: error:0A000117:SSL routines::extension not received
>>>
>>
> This has nothing to do with your certificates, but with the TLS protocol.
>
> This is TLSv1.3, no doubt; you just have to go to "about:config" in Firefox
> and enable post-handshake authentication. That's why Apache is telling you
> that the extension is not being received: Firefox is not sending it. (Look
> for the "handshake" keyword.)
>
> When a directory configuration is different from the general TLS
> configuration, such as when requiring a certificate in a subdirectory, a
> renegotiation occurs.
>
> Being TLSv1.3, browsers such as Firefox have it disabled by default. If
> your Apache server only allows TLSv1.2 you won't have this issue. As for
> the reason why browsers are doing this, I can't remember exactly what it
> is; a Google search should shed some light, I guess.
>
> --
> Daniel Ferradal
> HTTPD Project
> #httpd help at Libera.Chat
>

The issue is discussed here...

https://stackoverflow.com/questions/73590620/delayed-certificate-in-tls-1-3

It references RFC 8446...
https://www.rfc-editor.org/rfc/rfc8446#section-4.2.6


And when I enable that "about:config" option in Firefox, does that work
correctly with TLSv1.3?

RFC 7540 explicitly forbids renegotiation after the actual HTTP/2 protocol
(inside the TLS) has been started.
https://www.rfc-editor.org/rfc/rfc7540#section-9.2.1

Landon

Re: [users@httpd] Re: Apache2 certificate authentication

Posted by Daniel Ferradal <df...@apache.org>.
>> [Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
>> 192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
>> [Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library
>> Error: error:0A000117:SSL routines::extension not received
>>
>
This has nothing to do with your certificates, but with the TLS protocol.

This is TLSv1.3, no doubt; you just have to go to "about:config" in Firefox
and enable post-handshake authentication. That's why Apache is telling you
that the extension is not being received: Firefox is not sending it. (Look
for the "handshake" keyword.)

When a directory configuration is different from the general TLS
configuration, such as when requiring a certificate in a subdirectory, a
renegotiation occurs.

Being TLSv1.3, browsers such as Firefox have it disabled by default. If
your Apache server only allows TLSv1.2 you won't have this issue. As for
the reason why browsers are doing this, I can't remember exactly what it
is; a Google search should shed some light, I guess.

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
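The server-side fix that follows from the renegotiation explanation above and from the HTTP/2 note in Landon's reply, written here as an added example rather than taken from the thread: verify the client certificate at virtual-host level so it happens in the initial handshake, and keep the per-directory form only as a constrained fallback. The CA path, protected directory and hostname are those from the original post; the server certificate paths and the CN "alice" are assumptions.

```apache
# Option A (preferred): verify the client certificate in the initial
# handshake. At virtual-host level SSLVerifyClient never forces a
# renegotiation, so it works unchanged with TLSv1.3 and HTTP/2 and needs
# no about:config change in the browser. Note that every request to this
# vhost then needs a client certificate, so keep public content elsewhere.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Server certificate paths are assumptions, not from the thread.
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # The CA that signed client.crt (ca.crt from the thread).
    SSLCACertificateFile  /etc/apache2/ssl-client/ca.crt
    # "require" rejects a connection whose certificate is missing or was not
    # signed by that CA. The original "optional_no_ca" is documented for
    # testing only: it also accepts certificates the CA never signed, so by
    # itself it restricts nothing.
    SSLVerifyClient require
    # ca.crt signs client.crt directly, so the chain is one step deep.
    SSLVerifyDepth  1

    <Directory /var/www/html/secure>
        SSLRequireSSL
        SSLOptions +StdEnvVars +ExportCertData
        # Optional: limit the directory to specific subjects rather than
        # "any certificate from our CA". "alice" is an assumed CN.
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice'"
    </Directory>
</VirtualHost>

# Option B: keep SSLVerifyClient inside <Directory>, as in the original
# post. mod_ssl must then renegotiate after the request has arrived. Under
# TLSv1.3 that renegotiation is post-handshake authentication (AH10158
# when the browser does not offer the extension), and HTTP/2 forbids
# renegotiation altogether (RFC 7540, section 9.2.1). The per-directory
# form therefore only works when the vhost is pinned to TLSv1.2 and
# HTTP/1.1. Add these to the vhost and drop the vhost-level
# SSLVerifyClient above:
#
#     SSLProtocol -all +TLSv1.2
#     Protocols   http/1.1
```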

Re: [users@httpd] Re: Apache2 certificate authentication

Posted by Florian Schwalm <fl...@flo-films.de>.
I'm not sure if this command for signing the client certificate is correct, as I don't see your corresponding openssl config and whether it sets the correct keyUsage and extensions:
  sign client CSR
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

I usually use this command and it works fine:
openssl ca -config intermediate/openssl.cnf -extensions usr_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem

With this openssl.cnf
```
# OpenSSL intermediate CA configuration file.
# Copy to `/root/ca/intermediate/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca/intermediate
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/intermediate.key.pem
certificate       = $dir/certs/intermediate.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/intermediate.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_loose

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = England
localityName_default            =
0.organizationName_default      = Alice Ltd
organizationalUnitName_default  =
emailAddress_default            =

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
```
I suggest looking here for further information; I followed this guide and it works fine:
https://jamielinux.com/docs/openssl-certificate-authority/index.html


On 10 July 2023 05:27:35 CEST, Jiangsu Kumquat <x...@mynetblog.com> wrote:
>I just tried accessing the "/secure/" directory in Edge and got the same
>error message after importing my pkcs12 certificate.
>
>I forgot to include the Apache2 error logs...
>
>[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
>192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
>[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error:
>error:0A000117:SSL routines::extension not received
>
>On Sun, Jul 9, 2023 at 6:52 PM Jiangsu Kumquat <x...@mynetblog.com> wrote:
>
>>
>> I'm stuck. I am trying to use certificate authentication to restrict
>> access to a directory. I'm using my own certificate authority that I
>> created using the commands below.
>>
>> I'm running Apache2 on Debian Linux.
>>
>> *** CA KEYS
>>
>> create CA private key
>> openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096
>>
>> create CA self signed certificate
>> openssl req -new -x509 -key ca.key -out ca.crt
>>
>> sign client CSR
>> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
>>
>>
>> *** CLIENT KEYS
>>
>> generate client private key
>> openssl genpkey -algorithm RSA -out private_key.key -pkeyopt rsa_keygen_bits:4096
>>
>> generate certificate signing request (CSR)
>> openssl req -new -key private_key.key -out client.csr
>>
>> generate pkcs12 client certificate
>> openssl pkcs12 -export -out certificate.p12 -inkey private_key.key -in client.crt
>>
>>
>>
>> *** Apache2 config
>>
>> (This is inside a virtual host block)
>>
>> # This is the CA.crt file I generated above
>> SSLCACertificateFile /etc/apache2/ssl-client/ca.crt
>>
>> <Directory /var/www/html/secure>
>>     SSLRequireSSL
>> #   SSLVerifyClient require
>>     SSLVerifyClient optional_no_ca
>>     SSLVerifyDepth 2
>>     SSLOptions +StdEnvVars +ExportCertData
>> #   SSLRequire %{SSL_CLIENT_S_DN_CN} == ""
>> </Directory>
>>
>> I imported the pkcs12 client certificate I generated above into my Firefox
>> browser.
>>
>> When I access:
>> https://example.com/secure
>>
>> I get this error:
>>
>> Forbidden
>> You don't have permission to access this resource.
>> Reason: Cannot perform Post-Handshake Authentication.
>>
>>
>> I'm not sure where to go from here. I don't know how to get past this
>> error message.

[users@httpd] Re: Apache2 certificate authentication

Posted by Jiangsu Kumquat <x...@mynetblog.com>.
I just tried accessing the "/secure/" directory in Edge and got the same
error message after importing my pkcs12 certificate.

I forgot to include the Apache2 error logs...

[Mon Jul 10 03:20:37.629596 2023] [ssl:error] [pid 2410] [client
192.168.0.5:64817] AH10158: cannot perform post-handshake authentication
[Mon Jul 10 03:20:37.629633 2023] [ssl:error] [pid 2410] SSL Library Error:
error:0A000117:SSL routines::extension not received

On Sun, Jul 9, 2023 at 6:52 PM Jiangsu Kumquat <x...@mynetblog.com> wrote:

>
> I'm stuck. I am trying to use certificate authentication to restrict
> access to a directory. I'm using my own certificate authority that I
> created using the commands below.
>
> I'm running Apache2 on Debian Linux.
>
> *** CA KEYS
>
> create CA private key
> openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096
>
> create CA self signed certificate
> openssl req -new -x509 -key ca.key -out ca.crt
>
> sign client CSR
> openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
>
>
> *** CLIENT KEYS
>
> generate client private key
> openssl genpkey -algorithm RSA -out private_key.key -pkeyopt rsa_keygen_bits:4096
>
> generate certificate signing request (CSR)
> openssl req -new -key private_key.key -out client.csr
>
> generate pkcs12 client certificate
> openssl pkcs12 -export -out certificate.p12 -inkey private_key.key -in client.crt
>
>
>
> *** Apache2 config
>
> (This is inside a virtual host block)
>
> # This is the CA.crt file I generated above
> SSLCACertificateFile /etc/apache2/ssl-client/ca.crt
>
> <Directory /var/www/html/secure>
>     SSLRequireSSL
> #   SSLVerifyClient require
>     SSLVerifyClient optional_no_ca
>     SSLVerifyDepth 2
>     SSLOptions +StdEnvVars +ExportCertData
> #   SSLRequire %{SSL_CLIENT_S_DN_CN} == ""
> </Directory>
>
> I imported the pkcs12 client certificate I generated above into my Firefox
> browser.
>
> When I access:
> https://example.com/secure
>
> I get this error:
>
> Forbidden
> You don't have permission to access this resource.
> Reason: Cannot perform Post-Handshake Authentication.
>
>
> I'm not sure where to go from here. I don't know how to get past this
> error message.