Posted to users@httpd.apache.org by Karan Mengi <Ka...@infosys.com> on 2015/06/09 09:29:26 UTC

[users@httpd] Issue with Mutual SSL Authentication

Hi Team,

We are facing issues while performing Mutual SSL Authentication between Apache HTTPD Proxy and Server (using BW as Server).

Scenario is: HTTP Client --- (http connection)---> Apache HTTPD --- (https connection) --->HTTPS Server.

Server side authentication is working fine on both Linux and Windows environments. However, Mutual SSL authentication is only working on Windows, and we are facing issues while implementing the same logic on Linux.
On Windows we are using the latest Apache HTTPD Proxy version 2.4.10. For Linux we are using Apache HTTPD Proxy version 2.2.26.

The problem appears to be that HTTPD does not include the issuer details while presenting its certificate to the server, so probably it's failing chain verification. We have tried many options found on the net like including the flag "SSLOptions +ExportCertData", but nothing seems to help.

On Linux, HTTPD is not sending the full certificate details back to the server.

Please find below the Logs for both Windows(success) and Linux(error) Environments:

Windows

Server version: Apache/2.4.10 (Win64)
Apache Lounge VC11 Server built:   Jul 17 2014 12:58:29

Logs:

[Wed Jun 03 16:21:18.307618 2015] [ssl:debug] [pid 6580:tid 964] ssl_engine_kernel.c(1517): [remote 127.0.0.1:9099] AH02277: Proxy client certificate callback: (Proxy:hostname) AH02278: no acceptable CA list, sending [subject: CN=Proxy,OU=ITS,O=XXXXX,L=XXXXX,ST=XXXXX,C=XXXXX / issuer: CN=XXXXX,DC=testcore,DC=test,DC=dir,DC=XXXXX,DC=com / serial: 247B895600020000890B / notbefore: Apr 19 04:24:18 2015 GMT / notafter: Apr 18 04:24:18 2017 GMT]
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] ssl_engine_kernel.c(1836): [remote 127.0.0.1:9099] AH02041: Protocol: TLSv1, Cipher: XXXXX
[Wed Jun 03 16:21:18.441632 2015] [ssl:debug] [pid 6580:tid 964] ssl_util_ssl.c(343): AH02412: [Proxy_Server:hostname] Cert matches for name 'Server' [subject: CN=Server,OU=ITS,O=XXXXX,L=XXXXX,ST=XXXXX,C=XXXXX / issuer: CN=XXXXXCA1,DC=testcore,DC=test,DC=dir,DC=XXXXX,DC=com / serial: 24884F6A00020000890F / notbefore: Apr 19 04:38:15 2015 GMT / notafter: Apr 18 04:38:15 2017 GMT]


Linux

Server version: Apache/2.2.26 (Unix)
Server built:   Jul 18 2014 10:26:47

Logs:

[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(1513): [client 10.75.19.54] proxy: https: found worker https://Server_URL for https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy.c(1036): Running scheme https handler (attempt 0)
[Thu Jun 04 13:00:49 2015] [debug] mod_proxy_http.c(1974): proxy: HTTP: serving URL https://Server_URL
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2018): proxy: HTTPS: has acquired connection for (Server)
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2074): proxy: connecting https://Server_URL to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2200): proxy: connected /WSDL-service0.serviceagent/PortTypeEndpoint0 to Server:hostname
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2451): proxy: HTTPS: fam 2 socket created to connect to Server
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2583): proxy: HTTPS: connection complete to Server:hostname
[Thu Jun 04 13:00:49 2015] [info] [client 10.75.19.54] Connection to child 0 established (Server:hostname)
[Thu Jun 04 13:00:49 2015] [info] Seeding PRNG with 144 bytes of entropy
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1090): [client 0.0.0.0] SNI extension for SSL Proxy request set to 'Server'
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1915): OpenSSL: Handshake: start
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: before/connect initialization
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv2/v3 write client hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 bytes from BIO#7f1409de9600 [mem: 7f1409deebe0] (BIO dump follows)

[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server hello A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 3, subject: /CN=XXXXX XXXXX, issuer: /CN=XXXXX
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 2, subject: /CN=XXXXX, issuer: /CN=XXXXX
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 1, subject: /DC=com/DC=XXXXX/DC=dir/DC=test/DC=testcore/CN=XXXXX, issuer: /CN=XXXXX
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1322): [client 0.0.0.0] Certificate Verification: depth: 0, subject: /C=XXXXX/ST=XXXXX/L=XXXXX/O=XXXXX/OU=ITS/CN=Server, issuer: /DC=com/DC=XXXXX/DC=dir/DC=test/DC=testcore/CN=XXXXX
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server certificate A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server key exchange A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server certificate request A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 read server done A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1687): Proxy client certificate callback: (Proxy:hostname) entered
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1657): Proxy client certificate callback: (Proxy:hostname)) no acceptable CA list, sending /C=XXXXX/ST=XXXXX/L=XXXXX/O=XXXXX/OU=ITS/CN=Proxy

[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 write client certificate A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 write client key exchange A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 write certificate verify A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 write change cipher spec A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 write finished A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1923): OpenSSL: Loop: SSLv3 flush data
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 5/5 bytes from BIO#7f1409de9600 [mem: 7f1409deebe3] (BIO dump follows)

[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1928): OpenSSL: Read: SSLv3 read finished A
[Thu Jun 04 13:00:49 2015] [debug] ssl_engine_kernel.c(1947): OpenSSL: Exit: failed in SSLv3 read finished A
[Thu Jun 04 13:00:49 2015] [info] [client 0.0.0.0] SSL Proxy connect failed
[Thu Jun 04 13:00:49 2015] [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
[Thu Jun 04 13:00:49 2015] [info] [client 0.0.0.0] Connection closed to child 0 with abortive shutdown (server Proxy:hostname)
[Thu Jun 04 13:00:49 2015] [error] (502)Unknown error 502: proxy: pass request body failed to 0.0.0.0:hostname (Server)
[Thu Jun 04 13:00:49 2015] [error] [client 0.0.0.0] proxy: Error during SSL Handshake with remote server returned by /myapp
[Thu Jun 04 13:00:49 2015] [error] proxy: pass request body failed to 0.0.0.0:hostname (Server) from 0.0.0.0 ()
[Thu Jun 04 13:00:49 2015] [debug] proxy_util.c(2036): proxy: HTTPS: has released connection for (Server)


PS: IP, server, certificates and Proxy details are removed from the logs.

Thanks in advance
Karan


Re: [users@httpd] Issue with Mutual SSL Authentication

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Jun 9, 2015 at 9:29 AM, Karan Mengi <Ka...@infosys.com> wrote:
>
> The problem appears to be that HTTPD does not include the issuer details
> while presenting its certificate to the server, so probably its failing
> chain verification. We have tried many options found on the net like
> including the flag “SSLOptions +ExportCertData”, but nothing seems to help.

Did you try SSLProxyMachineCertificateChainFile?
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxymachinecertificatechainfile
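For readers landing on this thread, here is what a proxy-side mutual TLS configuration using the directive Yann points to looks like. This is an added example, not configuration from the original post or from the httpd project; all file paths, the hostname and the location are placeholders. The point it illustrates is that SSLProxyMachineCertificateFile carries only the proxy's own leaf certificate and key, so the intermediate CA certificate(s) that issued it have to be supplied separately via SSLProxyMachineCertificateChainFile for httpd to send them during the handshake.

```apache
# Added example (not from the thread). Paths and hostnames are placeholders.
SSLProxyEngine on

# CA bundle used to verify the certificate the backend server presents.
# The verify depth must cover the backend's full chain (the Linux log above
# shows the backend chain being verified down to depth 3).
SSLProxyCACertificateFile /etc/httpd/ssl/backend-ca-bundle.pem
SSLProxyVerify require
SSLProxyVerifyDepth 4

# The client certificate and private key the proxy presents to the backend,
# concatenated in one PEM file. Only the leaf certificate is sent from here.
SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

# Intermediate CA certificate(s) that issued proxy-client.pem, PEM concatenated.
# Without this file the backend receives the leaf alone and cannot build the
# chain, which is the "bad certificate" alert seen in the Linux log.
SSLProxyMachineCertificateChainFile /etc/httpd/ssl/proxy-client-chain.pem

<Location /myapp>
    ProxyPass        https://backend.example.internal/myapp
    ProxyPassReverse https://backend.example.internal/myapp
</Location>
```

Before reloading httpd, it is worth confirming that the chain file really links the client certificate to a trusted root, since mod_ssl builds the chain from this file at startup: `openssl verify -CAfile root-ca.pem -untrusted /etc/httpd/ssl/proxy-client-chain.pem /etc/httpd/ssl/proxy-client.pem` should print `OK`. Note that `SSLOptions +ExportCertData` only controls whether certificate data is exported into CGI/SSI environment variables for inbound connections; it has no effect on what the proxy sends to a backend, which is why it did not help here.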
