Posted to users@httpd.apache.org by Christopher Ljungblad <ch...@gmail.com> on 2008/04/08 21:51:54 UTC

[users@httpd] Client certificate - handshake failed

Hi,
We are using Apache httpd 2.2.3 on Red Hat Linux and have a problem with our
client certificates.

In the ssl.conf file we have configured a Virtual Host that listens on
port 444 and requires the client to present a certificate for verification.

<VirtualHost *:444>
<Location /servlets/*>
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificateFile /etc/pki/tls/certs/xxxxx_users.cer
</Location>
# (remaining SSLEngine / certificate directives of the vhost not shown)
</VirtualHost>

This works out fine: the client certificate can be chosen in the browser
and I can fill in the password and click "ok".
But the certificate is not validated correctly and the ssl_error log says:

[Tue Apr 08 15:25:23 2008] [error] Re-negotiation handshake failed: Not accepted by client!?

What am I missing? I got this working in Tomcat using the exact same
certificate. Is there a way to keep the client certificate
handling in Tomcat?

Regards
/Christopher

Re: [users@httpd] Client certificate - handshake failed

Posted by Serge Dubrouski <se...@gmail.com>.
On Tue, Apr 8, 2008 at 2:40 PM, Christopher Ljungblad
<ch...@gmail.com> wrote:
> Thanks for quick reply Serge,
>
> I'm still a bit confused and cannot really address the problem, so
>
> I also checked the ssl access_log where I got these 2 messages:
>
> 192.168.0.254 - - [08/Apr/2008:22:27:59 +0200] "POST /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1" 403 -
>
> 192.168.0.254 - - [08/Apr/2008:22:28:00 +0200] "POST /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1" 500 3012
>
> And in my Java code, where I usually (using Tomcat and a keystore) can fetch
> the certificates, I got a NullPointerException (certs is now null):
>
> X509Certificate[] certs =
> (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
>
> How do I know that the Apache httpd correctly gets the certificates?

You should be able to pick them up in your application.
> How do I fetch the certificate in my Java application (Tomcat)?

Use mod_jk with appropriate configuration. Something like this:

JkWorkersFile      /opt/web/tomcat/conf/jk/workers.properties
JkLogFile          /opt/web/logs/http/mod_jk.log
JkLogLevel         info
JkLogStampFormat   "[%a %b %d %H:%M:%S %Y] "
JkOptions          +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"

# Should mod_jk send SSL information to Tomcat (default is On)
JkExtractSSL On
# What is the indicator for SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# What is the indicator for SSL session (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# What is the indicator for the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT


So far this is the only method that worked for me. Sorry, I'm not a
Java developer and can't give you info on how to retrieve client certs
in Java.
> Any other suggestions on what is going wrong are highly appreciated.

Check this https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
for more details on this problem.

>
> Cheers
> Chris

-- 
Serge Dubrouski.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
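
As an added illustration (this is not code from the thread or from mod_jk), here is a servlet-side handler that reads the chain Tomcat exposes under the standard attribute once mod_jk forwards SSL_CLIENT_CERT, and treats a missing attribute as the forwarding problem discussed above instead of letting it surface as a NullPointerException. The class and method names are mine.

```java
// Added example: reading the client certificate forwarded by httpd/mod_jk.
// Class and method names are hypothetical; the attribute name is the one
// defined by the Servlet specification.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {

    // Servlet-spec attribute; with mod_jk it is populated from the variable
    // named by JkCERTSIndicator (SSL_CLIENT_CERT) when JkExtractSSL is On.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client (leaf) certificate, or null if nothing was forwarded. */
    static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;                        // attribute absent: not forwarded
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length == 0 ? null : chain[0];   // chain[0] is the client cert
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate cert = clientCertificate(req);
        if (cert == null) {
            // Either httpd did not require a certificate for this path, or
            // mod_jk did not forward it. Fail closed with a clear reason
            // rather than dereferencing a null array.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No client certificate was presented or forwarded");
            return;
        }
        try {
            cert.checkValidity();               // not-before / not-after check
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate expired or not yet valid");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated subject: " + cert.getSubjectX500Principal().getName());
        out.println("Issuer: " + cert.getIssuerX500Principal().getName());
        out.println("Serial: " + cert.getSerialNumber().toString(16));
    }
}
```

Two httpd-side checks decide whether that attribute is non-null: mod_ssl only exports the PEM certificate into SSL_CLIENT_CERT when `SSLOptions +ExportCertData` is set for the vhost or location, and the JkCERTSIndicator name must match that variable. Requiring the certificate at the VirtualHost level instead of per Location also avoids the renegotiation that the "Re-negotiation handshake failed" message refers to.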


Re: [users@httpd] Client certificate - handshake failed

Posted by Christopher Ljungblad <ch...@gmail.com>.
Thanks for quick reply Serge,

I'm still a bit confused and cannot really address the problem, so

I also checked the ssl access_log where I got these 2 messages:

192.168.0.254 - - [08/Apr/2008:22:27:59 +0200] "POST /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1" 403 -

192.168.0.254 - - [08/Apr/2008:22:28:00 +0200] "POST /servlets/nexus.seam?action=authenticate&client=nexus-personal_4 HTTP/1.1" 500 3012

And in my Java code, where I usually (using Tomcat and a keystore) can fetch
the certificates, I got a NullPointerException (certs is now null):

X509Certificate[] certs =
(X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");

How do I know that the Apache httpd correctly gets the certificates?
How do I fetch the certificate in my Java application (Tomcat)?
Any other suggestions on what is going wrong are highly appreciated.

Cheers
Chris



On Tue, Apr 8, 2008 at 9:54 PM, Serge Dubrouski <se...@gmail.com> wrote:

> Just ignore them, they are generated when client switches between
> locations with different SSLVerifyClient options set.

Re: [users@httpd] Client certificate - handshake failed

Posted by Serge Dubrouski <se...@gmail.com>.
Just ignore them, they are generated when client switches between
locations with different SSLVerifyClient options set.

On Tue, Apr 8, 2008 at 1:51 PM, Christopher Ljungblad
<ch...@gmail.com> wrote:
-- 
Serge Dubrouski.
