Posted to users@httpd.apache.org by chima s <ch...@gmail.com> on 2013/03/07 06:54:57 UTC
[users@httpd] SSL Mutual Authentication
Hi All,
We have set up SSL mutual authentication as per the document and it is
working fine. But while checking the packet flow using tcpdump, we found
the server is requesting the client certificate twice. Is this normal? Or
am I missing something? Because in the RFC, only one request is
mentioned.
Below is the SSL Configuration for SSL Client authentication:
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile "/usr/local/src/CA/ca.pem"
Apache Version:
We tried on both 2.4.3 and 2.2.24
OpenSSL:
OpenSSL 1.0.0
Browser:
IE - 8 & 9
Firefox - 19
Regards
Chima
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] SSL Mutual Authentication
Posted by chima s <ch...@gmail.com>.
HI Eric,
The tcpdump shows 2 connections.
Please find the connection dump:
1 0.000000 192.168.78.64 10.250.250.188 TCP 68 14104 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
2 0.000151 10.250.250.188 192.168.78.64 TCP 68 https > 14104 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 0.261678 192.168.78.64 10.250.250.188 TCP 68 33717 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
4 0.261785 10.250.250.188 192.168.78.64 TCP 68 https > 33717 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
5 0.264488 192.168.78.64 10.250.250.188 TCP 62 14104 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
6 0.265358 192.168.78.64 10.250.250.188 TLSv1 204 Client Hello
7 0.265442 10.250.250.188 192.168.78.64 TCP 56 https > 14104 [ACK] Seq=1 Ack=149 Win=6912 Len=0
8 0.276847 10.250.250.188 192.168.78.64 TLSv1 1316 Server Hello
9 0.276890 10.250.250.188 192.168.78.64 TLSv1 791 Certificate
10 0.527661 192.168.78.64 10.250.250.188 TCP 62 33717 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
11 0.529070 192.168.78.64 10.250.250.188 TLSv1 204 Client Hello
12 0.529177 10.250.250.188 192.168.78.64 TCP 56 https > 33717 [ACK] Seq=1 Ack=149 Win=6912 Len=0
13 0.538247 10.250.250.188 192.168.78.64 TLSv1 1316 Server Hello
14 0.538277 10.250.250.188 192.168.78.64 TLSv1 791 Certificate
15 0.543441 192.168.78.64 10.250.250.188 TCP 62 14104 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
16 0.807656 192.168.78.64 10.250.250.188 TCP 62 33717 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
17 2.240939 192.168.78.64 10.250.250.188 TCP 1316 [TCP segment of a reassembled PDU]
18 2.241001 192.168.78.64 10.250.250.188 TLSv1 242 Certificate, Client Key Exchange, Certificate Verify
19 2.241030 10.250.250.188 192.168.78.64 TCP 56 https > 14104 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
20 2.249191 10.250.250.188 192.168.78.64 TLSv1 1298 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
21 2.253185 192.168.78.64 10.250.250.188 TCP 1316 [TCP segment of a reassembled PDU]
22 2.253431 192.168.78.64 10.250.250.188 TLSv1 242 Certificate, Client Key Exchange, Certificate Verify
23 2.253462 10.250.250.188 192.168.78.64 TCP 56 https > 33717 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
24 2.261121 10.250.250.188 192.168.78.64 TLSv1 1298 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
25 2.515923 192.168.78.64 10.250.250.188 TLSv1 402 Application Data, Application Data
26 2.517877 10.250.250.188 192.168.78.64 TLSv1 626 Application Data, Application Data
27 2.518507 10.250.250.188 192.168.78.64 TCP 56 https > 14104 [FIN, ACK] Seq=3808 Ack=1941 Win=14976 Len=0
28 2.727484 192.168.78.64 10.250.250.188 TCP 62 33717 > https [ACK] Seq=1595 Ack=3238 Win=65536 Len=0
29 2.783812 192.168.78.64 10.250.250.188 TCP 62 14104 > https [ACK] Seq=1941 Ack=3809 Win=66780 Len=0
While calling a single URL, why were there 2 connections? This also happens when we
try to connect from Java applications.
Thanks & Regards
Chima
On Thu, Mar 7, 2013 at 11:16 PM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Mar 7, 2013 at 12:08 PM, chima s <ch...@gmail.com> wrote:
> > Hi Eric,
> >
> > It's a single connection. Just testing with a single browser and calling the
> > default SSL home page.
>
> Please be more clear. Does your packet trace show two tcp connections
> are made, or one?
>
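The check Eric asks for, as an added example that is not part of the thread: group the handshake messages of a capture by TCP connection and count how many times the server sent a CertificateRequest on each one. One request per connection, seen on two connections, is the normal case in the dump above (the browser simply opened two parallel TCP connections and each ran a full handshake); more than one on a single connection would mean the server renegotiated and asked for the certificate again, which is the case worth looking into. The poster's summary has no port columns on the TLS frames, so the input below is constructed to the shape of `tshark -T fields` output with `frame.number`, `ip.src`, `tcp.srcport`, `ip.dst`, `tcp.dstport` and `_ws.col.Info`; the IPs, ports and the listener on 443 are assumptions.

```python
"""Count TLS client-auth requests per TCP connection in a tshark field dump.

Added example, not from the thread. Input lines are assumed to be in the shape
of `tshark -T fields -E separator=/t -e frame.number -e ip.src -e tcp.srcport
-e ip.dst -e tcp.dstport -e _ws.col.Info`; the samples below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SERVER_PORT = 443  # assumption: the HTTPS listener in the trace


@dataclass
class ConnStats:
    client_hellos: int = 0   # client -> server ClientHello
    cert_requests: int = 0   # server -> client CertificateRequest
    client_certs: int = 0    # client -> server Certificate


# Constructed sample: two parallel connections (client ports 14104 and 33717),
# each a full handshake with client authentication, like the thread's trace.
TWO_CONNECTIONS = """\
1\t192.168.78.64\t14104\t10.250.250.188\t443\t14104 > 443 [SYN] Seq=0
2\t192.168.78.64\t33717\t10.250.250.188\t443\t33717 > 443 [SYN] Seq=0
3\t192.168.78.64\t14104\t10.250.250.188\t443\tClient Hello
4\t10.250.250.188\t443\t192.168.78.64\t14104\tServer Hello, Certificate, Certificate Request, Server Hello Done
5\t192.168.78.64\t33717\t10.250.250.188\t443\tClient Hello
6\t10.250.250.188\t443\t192.168.78.64\t33717\tServer Hello, Certificate, Certificate Request, Server Hello Done
7\t192.168.78.64\t14104\t10.250.250.188\t443\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
8\t192.168.78.64\t33717\t10.250.250.188\t443\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
9\t10.250.250.188\t443\t192.168.78.64\t14104\tNew Session Ticket, Change Cipher Spec, Finished
10\t10.250.250.188\t443\t192.168.78.64\t33717\tNew Session Ticket, Change Cipher Spec, Finished
11\t192.168.78.64\t14104\t10.250.250.188\t443\tApplication Data
"""

# Constructed sample: one connection that is renegotiated, so the server asks
# for the client certificate twice. Shown as a decrypted capture would display
# it; on the wire the second handshake is encrypted under the first session.
RENEGOTIATED = """\
1\t192.168.78.64\t40000\t10.250.250.188\t443\tClient Hello
2\t10.250.250.188\t443\t192.168.78.64\t40000\tServer Hello, Certificate, Certificate Request, Server Hello Done
3\t192.168.78.64\t40000\t10.250.250.188\t443\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
4\t10.250.250.188\t443\t192.168.78.64\t40000\tChange Cipher Spec, Finished
5\t192.168.78.64\t40000\t10.250.250.188\t443\tApplication Data
6\t10.250.250.188\t443\t192.168.78.64\t40000\tHello Request
7\t192.168.78.64\t40000\t10.250.250.188\t443\tClient Hello
8\t10.250.250.188\t443\t192.168.78.64\t40000\tServer Hello, Certificate, Certificate Request, Server Hello Done
9\t192.168.78.64\t40000\t10.250.250.188\t443\tCertificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished
"""


def parse_dump(text: str) -> dict:
    """Group handshake messages by (client_ip, client_port, server_ip, server_port)."""
    stats = defaultdict(ConnStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _frame, src, sport, dst, dport, info = line.split("\t", 5)
        if int(dport) == SERVER_PORT:
            key, from_client = (src, int(sport), dst, int(dport)), True
        elif int(sport) == SERVER_PORT:
            key, from_client = (dst, int(dport), src, int(sport)), False
        else:
            continue  # not traffic to or from the TLS server
        # The Info column lists the records in a frame separated by commas.
        msgs = [m.strip() for m in info.split(",")]
        s = stats[key]
        if from_client:
            s.client_hellos += msgs.count("Client Hello")
            s.client_certs += msgs.count("Certificate")  # exact match excludes "Certificate Verify"
        else:
            s.cert_requests += msgs.count("Certificate Request")
    return dict(stats)


def assess(stats: dict) -> dict:
    """One CertificateRequest per connection is a normal full handshake; more than
    one on the same connection means the server renegotiated and asked again."""
    verdicts = {}
    for key, s in stats.items():
        if s.cert_requests == 0:
            verdicts[key] = "no client-auth request"
        elif s.cert_requests == 1:
            verdicts[key] = "normal"
        else:
            verdicts[key] = "renegotiation"
    return verdicts


if __name__ == "__main__":
    for name, dump in (("two connections", TWO_CONNECTIONS), ("renegotiated", RENEGOTIATED)):
        stats = parse_dump(dump)
        print(f"{name}: {len(stats)} connection(s)")
        for key, verdict in assess(stats).items():
            s = stats[key]
            print(f"  {key[0]}:{key[1]} -> {s.cert_requests} CertificateRequest(s), "
                  f"{s.client_certs} client Certificate(s): {verdict}")
```

Running the script reports two connections with one CertificateRequest each for the first sample and a single connection flagged as renegotiation for the second. On a real capture, feed the output of the `tshark -T fields` command named in the docstring instead of the constructed strings.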
Re: [users@httpd] SSL Mutual Authentication
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 7, 2013 at 12:08 PM, chima s <ch...@gmail.com> wrote:
> Hi Eric,
>
> It's a single connection. Just testing with a single browser and calling the
> default SSL home page.
Please be more clear. Does your packet trace show two tcp connections
are made, or one?
Re: [users@httpd] SSL Mutual Authentication
Posted by chima s <ch...@gmail.com>.
Hi Eric,
It's a single connection. Just testing with a single browser and calling the
default SSL home page.
Regards,
Chima
On Thu, Mar 7, 2013 at 9:29 PM, Eric Covener <co...@gmail.com> wrote:
> On Thu, Mar 7, 2013 at 12:54 AM, chima s <ch...@gmail.com> wrote:
> > Hi All,
> >
> > We have set up SSL mutual authentication as per the document and it is
> > working fine. But while checking the packet flow using tcpdump, we found
> > the server is requesting the client certificate twice. Is this normal? Or
> > am I missing something? Because in the RFC, only one request is
> > mentioned.
> >
>
> If it's two requests over two connections, it's normal.
>
Re: [users@httpd] SSL Mutual Authentication
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 7, 2013 at 12:54 AM, chima s <ch...@gmail.com> wrote:
> Hi All,
>
> We have set up SSL mutual authentication as per the document and it is
> working fine. But while checking the packet flow using tcpdump, we found
> the server is requesting the client certificate twice. Is this normal? Or
> am I missing something? Because in the RFC, only one request is
> mentioned.
>
If it's two requests over two connections, it's normal.