Posted to users@httpd.apache.org by chima s <ch...@gmail.com> on 2013/03/07 06:54:57 UTC

[users@httpd] SSL Mutual Authentication

Hi All,

We have set up SSL mutual authentication as per the document and it is
working fine. But while checking the packet flow using tcpdump, we found
the server is requesting the client certificate twice. Is this normal, or
am I missing something? Because in the RFC, only one request is
mentioned.

Below is the SSL Configuration for SSL Client authentication:
SSLVerifyClient require
SSLVerifyDepth  2
SSLCACertificateFile "/usr/local/src/CA/ca.pem"

Apache Version:
We tried on both 2.4.3 and 2.2.24

OpenSSL:
OpenSSL 1.0.0

Browser:
IE - 8 & 9
Firefox - 19

Regards
Chima

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL Mutual Authentication

Posted by chima s <ch...@gmail.com>.
Hi Eric,

The tcpdump shows 2 connections.

Please find the connection dump:

1    0.000000    192.168.78.64    10.250.250.188    TCP    68    14104 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
2    0.000151    10.250.250.188    192.168.78.64    TCP    68    https > 14104 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
3    0.261678    192.168.78.64    10.250.250.188    TCP    68    33717 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
4    0.261785    10.250.250.188    192.168.78.64    TCP    68    https > 33717 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
5    0.264488    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
6    0.265358    192.168.78.64    10.250.250.188    TLSv1    204    Client Hello
7    0.265442    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [ACK] Seq=1 Ack=149 Win=6912 Len=0
8    0.276847    10.250.250.188    192.168.78.64    TLSv1    1316    Server Hello
9    0.276890    10.250.250.188    192.168.78.64    TLSv1    791    Certificate
10    0.527661    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
11    0.529070    192.168.78.64    10.250.250.188    TLSv1    204    Client Hello
12    0.529177    10.250.250.188    192.168.78.64    TCP    56    https > 33717 [ACK] Seq=1 Ack=149 Win=6912 Len=0
13    0.538247    10.250.250.188    192.168.78.64    TLSv1    1316    Server Hello
14    0.538277    10.250.250.188    192.168.78.64    TLSv1    791    Certificate
15    0.543441    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
16    0.807656    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
17    2.240939    192.168.78.64    10.250.250.188    TCP    1316    [TCP segment of a reassembled PDU]
18    2.241001    192.168.78.64    10.250.250.188    TLSv1    242    Certificate, Client Key Exchange, Certificate Verify
19    2.241030    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
20    2.249191    10.250.250.188    192.168.78.64    TLSv1    1298    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
21    2.253185    192.168.78.64    10.250.250.188    TCP    1316    [TCP segment of a reassembled PDU]
22    2.253431    192.168.78.64    10.250.250.188    TLSv1    242    Certificate, Client Key Exchange, Certificate Verify
23    2.253462    10.250.250.188    192.168.78.64    TCP    56    https > 33717 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
24    2.261121    10.250.250.188    192.168.78.64    TLSv1    1298    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
25    2.515923    192.168.78.64    10.250.250.188    TLSv1    402    Application Data, Application Data
26    2.517877    10.250.250.188    192.168.78.64    TLSv1    626    Application Data, Application Data
27    2.518507    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [FIN, ACK] Seq=3808 Ack=1941 Win=14976 Len=0
28    2.727484    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=1595 Ack=3238 Win=65536 Len=0
29    2.783812    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=1941 Ack=3809 Win=66780 Len=0

While calling a single URL, why were there 2 connections? This also happens
when we try to connect from Java applications.

Thanks & Regards
Chima

On Thu, Mar 7, 2013 at 11:16 PM, Eric Covener <co...@gmail.com> wrote:

> On Thu, Mar 7, 2013 at 12:08 PM, chima s <ch...@gmail.com> wrote:
> > Hi Eric,
> >
> > It's a single connection. Just testing with a single browser and calling the
> > default SSL home page.
>
> Please be more clear. Does your packet trace show two tcp connections
> are made, or one?
>
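As an added illustration, not part of the thread and not Apache's own tooling: a small Python script that applies Eric's check to a packet summary like the one Chima posted. It counts TCP connections (pure SYN segments from the client) and TLS handshake messages, and reports whether the client-certificate exchanges line up one per connection, which is the normal case, or outnumber the connections, which would indicate a renegotiation on a single connection. The capture lines are constructed from the summary above (one packet per line); the parser assumes that summary's seven-column layout (number, time, source, destination, protocol, length, info) and that the server side is shown as the service name "https".

```python
import re
from collections import Counter

# Constructed sample: the 29-packet summary from the thread, one packet per line.
CAPTURE = """\
1    0.000000    192.168.78.64    10.250.250.188    TCP    68    14104 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
2    0.000151    10.250.250.188    192.168.78.64    TCP    68    https > 14104 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
3    0.261678    192.168.78.64    10.250.250.188    TCP    68    33717 > https [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1
4    0.261785    10.250.250.188    192.168.78.64    TCP    68    https > 33717 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1 WS=128
5    0.264488    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
6    0.265358    192.168.78.64    10.250.250.188    TLSv1    204    Client Hello
7    0.265442    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [ACK] Seq=1 Ack=149 Win=6912 Len=0
8    0.276847    10.250.250.188    192.168.78.64    TLSv1    1316    Server Hello
9    0.276890    10.250.250.188    192.168.78.64    TLSv1    791    Certificate
10    0.527661    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=1 Ack=1 Win=66780 Len=0
11    0.529070    192.168.78.64    10.250.250.188    TLSv1    204    Client Hello
12    0.529177    10.250.250.188    192.168.78.64    TCP    56    https > 33717 [ACK] Seq=1 Ack=149 Win=6912 Len=0
13    0.538247    10.250.250.188    192.168.78.64    TLSv1    1316    Server Hello
14    0.538277    10.250.250.188    192.168.78.64    TLSv1    791    Certificate
15    0.543441    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
16    0.807656    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=149 Ack=1996 Win=66780 Len=0
17    2.240939    192.168.78.64    10.250.250.188    TCP    1316    [TCP segment of a reassembled PDU]
18    2.241001    192.168.78.64    10.250.250.188    TLSv1    242    Certificate, Client Key Exchange, Certificate Verify
19    2.241030    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
20    2.249191    10.250.250.188    192.168.78.64    TLSv1    1298    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
21    2.253185    192.168.78.64    10.250.250.188    TCP    1316    [TCP segment of a reassembled PDU]
22    2.253431    192.168.78.64    10.250.250.188    TLSv1    242    Certificate, Client Key Exchange, Certificate Verify
23    2.253462    10.250.250.188    192.168.78.64    TCP    56    https > 33717 [ACK] Seq=1996 Ack=1595 Win=12416 Len=0
24    2.261121    10.250.250.188    192.168.78.64    TLSv1    1298    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
25    2.515923    192.168.78.64    10.250.250.188    TLSv1    402    Application Data, Application Data
26    2.517877    10.250.250.188    192.168.78.64    TLSv1    626    Application Data, Application Data
27    2.518507    10.250.250.188    192.168.78.64    TCP    56    https > 14104 [FIN, ACK] Seq=3808 Ack=1941 Win=14976 Len=0
28    2.727484    192.168.78.64    10.250.250.188    TCP    62    33717 > https [ACK] Seq=1595 Ack=3238 Win=65536 Len=0
29    2.783812    192.168.78.64    10.250.250.188    TCP    62    14104 > https [ACK] Seq=1941 Ack=3809 Win=66780 Len=0
"""

# A pure SYN (no ACK flag) from the client opens a new TCP connection.
SYN_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\S+) \[SYN\]")


def parse_packets(text):
    """Split the summary into dicts; assumes the seven-column tshark-style layout."""
    packets = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # blank or truncated line
        no, ts, src, dst, proto, length, info = parts
        packets.append({"no": int(no), "time": float(ts), "src": src, "dst": dst,
                        "proto": proto, "len": int(length), "info": info})
    return packets


def tcp_connections(packets):
    """Set of (client_ip, client_port) pairs that sent a pure SYN."""
    conns = set()
    for p in packets:
        if p["proto"] != "TCP":
            continue
        m = SYN_RE.match(p["info"])
        if m:
            conns.add((p["src"], int(m.group("sport"))))
    return conns


def tls_handshake_counts(packets):
    """Count each TLS record/handshake message name in the info column."""
    counts = Counter()
    for p in packets:
        if not p["proto"].startswith("TLS"):
            continue
        for msg in p["info"].split(","):
            counts[msg.strip()] += 1
    return counts


def assess(packets):
    """Compare handshakes with connections: one client-cert handshake per connection is normal."""
    n_conn = len(tcp_connections(packets))
    counts = tls_handshake_counts(packets)
    n_hello = counts["Client Hello"]
    n_client_cert = counts["Certificate Verify"]  # only the client sends CertificateVerify
    if n_conn == 0:
        verdict = "no connections found"
    elif n_hello > n_conn:
        verdict = "renegotiation: more handshakes than TCP connections"
    elif n_client_cert == n_conn:
        verdict = "normal: one client-certificate handshake per TCP connection"
    else:
        verdict = "client certificate not presented on every connection"
    return {"connections": n_conn, "client_hellos": n_hello,
            "client_cert_handshakes": n_client_cert, "verdict": verdict}


if __name__ == "__main__":
    print(assess(parse_packets(CAPTURE)))
```

For this trace the result is 2 connections, 2 Client Hellos and 2 client-certificate handshakes: each browser connection negotiated its own client certificate exactly once, which is the case Eric calls normal. A Client Hello count above the connection count would instead point at a renegotiation within one connection, which mod_ssl triggers when SSLVerifyClient is set in a per-directory context (Location or Directory) rather than server-wide as in the configuration at the top of the thread.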

Re: [users@httpd] SSL Mutual Authentication

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 7, 2013 at 12:08 PM, chima s <ch...@gmail.com> wrote:
> Hi Eric,
>
> It's a single connection. Just testing with a single browser and calling the
> default SSL home page.

Please be more clear. Does your packet trace show two tcp connections
are made, or one?



Re: [users@httpd] SSL Mutual Authentication

Posted by chima s <ch...@gmail.com>.
Hi Eric,

It's a single connection. Just testing with a single browser and calling the
default SSL home page.

Regards,
Chima



On Thu, Mar 7, 2013 at 9:29 PM, Eric Covener <co...@gmail.com> wrote:

> On Thu, Mar 7, 2013 at 12:54 AM, chima s <ch...@gmail.com> wrote:
> > Hi All,
> >
> > We have set up SSL mutual authentication as per the document and it is
> > working fine. But while checking the packet flow using tcpdump, we found
> > the server is requesting the client certificate twice. Is this normal, or
> > am I missing something? Because in the RFC, only one request is
> > mentioned.
> >
>
> If it's two requests over two connections, it's normal.
>

Re: [users@httpd] SSL Mutual Authentication

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 7, 2013 at 12:54 AM, chima s <ch...@gmail.com> wrote:
> Hi All,
>
> We have set up SSL mutual authentication as per the document and it is
> working fine. But while checking the packet flow using tcpdump, we found
> the server is requesting the client certificate twice. Is this normal, or
> am I missing something? Because in the RFC, only one request is
> mentioned.
>

If it's two requests over two connections, it's normal.
