Posted to users@httpd.apache.org by Jose Jerez <jo...@juntadeandalucia.es> on 2011/06/29 10:45:16 UTC

[users@httpd] SSLVerifyClient within

Hello folks,

I'm having trouble with the apache configuration in one of my virtual hosts
and I'm starting to wonder if what I'm trying is a supported configuration.

I'm setting up an SSL vhost with a <Location> directive, so that when a
request is made for that location the client certificate is requested, or is
supposed to be, because what really happens is that an error is shown in the
browser (ssl_error_handshake_failure_alert in Firefox) and in the Apache logs
(Re-negotiation request failed).

The environment where it is installed is Linux SLES10 with Apache 2.2.3, and
SLES11 with Apache 2.2.10.

The vhost configuration is:

###################################################################
<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost 10.241.128.121:443>

        DocumentRoot "/srv/www/vhosts/portaladriano"
        ServerName portaladriano-pre.justicia.junta-andalucia.es:443
        ServerAdmin gtsl.ius@juntadeandalucia.es
        ErrorLog /var/log/apache2/ws121-error_log
        TransferLog /var/log/apache2/ws121-access_log

        SSLEngine on

        SSLProtocol all -SSLv2

        SSLCipherSuite HIGH:MEDIUM

        SSLCertificateFile /etc/apache2/ssl.crt/padrianop.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/padrianop.key
        SSLCACertificateFile /etc/apache2/ssl.crt/fnmt.crt

        # Client certificate is demanded only for this URL prefix, which
        # makes mod_ssl renegotiate the TLS session after reading the request.
        <Location "/Fispenco/">
            SSLOptions +StdEnvVars +ExportCertData
            SSLVerifyClient require
            SSLVerifyDepth  2
        </Location>

        <Directory "/srv/www/vhosts/portaladriano">
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>
</IfDefine>
</IfDefine>
##################################################################

The reason to use a <Location> instead of a <Directory> is that, on the
production servers, the URL within the directive is JK-mounted from a Tomcat
server.

Accessing the parts outside the <Location> works without any problem: the SSL
connection is made and the requested content is shown.

For example accessing the URL 

    https://10.241.128.121/DilPenHU.html 

shows the html page perfectly, but accessing

    https://10.241.128.121/Fispenco/fispenco.htm 

returns the error mentioned before.

The funny thing is that this same configuration is working on one of my test
servers (SLES10, Apache 2.2.3), the first one that was set up. And on top of
that a few of my colleagues, not many, get the client certificate request when
accessing the URL in the <Location> directive on the servers where the
vhost configuration is "mostly" not working.

I also tried to access the URL with curl, and this is what I get:

#######################################################################
# curl -v --cacert ca.cert https://portaladriano-pre.justicia.junta-andalucia.es/Fispenco/fispenco.htm
* About to connect() to portaladriano-pre.justicia.junta-andalucia.es port 443 (#0)
*   Trying 10.241.128.121... connected
* Connected to portaladriano-pre.justicia.junta-andalucia.es (10.241.128.121) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ca.cert
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*        subject: /C=es/O=Junta de Andalucia/OU=ius/CN=portaladriano-pre.justicia.junta-andalucia.es/emailAddress=gtsl.ius@juntadeandalucia.es
*        start date: 2009-06-23 10:29:23 GMT
*        expire date: 2024-06-23 10:29:23 GMT
*        common name: portaladriano-pre.justicia.junta-andalucia.es (matched)
*        issuer: /C=es/O=junta-andalucia/OU=ius/CN=AC para la Administracion de Justicia en la Junta de Andalucia
* SSL certificate verify ok.
> GET /Fispenco/fispenco.htm HTTP/1.1
> User-Agent: curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8
> Host: portaladriano-pre.justicia.junta-andalucia.es
> Accept: */*
>
* SSLv3, TLS alert, Server hello (2):
* Empty reply from server
* Connection #0 to host portaladriano-pre.justicia.junta-andalucia.es left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
#######################################################################

Any clues about what might be happening here?

Thanks.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
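Reading the curl trace in the post above: both Finished messages appear, the server certificate verifies, the GET is sent, and only then does a fatal alert arrive. No CertificateRequest precedes the request, so the initial handshake did not ask for a client certificate at all; the failure is in the renegotiation mod_ssl starts once it sees that the request is for /Fispenco/, which matches the "Re-negotiation request failed" entry in the error log. The script below is an added example, not code from either post. It classifies a `curl -v` trace by whether the fatal alert came before or after the HTTP request. It relies on one curl quirk: curl of that era prints alert records using its handshake-message name table, so "TLS alert, Server hello (2)" is an alert of level 2 (fatal) and "TLS alert, Client hello (1)" is level 1 (warning; here the close_notify sent when curl closes the connection). SAMPLE_TRACE is the post's trace, abridged; CONSTRUCTED_TRACE is made up to exercise the other branch.

```python
"""Classify a `curl -v` TLS trace from a client-certificate protected URL:
did the fatal alert arrive during the initial handshake, or only after the
HTTP request was sent (where a per-Location SSLVerifyClient renegotiates)?

Added example, not from the mailing-list post. SAMPLE_TRACE is the post's
trace, abridged; CONSTRUCTED_TRACE is made up to exercise the other branch.
"""
import re

SAMPLE_TRACE = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* SSL certificate verify ok.
> GET /Fispenco/fispenco.htm HTTP/1.1
> Host: portaladriano-pre.justicia.junta-andalucia.es
>
* SSLv3, TLS alert, Server hello (2):
* Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
"""

# Constructed: the certificate is requested in the initial handshake
# (SSLVerifyClient at vhost level), the client has none, the server aborts.
CONSTRUCTED_TRACE = """\
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* Closing connection #0
"""

# "TLS handshake, <name> (<n>)": n is the TLS HandshakeType.
HANDSHAKE_RE = re.compile(r"^\* SSLv3, TLS handshake, .+ \((\d+)\):")
# curl 7.18 labels alert records with the same handshake-name table, so on
# an alert line n is the alert level: 1 = warning, 2 = fatal.
ALERT_RE = re.compile(r"^\* SSLv3, TLS alert, .+ \((\d+)\):")
REQUEST_RE = re.compile(r"^> [A-Z]+ \S+ HTTP/")
STATUS_RE = re.compile(r"^< HTTP/")
CERTIFICATE_REQUEST, FINISHED = 13, 20


def classify(trace):
    """Return the phases seen in the trace plus a one-line verdict."""
    s = {"cert_requested_initially": False, "cert_requested_after_request": False,
         "finished_msgs": 0, "request_sent": False, "status_seen": False,
         "fatal_alert_before_request": False, "fatal_alert_after_request": False}
    for line in trace.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            hs_type = int(m.group(1))
            if hs_type == CERTIFICATE_REQUEST:
                key = "after_request" if s["request_sent"] else "initially"
                s["cert_requested_" + key] = True
            elif hs_type == FINISHED and not s["request_sent"]:
                s["finished_msgs"] += 1      # 2 = both sides finished
        elif REQUEST_RE.match(line):
            s["request_sent"] = True
        elif STATUS_RE.match(line):
            s["status_seen"] = True
        else:
            m = ALERT_RE.match(line)
            if m and int(m.group(1)) == 2:   # fatal alert
                if not s["request_sent"]:
                    s["fatal_alert_before_request"] = True
                elif not s["status_seen"]:
                    s["fatal_alert_after_request"] = True

    if s["fatal_alert_before_request"]:
        s["verdict"] = "initial handshake failed" + (
            " after the server asked for a client certificate"
            if s["cert_requested_initially"] else "")
    elif (s["fatal_alert_after_request"] and s["finished_msgs"] >= 2
          and not s["cert_requested_initially"]):
        s["verdict"] = ("initial handshake completed with no CertificateRequest; "
                        "the fatal alert came only after the request, so the "
                        "failure is in the post-request renegotiation")
    elif s["status_seen"]:
        s["verdict"] = "server answered the request"
    else:
        s["verdict"] = "inconclusive"
    return s


if __name__ == "__main__":
    for name, trace in (("post", SAMPLE_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        print(name + ":", classify(trace)["verdict"])
```

Run against a trace taken on the "working" test server and on one of the failing ones, the two verdicts show directly whether the difference lies in the initial handshake or in the renegotiation, which is where to look when the same configuration behaves differently across hosts and clients.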


Re: [users@httpd] SSLVerifyClient within

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Jun 29, 2011 at 9:45 AM, Jose Jerez
<jo...@juntadeandalucia.es> wrote:
> I'm setting up an SSL vhost with a <Location> directive, so that when a
> request is made for that location the client certificate is requested, or is
> supposed to be, because what really happens is that an error is shown in the
> browser (ssl_error_handshake_failure_alert in Firefox) and in the Apache logs
> (Re-negotiation request failed).
[...]
> Any clues about what might be happening here?
>

I had similar issues when trying to set up this sort of thing myself.
My solution was to use 'SSLVerifyClient optional', applying to the
whole vhost, and then put in the appropriate SSLRequire statement
where I wanted the certificates verified.

So in this example, anything not served from '/errors/*' requires a
valid client certificate. If you don't have one, the appropriate
error page from /errors/ is shown.

<VirtualHost *:443>
    ServerName foo
    SSLEngine on
    SSLCertificateFile /etc/ssl/apache.crt
    SSLCertificateKeyFile /etc/ssl/apache.key
    SSLCACertificateFile /etc/ssl/ca.crt
    SSLVerifyClient optional

    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /usr/local/etc/apache22/errors

    <LocationMatch ^(?!/errors/)>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        SSLVerifyClient optional
    </LocationMatch>

    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/ca.crl
    SSLUserName SSL_CLIENT_S_DN_Email
</VirtualHost>


Cheers

Tom
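Tom's layout applied to the vhost from the first post, as an added example (it is not configuration from either poster). Everything is taken from the two posts except the /errors alias directory, its path and the error page name, which are assumptions. The point of the rearrangement: with SSLVerifyClient in a per-Location context, mod_ssl has to renegotiate the TLS session after it has already read the request line, and a peer that refuses that renegotiation produces exactly the "Re-negotiation request failed" error quoted in the first post. With `SSLVerifyClient optional` at vhost level the certificate is requested during the initial handshake of every connection, and the per-URL decision is made by SSLRequire on the established connection, with no renegotiation.

```apache
<VirtualHost 10.241.128.121:443>
    ServerName   portaladriano-pre.justicia.junta-andalucia.es:443
    DocumentRoot "/srv/www/vhosts/portaladriano"
    ErrorLog     /var/log/apache2/ws121-error_log
    TransferLog  /var/log/apache2/ws121-access_log

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile    /etc/apache2/ssl.crt/padrianop.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/padrianop.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/fnmt.crt
    SSLVerifyDepth 2

    # Ask for the client certificate in the initial handshake of every
    # connection to this vhost. "optional": a client with no certificate
    # is let in and sees SSL_CLIENT_VERIFY=NONE; a presented certificate
    # that does not chain to fnmt.crt within depth 2 still aborts the
    # handshake, so SSL_CLIENT_VERIFY can only be NONE or SUCCESS here.
    SSLVerifyClient optional
    SSLOptions +StdEnvVars +ExportCertData

    # Per-URL authorisation on the already-established connection, so no
    # renegotiation. SSLRequire runs before the request reaches the
    # JkMount handler; a request without a verified certificate gets 403.
    <Location "/Fispenco/">
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    # Page shown to refused clients. It lives outside /Fispenco/, so it
    # needs no certificate itself. Directory and file name are assumptions.
    ErrorDocument 403 /errors/certneeded.html
    Alias /errors /srv/www/vhosts/portaladriano-errors
    <Directory "/srv/www/vhosts/portaladriano-errors">
        Order allow,deny
        Allow from all
    </Directory>

    <Directory "/srv/www/vhosts/portaladriano">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

To check it, request /Fispenco/fispenco.htm twice with curl: once with only `--cacert ca.cert`, which should now complete the handshake and return a 403 carrying certneeded.html, and once adding `--cert client.pem --key client.key` for a certificate issued under fnmt.crt, which should return 200 (`-o /dev/null -w '%{http_code}\n'` prints just the status). The trade-off is that every browser holding a certificate from that CA is prompted for it on its first connection to the whole vhost, not only when it reaches /Fispenco/.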
