Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/01/24 14:21:34 UTC

[Bug 56061] New: IE11 with client side certificate fails to authenticate

https://issues.apache.org/bugzilla/show_bug.cgi?id=56061

            Bug ID: 56061
           Summary: IE11 with client side certificate fails to
                    authenticate
           Product: Apache httpd-2
           Version: 2.2.26
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: luke.huxley@cloudpay.net

Internet Explorer 11 with a client side certificate does not authenticate with
Apache 2.2.26. 

IE 11 does allow the user to select their certificate but somewhere in the
handshake Apache 2.2.26 doesn't receive it.

IE 10 and older, Firefox and Chrome all play nice, it's only IE 11. When
TLSv1.2 is disabled in IE 11, Apache authenticates the client side certificate.
When Apache is downgraded to 2.2.19 and TLSv1.2 is enabled in IE 11, Apache
authenticates the client side certificate.

I enabled debug logging for SSL connections and we expect to see the following
when the certificate is selected by the user from Internet Explorer:

[Thu Jan 23 14:41:11 2014] [debug] ssl_engine_io.c(1897): OpenSSL: read
1455/2147 bytes from BIO#7f78b5741440 [mem: 7f78b578f6c5] (BIO dump follows) 

But we see the following instead:

[Thu Jan 23 14:38:21 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 269/269
bytes from BIO#7f3a26f83b20 [mem: 7f3a26f73958] (BIO dump follows) 

Where it only received 269 bytes instead of the 2147 bytes that make up the
client side certificate.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 56061] IE11 with client side certificate fails to authenticate


Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Eric Covener <co...@gmail.com> ---
What is your server's certificate chain comprised of (signature alg)?
What is the signature algorithm of your client certificate?
Can you confirm with wireshark that the client never put its certificate on the
wire?

I know IE10+ w/ TLS1.2 won't accept md2 or md5 anywhere in the server's cert
chain, and also that TLS1.2 has a way for peers to tell each other what sigalgs
are acceptable. But I didn't think that was used for client cert selection.



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #8 from Luke Huxley <lu...@cloudpay.net> ---
I've tested IE11 against a web server with a verified CA and site certificate and
also a self signed certificate that has a SHA1 signature that user certificates
will authenticate against.

IE11 successfully authenticates the user cert over TLS 1.2 against that self
signed SHA1 certificate.

It would seem the problem might be in the SHA > MD5 signed chain. Interesting
how Firefox with TLS 1.2 is able to authenticate the client side cert but IE11
is not.

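A defender-side check for the condition described in comment #2 (an MD5-signed intermediate CA and MD5-signed client certificates), added here as an example that is not part of the bug thread: it reads each certificate's outer signatureAlgorithm OID straight from the DER framing, so an issued set of client certificates can be audited for the hash that the thread suspects IE11 rejects under TLS 1.2. The sample certificates are constructed stand-ins with a dummy tbsCertificate; point audit_chain at real DER files to audit a real chain.

```python
# Added example, not from the bug thread: report each DER-encoded X.509 cert's
# outer signatureAlgorithm so an MD5-signed intermediate or client cert (the
# thread's suspected trigger) stands out. The sample certs below are constructed.
SIG_ALGS = {  # RSA PKCS#1 v1.5 signature OIDs (RFC 3279 / RFC 4055)
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "legacy"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}

def der_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as real certificates use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(cert_der)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = der_tlv(body)          # skip tbsCertificate
    _, alg_id, _ = der_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_tlv(alg_id)
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid)

def audit_chain(chain):
    """chain: list of (label, der_bytes). Returns [(label, algorithm, rating)]."""
    return [(label,) + SIG_ALGS.get(signature_oid(der), ("unknown", "unknown"))
            for label, der in chain]

def fake_cert(oid_last_byte):
    """Constructed stand-in: real outer DER framing, dummy tbs and signature."""
    der = lambda tag, c: bytes([tag, len(c)]) + c  # short-form lengths suffice here
    alg = der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([oid_last_byte]) + b"\x05\x00")
    return der(0x30, der(0x30, b"\x02\x01\x01") + alg + der(0x03, b"\x00" + b"\xaa" * 8))

# Mirrors the chain from comment #2: SHA-1 root, MD5 intermediate and client cert.
SAMPLE_CHAIN = [("root CA", fake_cert(0x05)), ("intermediate CA", fake_cert(0x04)),
                ("client cert", fake_cert(0x04))]
```

Any entry rated "weak" is a certificate that would have to be reissued from a SHA-2-signed CA before a TLS 1.2 client that excludes MD5 from its signature_algorithms can use it.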


[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #6 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Luke Huxley from comment #2)
> Created attachment 31252 [details]
> Wireshark TLS 1.2 handshake between IE 11 and Apache 2.2.26
> 
> The root CA's signature algorithm is SHA1 with RSA but both the intermediate
> CA that validates the client certificate and the client certificates are MD5
> with RSA.
> 
> I've compared a TLS 1.0 handshake between Firefox and my web server with a
> TLS 1.2 handshake between IE 11 and my web server and, although I can see
> the client certificate being sent from FF, I can not see IE 11 sending the
> client certificate. 
> 
> I've attached the Wireshark SSL packets between IE 11 and Apache 2.2.26 to
> this bug as I may be wrong and the client certificate is sent.

Looks like IE11 is not sending a client cert for whatever reason.



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #4 from Luke Huxley <lu...@cloudpay.net> ---
Without SSLVerifyClient, yes, TLS 1.2 will handshake. It's the end of the day
for me now but I will create an SHA1 only chain for client side validation to
see if that allows a handshake.

If it turns out that SHA1 > MD5 signature chain is the cause then my problem
is that we've distributed a couple of hundred user certificates over several
years generated from that intermediate CA and will have to redo all of those
client certificates.



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #7 from Luke Huxley <lu...@cloudpay.net> ---
Created attachment 31275
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31275&action=edit
Wireshark of Firefox with TLS 1.2

I've attached a Wireshark packet capture of Firefox negotiating with Apache
2.2.26 with TLS 1.2 successfully; this problem seems to be related to IE11
only.



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #5 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Luke Huxley from comment #0)
> Internet Explorer 11 with a client side certificate does not authenticate
> with Apache 2.2.26. 
> 
> IE 11 does allow the user to select their certificate but somewhere in the
> handshake Apache 2.2.26 doesn't receive it.
> 
> IE 10 and older, Firefox and Chrome all play nice, it's only IE 11. When
> TLSv1.2 is disabled in IE 11 Apache authenticates the client side
> certificate. When Apache is downgraded to 2.2.19 and TLSv1.2 is enabled in
> IE 11 Apache authenticates the client side certificate.
> 

Are you sure that you use TLSv1.2 with 2.2.19? IMHO TLSv1.2 is not supported with
2.2.19.

Also can you compare the logs when you use FF with TLSv1.2 and 2.2.26 to IE11
with TLSv1.2 and 2.2.26?



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #11 from Eric Covener <co...@gmail.com> ---
In a related thread it was mentioned that changing the order of supported
signature algorithms might help some IE/Applet SSL errors. This is possible
with http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslopensslconfcmd



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #3 from Eric Covener <co...@gmail.com> ---
(In reply to Luke Huxley from comment #2)
> Created attachment 31252 [details]
> Wireshark TLS 1.2 handshake between IE 11 and Apache 2.2.26
> 
> The root CA's signature algorithm is SHA1 with RSA but both the intermediate
> CA that validates the client certificate and the client certificates are MD5
> with RSA.

Can you even handshake w/o client authentication from IE11 with that cert chain
under TLS1.2?



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #10 from Luke Huxley <lu...@cloudpay.net> ---
Thanks Eric, hopefully Microsoft will move faster than their normal pace on
this.

My way of connecting to Microsoft is through their Internet Explorer feedback
site, Microsoft Connect:

http://connect.microsoft.com/IE/feedback/details/812229/client-side-certificates-no-longer-being-presented-to-web-server-intermittent



[Bug 56061] IE11 with client side certificate fails to authenticate


Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #9 from Eric Covener <co...@gmail.com> ---
Marking as invalid for httpd; if some investigation with MSIE turns up an httpd
protocol bug, please reopen.



[Bug 56061] IE11 with client side certificate fails to authenticate


--- Comment #2 from Luke Huxley <lu...@cloudpay.net> ---
Created attachment 31252
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31252&action=edit
Wireshark TLS 1.2 handshake between IE 11 and Apache 2.2.26

The root CA's signature algorithm is SHA1 with RSA but both the intermediate CA
that validates the client certificate and the client certificates are MD5 with
RSA.

I've compared a TLS 1.0 handshake between Firefox and my web server with a TLS
1.2 handshake between IE 11 and my web server and, although I can see the
client certificate being sent from FF, I can not see IE 11 sending the client
certificate. 

I've attached the Wireshark SSL packets between IE 11 and Apache 2.2.26 to this
bug as I may be wrong and the client certificate is sent.
