Posted to users@httpd.apache.org by David Gessel <ge...@blackrosetech.com> on 2014/05/21 17:01:31 UTC
[users@httpd] subjectAltName and SNI results in 403 error
I'm getting an odd error with a slightly edge Apache Subject Name
Identifier (SNI) configuration: the SSL negotiation concludes correctly,
but I get a 403 error, as if I was using a non-SNI compatible browser
when I access an SNI domain with a subjectAltName (SAN) cert
(SSLStrictSNIVHostCheck off is set in httpd-ssl.conf).
As the SSL negotiation concludes without warnings, I believe the SSL
certificates are set up at least superficially correctly and the SNI
identification handshake has happened successfully because the expected
domain-specific cert is presented and available in the client, however,
Apache refuses to send the page content, instead returning a 403 error.
I've anonymized the following, but the server is live and successfully
serving SNI identified CACert signed domains, StartSSL signed domains
with CAMs of the form sub1.domain.tld, DNS:sub2.domain.tld, and
unsuccessfully serving CACert signed CAM identified domains of the form
DNS:domain1.tld,DNS:domain2.tld.
I suspect that Apache is barfing on the domain identifier not matching
the CN in the cert or something along those lines (though I believe CN
should be ignored if SAN is set, though perhaps Apache isn't respecting
this?)
Some additional detail:
I've modified openssl.cnf to reflect
http://wiki.cacert.org/FAQ/subjectAltName and executed the following
commands to generate the certificate:
# setenv OPENSSL /usr/local/bin/openssl
# setenv OPENSSL_CONF /etc/ssl/openssl_CACaltnames.cnf
# setenv identifier [your key identifier like "SANcert"]
# openssl genrsa -out "$identifier"-encrypted-key.key 4096
# openssl req -new -key "$identifier"-encrypted-key.key -sha512 -out "$identifier"-req.csr
# openssl req -in "$identifier"-req.csr -text -noout | less
# less "$identifier"-req.csr
paste the -req key in at CAcert.org
submit for class 3 cert (high security) signing, submit the form, then paste the result into the cert.pem
# ee "$identifier"-cert.pem
paste in signed cert and check it
# openssl x509 -in "$identifier"-cert.pem -text -noout | less
# openssl rsa -in "$identifier"-encrypted-key.key -out "$identifier"-unencrypted-key.pem
# chmod 400 "$identifier"-unencrypted-key.pem
Then configured httpd-vhosts.conf for a sample domain where "multicert"
is the identifier for the subjectAltName enabled cert.
<VirtualHost 10.0.0.10:80>
    ServerName domain1.org
    ServerAlias *.domain1.org www.domain1.org
    ServerAdmin admin@domain1.com
    DocumentRoot /usr/local/www/data-dist/domain1
    ErrorLog /var/log/domain1-error_log
    CustomLog /var/log/domain1-access_log combined
    <Directory /usr/local/www/data-dist/domain1>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 10.0.0.10:443>
    ServerName domain1.org
    ServerAlias *.domain1.org www.domain1.org
    ServerAdmin admin@domain1.com
    DocumentRoot /usr/local/www/data-dist/domain1
    SSLEngine On
    SSLCertificateFile /usr/local/etc/ca/multicert-cert.pem
    SSLCertificateKeyFile /usr/local/etc/ca/multicert-unencrypted-key.pem
    SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    ErrorLog /var/log/domain1-error_log
    CustomLog /var/log/domain1-access_log combined
    <Directory /usr/local/www/data-dist/ea>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>
Visiting http://domain1.org yields an expected result
Visiting https://domain1.org triggers the usual warnings and then results in
Access forbidden!
You don't have permission to access the requested directory. There is
either no index document or the directory is read-protected.
If you think this is a server error, please contact the webmaster.
Error 403
www.domain1.org
Apache/2.4.9 (FreeBSD) OpenSSL/1.0.1g PHP/5.5.12
httpd-vhosts.conf also includes the following CACert certified domain
(with a non subjectAltName enabled certificate)
<VirtualHost 10.0.0.10:80>
    ServerName gooddomain.com
    ServerAdmin admin@domain1.com
    DocumentRoot /usr/local/www/data-dist/brt
    ServerAlias *.gooddomain.com www.gooddomain.com
    ErrorLog /var/log/gooddomain-error_log
    CustomLog /var/log/gooddomain-access_log combined
    ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>

<VirtualHost 10.0.0.10:443>
    ServerName gooddomain.com
    ServerAdmin admin@domain1.com
    DocumentRoot /usr/local/www/data-dist/brt
    ServerAlias *.gooddomain.com www.gooddomain.com
    SSLEngine On
    SSLCertificateFile /usr/local/etc/ca/brt.com-cert.pem
    SSLCertificateKeyFile /usr/local/etc/ca/brt.com-unencrypted-key.pem
    SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    ErrorLog /var/log/gooddomain-error_log
    CustomLog /var/log/gooddomain-access_log combined
    ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>
Same server, same CA, same config - just a non SAN cert. This works fine
http://gooddomain.com fine
https://gooddomain.com fine
The issued SAN cert looks like:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145200 (0x23730)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: May 20 18:55:44 2014 GMT
            Not After : May 19 18:55:44 2016 GMT
        Subject: CN=www.gooddomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    ... (modhex removed)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/
            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl
            X509v3 Subject Alternative Name:
                DNS:www.gooddomain.com, othername:<unsupported>,
                DNS:*.gooddomain.com, othername:<unsupported>,
                DNS:domain1.org, othername:<unsupported>,
                DNS:*.domain1.org, othername:<unsupported>,
                DNS:gooddomain.com, othername:<unsupported>,
                DNS:domain2.com, othername:<unsupported>,
                DNS:*.domain2.com, othername:<unsupported>
    Signature Algorithm: sha512WithRSAEncryption
        ... (sig hex removed)
I've tried with self-signed and with CACert and after several days of
trial and error, have run out of ideas. Any hints (other than
generating per-domain certs, which seems to work fine).
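As an added check (example code, not part of the original post): given the 443 vhost above and the DNS: entries from the certificate dump, it reports any ServerName/ServerAlias the SAN does not cover and any DocumentRoot that no <Directory> block inside the vhost grants, which is what the domain1 vhost shows (its <Directory> names .../ea while DocumentRoot is .../domain1) and what produces a 403 when the global <Directory /> carries Apache 2.4's stock Require all denied. The second vhost, shop.example.net, and its paths are constructed to exercise the SAN check.

```python
import re
# Constructed input, not the post's file verbatim: the 443 vhost for domain1, reduced
# to the directives the checks need, plus a hypothetical vhost absent from the cert.
SAMPLE_CONF = """
<VirtualHost 10.0.0.10:443>
    ServerName domain1.org
    ServerAlias *.domain1.org www.domain1.org
    DocumentRoot /usr/local/www/data-dist/domain1
    <Directory /usr/local/www/data-dist/ea>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost 10.0.0.10:443>
    ServerName shop.example.net
    DocumentRoot /usr/local/www/data-dist/shop
</VirtualHost>
"""
# The DNS: entries of the SAN extension in the certificate dump above.
SAN_NAMES = ["www.gooddomain.com", "*.gooddomain.com", "domain1.org",
             "*.domain1.org", "gooddomain.com", "domain2.com", "*.domain2.com"]

def san_covers(san, name):
    """RFC 6125 style: '*.' covers exactly one DNS label. A wildcard ServerAlias
    counts as covered only by the identical wildcard SAN entry."""
    san, name = san.lower(), name.lower()
    if name.startswith("*.") or not san.startswith("*."):
        return san == name
    return name.count(".") == san.count(".") and name.endswith(san[1:])

def parse_vhosts(conf):
    """Yield names, DocumentRoot and access-granting <Directory> paths per vhost."""
    for m in re.finditer(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        body = m.group(1)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", body, re.M)
        root = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', body, re.M)
        dirs = re.findall(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', body, re.S)
        yield {"names": " ".join(names).split(), "root": root and root.group(1),
               "granted": [d for d, blk in dirs if re.search(r"Require\s+all\s+granted", blk)]}

def check(conf, san_names):
    """Return (problem, subject) pairs. Only <Directory> blocks inside the vhost
    are seen, so a grant made in the global scope is reported as missing."""
    findings = []
    for vh in parse_vhosts(conf):
        findings += [("name-not-in-san", n) for n in vh["names"]
                     if not any(san_covers(s, n) for s in san_names)]
        root, dirs = vh["root"], vh["granted"]
        if root and not any(root == d or root.startswith(d.rstrip("/") + "/") for d in dirs):
            findings.append(("docroot-not-granted", root))
    return findings
```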