Posted to users@httpd.apache.org by David Gessel <ge...@blackrosetech.com> on 2014/05/21 17:01:31 UTC

[users@httpd] subjectAltName and SNI results in 403 error

I'm getting an odd error with a slightly edge Apache Subject Name 
Identifier (SNI) configuration: the SSL negotiation concludes correctly, 
but I get a 403 error, as if I was using a non-SNI compatible browser 
when I access an SNI domain with a subjectAltName (SAN) cert 
(SSLStrictSNIVHostCheck off is set in httpd-ssl.conf).

As the SSL negotiation concludes without warnings, I believe the SSL 
certificates are set up at least superficially correctly and the SNI 
identification handshake has happened successfully because the expected 
domain-specific cert is presented and available in the client, however, 
Apache refuses to send the page content, instead returning a 403 error.

I've anonymized the following, but the server is live and successfully 
serving SNI identified CACert signed domains, StartSSL signed domains 
with CAMs of the form sub1.domain.tld, DNS:sub2.domain.tld, and 
unsuccessfully serving CACert signed CAM identified domains of the form 
DNS:domain1.tld,DNS:domain2.tld.

I suspect that Apache is barfing on the domain identifier not matching 
the CN in the cert or something along those lines (though I believe CN 
should be ignored if SAN is set, though perhaps Apache isn't respecting 
this?)

Some additional detail:


I've modified openssl.cnf to reflect 
http://wiki.cacert.org/FAQ/subjectAltName and executed the following 
commands to generate the certificate:

# setenv OPENSSL /usr/local/bin/openssl
# setenv OPENSSL_CONF /etc/ssl/openssl_CACaltnames.cnf
# setenv identifier [your key identifier like "SANcert"]

# openssl genrsa -out "$identifier"-encrypted-key.key 4096
# openssl req -new -key "$identifier"-encrypted-key.key -sha512 -out "$identifier"-req.csr

# openssl req -in "$identifier"-req.csr -text -noout | less

# less "$identifier"-req.csr

paste the -req key in at CAcert.org, submit for class 3 cert (high 
security) signing and submit the form, then paste the result into the 
cert.pem

# ee "$identifier"-cert.pem

paste in signed cert and check it

# openssl x509 -in "$identifier"-cert.pem -text -noout | less

# openssl rsa -in "$identifier"-encrypted-key.key -out "$identifier"-unencrypted-key.pem
# chmod 400 "$identifier"-unencrypted-key.pem


Then configured httpd-vhosts.conf for a sample domain where "multicert" 
is the identifier for the subjectAltName enabled cert.

<VirtualHost 10.0.0.10:80>
     ServerName domain1.org
     ServerAlias *.domain1.org www.domain1.org
     ServerAdmin admin@domain1.com
     DocumentRoot /usr/local/www/data-dist/domain1
     ErrorLog /var/log/domain1-error_log
     CustomLog /var/log/domain1-access_log combined
     <Directory /usr/local/www/data-dist/domain1>
         Options Indexes FollowSymLinks MultiViews
         AllowOverride all
         Require all granted
     </Directory>
</VirtualHost>

<VirtualHost 10.0.0.10:443>
     ServerName domain1.org
     ServerAlias *.domain1.org www.domain1.org
     ServerAdmin admin@domain1.com
     DocumentRoot /usr/local/www/data-dist/domain1
     SSLEngine On
         SSLCertificateFile /usr/local/etc/ca/multicert-cert.pem
         SSLCertificateKeyFile /usr/local/etc/ca/multicert-unencrypted-key.pem
         SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem
         Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
     ErrorLog /var/log/domain1-error_log
     CustomLog /var/log/domain1-access_log combined
     <Directory /usr/local/www/data-dist/ea>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
     </Directory>
</VirtualHost>

Visiting http://domain1.org yields an expected result
Visiting https://domain1.org triggers the usual warnings and then results in

Access forbidden!

You don't have permission to access the requested directory. There is 
either no index document or the directory is read-protected.

If you think this is a server error, please contact the webmaster.
Error 403
www.domain1.org
Apache/2.4.9 (FreeBSD) OpenSSL/1.0.1g PHP/5.5.12

httpd-vhosts.conf also includes the following CACert certified domain 
(with a non subjectAltName enabled certificate)

<VirtualHost 10.0.0.10:80>
     ServerName gooddomain.com
     ServerAdmin admin@domain1.com
     DocumentRoot /usr/local/www/data-dist/brt
     ServerAlias *.gooddomain.com www.gooddomain.com
     ErrorLog /var/log/gooddomain-error_log
     CustomLog /var/log/gooddomain-access_log combined
     ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>

<VirtualHost 10.0.0.10:443>
     ServerName gooddomain.com
     ServerAdmin admin@domain1.com
     DocumentRoot /usr/local/www/data-dist/brt
     ServerAlias *.gooddomain.com www.gooddomain.com
         SSLEngine On
         SSLCertificateFile /usr/local/etc/ca/brt.com-cert.pem
         SSLCertificateKeyFile /usr/local/etc/ca/brt.com-unencrypted-key.pem
         SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem
         Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
     ErrorLog /var/log/gooddomain-error_log
     CustomLog /var/log/gooddomain-access_log combined
     ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>

Same server, same CA, same config - just a non-SAN cert. This works fine:

http://gooddomain.com  fine
https://gooddomain.com fine


The issued SAN cert looks like:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 145200 (0x23730)
         Signature Algorithm: sha512WithRSAEncryption
         Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
         Validity
             Not Before: May 20 18:55:44 2014 GMT
             Not After : May 19 18:55:44 2016 GMT
         Subject: CN=www.gooddomain.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (4096 bit)
                 Modulus (4096 bit):
                     ... (modhex removed)
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage: critical
                 Digital Signature, Key Encipherment, Key Agreement
             X509v3 Extended Key Usage:
                 TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
             Authority Information Access:
                 OCSP - URI:http://ocsp.cacert.org/

             X509v3 CRL Distribution Points:
                 URI:http://crl.cacert.org/class3-revoke.crl

             X509v3 Subject Alternative Name:
                 DNS:www.gooddomain.com, othername:<unsupported>, 
DNS:*.gooddomain.com, othername:<unsupported>, DNS:domain1.org, 
othername:<unsupported>, DNS:*.domain1.org, othername:<unsupported>, 
DNS:gooddomain.com, othername:<unsupported>, DNS:domain2.com, 
othername:<unsupported>, DNS:*.domain2.com, othername:<unsupported>
     Signature Algorithm: sha512WithRSAEncryption
         ... (sig hex removed)

I've tried with self-signed and with CACert and after several days of 
trial and error, have run out of ideas. Any hints (other than 
generating per-domain certs, which seem to work fine)?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
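As an added example (editor's code, not the poster's and not anything from the Apache project), below is a small Python audit of the two checks a practitioner would run first on the configuration quoted in this post: whether each port-443 vhost's `<Directory>` block actually covers its own DocumentRoot, and whether the certificate's SAN list covers the vhost's ServerName and ServerAlias names. Note that in the post's first 443 block the `<Directory>` path is `/usr/local/www/data-dist/ea` while the DocumentRoot is `/usr/local/www/data-dist/domain1`; with the stock Apache 2.4 httpd.conf, a DocumentRoot that no `<Directory>` block grants falls under the server-wide `<Directory />` `Require all denied`, which yields exactly a 403 after a successful TLS handshake. The embedded config is the post's 443 blocks trimmed to the relevant directives, the SAN text is copied from the `openssl x509 -text` output above, and the config parser is a deliberately minimal, hypothetical one (no Include handling, no full quoting rules), not Apache's own.

```python
"""Audit Apache <VirtualHost> blocks for two 403-on-HTTPS suspects:
  1. a <Directory> path that does not cover the vhost's DocumentRoot, and
  2. ServerName/ServerAlias names not covered by the certificate's SAN list.
Constructed example; config and SAN text are the mailing-list post's
anonymized values, not a live server's."""
import re
from typing import Dict, List

# Constructed sample: the post's two port-443 vhosts, trimmed.
VHOST_CONF = """
<VirtualHost 10.0.0.10:443>
     ServerName domain1.org
     ServerAlias *.domain1.org www.domain1.org
     DocumentRoot /usr/local/www/data-dist/domain1
     SSLEngine On
     <Directory /usr/local/www/data-dist/ea>
        Require all granted
     </Directory>
</VirtualHost>

<VirtualHost 10.0.0.10:443>
     ServerName gooddomain.com
     ServerAlias *.gooddomain.com www.gooddomain.com
     DocumentRoot /usr/local/www/data-dist/brt
     SSLEngine On
</VirtualHost>
"""

# Constructed sample: the SAN line from the post's `openssl x509 -text` output.
SAN_TEXT = ("DNS:www.gooddomain.com, othername:<unsupported>, "
            "DNS:*.gooddomain.com, othername:<unsupported>, DNS:domain1.org, "
            "othername:<unsupported>, DNS:*.domain1.org, othername:<unsupported>, "
            "DNS:gooddomain.com, othername:<unsupported>, DNS:domain2.com, "
            "othername:<unsupported>, DNS:*.domain2.com, othername:<unsupported>")


def parse_vhosts(conf: str) -> List[Dict]:
    """Minimal (hypothetical) extraction of the directives the audit needs."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        body = m.group(2)

        def directive(name: str):
            d = re.search(rf"^\s*{name}\s+(.+?)\s*$", body, re.M | re.I)
            return d.group(1).strip('"') if d else None

        alias_lines = re.findall(r"^\s*ServerAlias\s+(.+?)\s*$", body, re.M | re.I)
        vhosts.append({
            "addr": m.group(1).strip(),
            "server_name": directive("ServerName"),
            "aliases": [a for line in alias_lines for a in line.split()],
            "document_root": directive("DocumentRoot"),
            "directories": [d.strip('"') for d in re.findall(r"<Directory\s+([^>]+)>", body, re.I)],
        })
    return vhosts


def directory_coverage(vhost: Dict) -> str:
    """'granted' if a <Directory> in the vhost covers the DocumentRoot,
    'inherits' if the vhost declares none (access then depends on the
    server-wide <Directory> blocks), 'mismatch' if it declares some but
    none covers the DocumentRoot (the copy-paste slip that leaves the
    DocumentRoot under the default "Require all denied")."""
    root = vhost["document_root"].rstrip("/")
    dirs = [d.rstrip("/") for d in vhost["directories"]]
    if not dirs:
        return "inherits"
    return "granted" if any(root == d or root.startswith(d + "/") for d in dirs) else "mismatch"


def san_dns_names(san_text: str) -> List[str]:
    """Pull the DNS: entries out of openssl's SAN rendering; the
    othername:<unsupported> entries are ignored."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", san_text)]


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style: case-insensitive; a wildcard is only valid as the
    whole leftmost label and matches exactly one label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        h, p = hostname.split("."), pattern.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return hostname == pattern


def uncovered_names(vhost: Dict, san: List[str]) -> List[str]:
    """Names the vhost answers for that no SAN entry covers. A wildcard
    ServerAlias counts as covered only by an identical wildcard SAN."""
    out = []
    for name in [vhost["server_name"]] + vhost["aliases"]:
        covered = name.lower() in san if name.startswith("*.") else any(
            hostname_matches(name, p) for p in san)
        if not covered:
            out.append(name)
    return out


def audit(conf: str, san_text: str) -> Dict[str, Dict]:
    san = san_dns_names(san_text)
    return {v["server_name"]: {"directory": directory_coverage(v),
                               "uncovered": uncovered_names(v, san)}
            for v in parse_vhosts(conf)}


if __name__ == "__main__":
    for name, result in audit(VHOST_CONF, SAN_TEXT).items():
        print(f"{name}: directory={result['directory']} uncovered={result['uncovered']}")
```

Run against the post's values, the audit reports the domain1.org vhost as `directory=mismatch` with no uncovered names and the gooddomain.com vhost as `directory=inherits`, which is consistent with the symptom described: the TLS side (SNI plus SAN) is fine, and the 403 is an authorization decision made after the handshake.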