You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Colpaert, Robert" <ro...@logica.com> on 2011/02/01 15:25:28 UTC

[users@httpd] Apache SSL Client authentication for BEA Weblogic Client

Hi everybody,

I am currently configuring client authentication using SSL and ldap on our apache server.
I'm sorry to say we have a pretty old apache version, but unfortunately we will not be able to upgrade this in the near future.

Apache version: 2.2.3

Our server hosts a website that is protected with ssl/https and uses the path <domain>/emp/. This server also provides an access point to several webservices which can be accessed through: <domain>/b2b/batch/

Configuration:

1.    We have a self signed server certificate which is used for encrypting the connection and it is configured as follows:
# Our server certificate and key
SSLCertificateFile /u01/env/SIT01/ssl/certs/server.crt
SSLCertificateKeyFile /u01/env/SIT01/ssl/private/server.key

# Server certificate CA chain; Side effect: client certificates from these CA's will also be accepted
SSLCertificateChainFile /u01/env/SIT01/ssl/ca/cachain.crt

# Enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

SSLEngine on
SSLProxyEngine on

2.    We want to enable client authentication only if the url matches <domain>/b2b/batch. This part is only used for authenticating a user since we do not encrypt the responses using the client's public key. We configured this part as described below:
<Location /b2b/batch/>
    SSLCACertificateFile /u01/env/SIT01/ssl/ca/cachain.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StrictRequire
    RequestHeader set Channel "B2B"

    # LDAP Authentication
    AuthName AuthLDAP
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://server1:2031/dc=cmp,dc=nl?userIdExtended"
    AuthLDAPBindDN "xxxx"
    AuthLDAPBindPassword "xxxxx"
    require valid-user

    ProxyPass  http:// server1:2050/
    ProxyPassReverse http:// server1:2050/
</Location>

We have tested the above settings using soapUI and cUrl and both allowed us to successfully send and receive a request from the webservice behind /b2b/batch.
However, for some reason, we cannot successfully connect to the same webservice using the BEA client. Even more strange is the fact that it DOES work when we copy the client authentication part from the <location> directive into the global part of the httpd.conf:

Configuration (working, but not workable):
# Our server certificate and key
SSLCertificateFile /u01/env/SIT01/ssl/certs/server.crt
SSLCertificateKeyFile /u01/env/SIT01/ssl/private/server.key

# Server certificate CA chain; Side effect: client certificates from these CA's will also be accepted
SSLCertificateChainFile /u01/env/SIT01/ssl/ca/cachain.crt

# Client certificate CA chain
SSLCACertificateFile /u01/env/SIT01/ssl/ca/cachain.crt
SSLVerifyClient require
SSLVerifyDepth 2

# Enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

SSLEngine on
SSLProxyEngine on

<Location /b2b/batch/>
    SSLCACertificateFile /u01/env/SIT01/ssl/ca/cachain.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StrictRequire
    RequestHeader set Channel "B2B"

    # LDAP Authentication
    AuthName AuthLDAP
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://server1:2031/dc=cmp,dc=nl?userIdExtended"
    AuthLDAPBindDN "xxxx"
    AuthLDAPBindPassword "xxxxx"
    require valid-user

    ProxyPass  http:// server1:2050/
    ProxyPassReverse http:// server1:2050/
</Location>

In this case cUrl/soapUI still work and now the BEA WebLogic works also! Though these settings seem to be working for BEA, these settings also force anyone who tries to access the website, MUST provide a client certificate and that should not be the case.

We have tried many different settings such as setting the SSLVerifyClient to none/optional on a global level, experimented with the SSLVerifyDepth and such, but this did not help.

This has become quite an issue and if anyone has any suggestions or if our configuration does not do what we think it should do... any help would be greatly appreciated!

SSL log (fail):
[Mon Jan 31 17:56:11 2011] [info] Requesting connection re-negotiation
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(616): Performing full renegotiation: complete handshake protocol
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSL renegotiate ciphers
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write hello request A
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write hello request C
[Mon Jan 31 17:56:11 2011] [info] Awaiting re-negotiation handshake
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: before accept initialization
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#5555757c6df0 [mem: 5555757f3560] (BIO dump follows)
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1722): +-------------------------------------------------------------------------+
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1747): | 0000: 80 9b 62 0d aa                                   ..b..            |
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1753): +-------------------------------------------------------------------------+
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client hello B
[Mon Jan 31 17:56:11 2011] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1561): [client xxx.xxx.xxx.xxx] read from buffered SSL brigade, mode 0, 8192 bytes
[Mon Jan 31 17:56:11 2011] [debug] ssl_engine_io.c(1623): [client xxx.xxx.xxx.xxx] buffered SSL brigade now exhausted; removing filter
[Mon Jan 31 17:56:11 2011] [info] [client xxx.xxx.xxx.xxx] Connection to child 4 established (server <our_domain>:443)


Regards,

Robert Colpaert


Think green - keep it on the screen.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.