Posted to users@httpd.apache.org by Michele Mase' <mi...@gmail.com> on 2013/05/07 14:18:12 UTC
[users@httpd] Similar issuer dn mod_ssl client authentication issue
I'm testing a client authentication using:
SSLCACertificateFile /path/to/pemfile.pem
<LocationMatch "/test">
SSLVerifyClient require
SSLVerifyDepth 2
</LocationMatch>
My env:
CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3
(Unix) - Server built: Feb 7 2013 14:32:46
I have 2 CA's x509 pem files, bundled.
CA1 signs client1 certificate files
CA2 signs client2 certificate files
I should use two different CA with a similar issuer DN_OU in a bundle (file
/path/to/pemfile.pem)
openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *O*rganization Unit/emailAddress=info@example.com
openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *o*rganization Unit/emailAddress=info@example.com
The only difference between 2 CAs is the capital letter in OU field.
When I try to use this configuration I receive a 403 error:
[Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid
139860297901824] [client 10.0.2.2:59798] AH02261: Re-negotiation handshake
failed: Not accepted by client!?
The only way it works is without the SSLRequire directive.
or
Using only one CA in the file (file /path/to/pemfile.pem)
or using
SSLVerifyClient optional|optional_no_ca
But I'm still unable to retrieve client cert data; I don't know if the
client is authenticated or not.
The same configuration using openssl_server works, it seems like an
incorrect (or incomplete) mod_ssl openssl's implementation.
Addendum:
The bundle file contains CA1 and CA2; client certificates signed by CA1
(client1) work, client certificates signed by CA2 (client2) don't work.
If I change the order of the two certificates in the /path/to/pemfile.pem, it
happens that:
The bundle file contains CA2 and CA1; client certificates signed by CA2
(client2) work, client certificates signed by CA1 (client1) don't work.
The same site under iis works :(
How could I solve it using apache?
Some suggestions?
Regards
Michele Masè
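As an added example (not code from this thread or from the httpd project), the following Python check takes CA subject DNs in OpenSSL's one-line format, i.e. what `openssl x509 -noout -subject -in ca.pem` prints for each certificate in the bundle, and flags pairs that are distinct strings but compare equal under RFC 5280 section 7.1 name matching, which case-folds PrintableString and UTF8String values and collapses whitespace. The two DNs embedded below are constructed from the issuer lines in the post (a client certificate's issuer is the CA's subject). Applying the folding to every attribute, emailAddress included, is a deliberate over-approximation for a lint and is labelled as such in the code. The symptom in the post (whichever CA is listed first in the bundle is the one that works) is consistent with the two subjects colliding under name comparison, but the thread does not establish where in mod_ssl or OpenSSL that happens, so this script only detects the collision; the remedy it points at is issuing the two CAs with subjects that differ by more than letter case.

```python
"""Lint a mod_ssl CA bundle for subject DNs that collide under RFC 5280
name matching (case-insensitive, whitespace-collapsed comparison).

Assumed input: one DN per line in OpenSSL one-line form, e.g.
    openssl x509 -noout -subject -in ca.pem
run over every certificate in the SSLCACertificateFile bundle.
"""
import re
from collections import defaultdict

# Constructed sample: the two CA subjects taken from the issuer lines in the
# post. They differ only in "O" vs "o" in the OU attribute.
SAMPLE_DNS = [
    "/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days"
    "/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info@example.com",
    "/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days"
    "/O=Example S.p.A./OU=CA organization Unit/emailAddress=info@example.com",
]

# Split on "/" only where an attribute type and "=" follow, so a "/" inside a
# value (rare, but legal) is not treated as an RDN separator.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_dn(dn):
    """Parse an OpenSSL one-line DN into an ordered list of (type, value)."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        if not part:
            continue  # leading "/" yields an empty first element
        attr, _, value = part.partition("=")
        rdns.append((attr, value))
    return rdns


def canonical_dn(dn):
    """Normalise a DN the way RFC 5280 s7.1 compares names: attribute types
    matched case-insensitively, values case-folded, leading and trailing
    whitespace stripped and internal runs collapsed to one space.

    Assumption: the folding is applied to every attribute, including
    IA5String ones such as emailAddress. That over-approximates the RFC,
    which is the safe direction for a lint (it can only flag more pairs).
    """
    canon = []
    for attr, value in parse_oneline_dn(dn):
        folded = " ".join(value.split()).lower()
        canon.append((attr.lower(), folded))
    return tuple(canon)


def find_collisions(dns):
    """Group DNs that are different strings but equal after canonicalisation.

    Returns {canonical_dn: [original dn, ...]} containing only groups with
    more than one member, i.e. the CAs a bundle cannot tell apart by name.
    """
    groups = defaultdict(list)
    for dn in dns:
        canon = canonical_dn(dn)
        if dn not in groups[canon]:
            groups[canon].append(dn)
    return {canon: members for canon, members in groups.items() if len(members) > 1}


def report(dns):
    """Human-readable summary; returns the number of colliding groups."""
    collisions = find_collisions(dns)
    for canon, members in collisions.items():
        print("CA subjects that compare equal under RFC 5280 name matching:")
        for dn in members:
            print("   ", dn)
        # Show which attribute(s) actually differ so the fix is obvious.
        parsed = [parse_oneline_dn(dn) for dn in members]
        for idx, (attr, _) in enumerate(parsed[0]):
            values = {p[idx][1] for p in parsed if idx < len(p)}
            if len(values) > 1:
                print("    differs only in", attr + ":", sorted(values))
    if not collisions:
        print("No colliding CA subjects found.")
    return len(collisions)


if __name__ == "__main__":
    import sys
    lines = [ln for ln in sys.stdin.read().splitlines() if ln.strip()] if not sys.stdin.isatty() else []
    report(lines or SAMPLE_DNS)
```

To run it against a real bundle, feed it the subject lines: `for f in ca1.pem ca2.pem; do openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//'; done | python3 ca_dn_lint.py` (the script name is a placeholder). On the constructed sample it reports one colliding group and names OU as the only attribute that differs.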
[users@httpd] Re: Similar issuer dn mod_ssl client authentication issue
Posted by David <cl...@gmail.com>.
Michele Mase' <michele.mase <at> gmail.com> writes:
> I'm testing a client authentication using:
> SSLCACertificateFile /path/to/pemfile.pem
> <LocationMatch "/test">
> SSLVerifyClient require
> SSLVerifyDepth 2
> </LocationMatch>
> My env:
> CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3
> (Unix) - Server built: Feb 7 2013 14:32:46
> I have 2 CA's x509 pem files, bundled.
> CA1 signs client1 certificate files
> CA2 signs client2 certificate files
> I should use two different CA with a similar issuer DN_OU in a bundle (file
> /path/to/pemfile.pem)
> openssl x509 -noout -in one.pem -issuer
> /C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
> S.p.A./OU=CA Organization Unit/emailAddress=info@example.com
> openssl x509 -noout -in one.pem -issuer
> /C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
> S.p.A./OU=CA organization Unit/emailAddress=info@example.com
> The only difference between 2 CAs is the capital letter in OU field.
> When I try to use this configuration I receive a 403 error:
> [Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid 139860297901824]
> [client 10.0.2.2:59798] AH02261: Re-negotiation handshake failed: Not accepted
> by client!?
> The only way it works is without the SSLRequire directive.
> or
> Using only one CA in the file (file /path/to/pemfile.pem)
> or using
> SSLVerifyClient optional|optional_no_ca
> But I'm still unable to retrieve client cert data; I don't know if the
> client is authenticated or not.
> The same configuration using openssl_server works, it seems like an
> incorrect (or incomplete) mod_ssl openssl's implementation.
> Addendum:
> The bundle file contains CA1 and CA2; client certificates signed by CA1
> (client1) work, client certificates signed by CA2 (client2) don't work.
> If I change the order of the two certificates in the /path/to/pemfile.pem,
> it happens that:
> The bundle file contains CA2 and CA1; client certificates signed by CA2
> (client2) work, client certificates signed by CA1 (client1) don't work.
> The same site under iis works :(
> How could I solve it using apache?
> Some suggestions?
> Regards
> Michele Masè
Hi Michele,
I was wondering if you ever found a solution for this. I think I am running
into a similar issue as some of my clients have no trouble using the
certificate authentication while others can't seem to get it to work. I too
have created a bundle file with CA1 and CA2 and I am suspecting that the
ones signed by the latter is not being recognized. Any help will be
appreciated.
Thanks,
David