You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Michele Mase' <mi...@gmail.com> on 2013/05/07 14:18:12 UTC

[users@httpd] Similar issuer dn mod_ssl client authentication issue

I'm testing a client authentication using:

SSLCACertificateFile /path/to/pemfile.pem
<LocationMatch "/test">
        SSLVerifyClient require
        SSLVerifyDepth 2
/LocationMatch>

My env:
CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3
(Unix) - Server built:   Feb  7 2013 14:32:46

I have 2 CA's x509 pem files, bundled.
CA1 signs client1 certificate files
CA2 signs client2 certificate files
I should use two different CA with a similar issuer DN_OU in a bundle (file
/path/to/pemfile.pem)

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *O*rganization Unit/emailAddress=info@example.com

openssl x509 -noout -in one.pem -issuer
/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 90days/O=Example
S.p.A./OU=CA *o*rganization Unit/emailAddress=info@example.com

The only difference between 2 CAs is the capital letter in OU field.

When i try to use this configuration I receive a 403 error:

[Mon May 06 09:33:28.115455 2013] [ssl:error] [pid 5120:tid
139860297901824] [client 10.0.2.2:59798] AH02261: Re-negotiation handshake
failed: Not accepted by client!?

The only way it works is without the SSLRequire directive.
or
Using only one CA in the file (file /path/to/pemfile.pem)
or using
SSLVerifyClient optional|optional_no_ca
But I'm still unable to retrieve client cert data; I don't know if the
client is authenticated or not.

The same configuration using openssl_server works, it seems like an
uncorrect (or incomplete) mod_ssl openssl's implementation.

Addendum:
The bundle file contains CA1 and CA2; client certificates signed by CA1
(client1) work, client certificates signed by CA2 (client2) don't work.
If I change the order of the two certificates in the /path/to/pemfile.pem, it
happens that:
The budle file contains CA2 and CA1; client certificates signed by CA2
(client2) work, client certificates signed by CA1 (client1) don't work.

The same site under iis works :(

How could I solve it using apache?
Some suggestions?

Regards
Michele Masè

[users@httpd] Re: Similar issuer dn mod_ssl client authentication issue

Posted by David <cl...@gmail.com>.

Michele Mase' <michele.mase <at> gmail.com> writes:

> 
> 
> 
> 
> 
> 
> 
> 
> 
> I'm testing a client authentication using:SSLCACertificateFile 
/path/to/pemfile.pem<LocationMatch "/test">
> 
> 
>         SSLVerifyClient require        SSLVerifyDepth 2/LocationMatch>
> My env:
> 
> 
> CentOS 6.4, OpenSSL 1.0.0-fips 29 Mar 2010, Server version: Apache/2.4.3 
(Unix) - Server built:   Feb  7 2013 14:32:46
> 
> 
> 
> I have 2 CA's x509 pem files, bundled.CA1 signs client1 certificate 
filesCA2 signs client2 certificate filesI should use two different CA with a 
similar issuer DN_OU in a bundle (file /path/to/pemfile.pem)
> 
> 
> openssl x509 -noout -in one.pem -
issuer/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 
90days/O=Example S.p.A./OU=CA Organization Unit/emailAddress=info <at> 
example.comopenssl x509 -noout -in one.pem -
issuer/C=IT/ST=MyState/L=MyTown/CN=Example Root CA Temporary 
90days/O=Example S.p.A./OU=CA organization Unit/emailAddress=info <at> 
example.com
> 
> The only difference between 2 CAs is the capital letter in OU field.
> 
> 
> When i try to use this configuration I receive a 403 error:[Mon May 06 
09:33:28.115455 2013] [ssl:error] [pid 5120:tid 139860297901824] [client 
10.0.2.2:59798] AH02261: Re-negotiation handshake failed: Not accepted by 
client!?
> The only way it works is without the SSLRequire directive.
> or
> Using only one CA in the file (file /path/to/pemfile.pem)
> 
> 
> 
> or usingSSLVerifyClient optional|optional_no_ca
> 
> 
> 
> But I'm still unable to retrieve client cert data; I don't know if the 
client is authenticated or not.
> 
> 
> The same configuration using openssl_server works, it seems like an 
uncorrect (or incomplete) mod_ssl openssl's implementation.
> 
> Addendum:
> 
> The bundle file contains CA1 and CA2; client certificates signed by CA1 
(client1) work, client certificates signed by CA2 (client2) don't work.
> 
> If I change the order of the two certificates in the /path/to/pemfile.pem, 
it happens that:The budle file contains CA2 and CA1; client certificates 
signed by CA2 (client2) work, client certificates signed by CA1 (client1) 
don't work.
> 
> The same site under iis works :(
> 
> 
> How could I solve it using apache?
> Some suggestions?
> Regards
> Michele Masè


Hi Michele,

I was wondering if you ever found a solution for this.  I think I am running 
into a similar issue as some of my clients have no trouble using the 
certificate authentication while others can't seem to get it to work.  I too 
have created a bundle file with CA1 and CA2 and I am suspecting that the 
ones signed by the latter is not being recognized.  Any help will be 
appreciated.

Thanks,
David


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org