Posted to users@httpd.apache.org by "Berube, Steve (HP Software)" <st...@hp.com> on 2009/10/27 03:36:44 UTC

[users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Hello;
I'm hoping someone can help me with this.

Issue: On various systems using Internet Explorer 7 or 8, smart card credentials are not being prompted for. Firefox works, provided the Security Device for ActivClient is installed.

Environment:
Server: Windows Apache 2.2.14 with OpenSSL
Clients: Various (Windows platforms)
                IE 8
                Firefox 3.5.3
                ActivClient Smart Card/Key reader.

The issue I am having is as follows.
I have a simple Apache install running SSL with a server certificate from a trusted authority. If I use a self-signed certificate, it works just as well.
I have enabled SSLVerifyClient on my cgi-bin folder.
Here is my directive:
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Directory>

This is in extra/httpd-ssl.conf, basically everything is out of the box 2.2.14 so I could eliminate any customizations we made. The only real changes are me pointing to the certificates and adding this directive.

What works:
Accessing https://servername (which is running on 443) works and the client trusts the server. I see the infamous Apache 'It works!'
All client browsers IE, Firefox, Windows 7, Windows Vista, 32bit 64bit all work.

What doesn't work (completely):
https://servername/cgi-bin/printenv.tcl
Note: I have a Tcl interpreter running a custom printenv.tcl, but the file doesn't matter; assume we are just trying to access cgi-bin directly, the same issue exists there. The same issue exists if I set the directive on the whole web server (e.g. <Location />).
Now, here is where it gets interesting. What should happen is the client should prompt for a client certificate from the smart card reader and ask the user for their PIN.
On Firefox 3.5.3 it prompts the user for their smart card PIN as long as the Security Device for ActivClient is installed. Works great!
IE 8.0 on Windows 7 didn't work; after rebuilding the system it works now.
All the other systems (tested 10) running IE will not work. This is where I am completely baffled. I've tried everything I could think of. But where I am stuck now is I can't seem to get IE 7 or 8 (via ActivClient) to prompt for a PIN. Using the same client and the same IE browser to access some of our internal sites where we require a certificate, it works fine. Just not on my site on Apache. The other two sites that do work are hosted by IIS 6 and Omniture Dc/2.0.0 (at least that's what the HTTP header states).

If anyone needs more information from me or has any advice here please let me know. I'm stumped and have been scouring google for hours with no luck.
Thanks

- Steve
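A note on what the per-directory form above does on the wire, as an added example rather than the poster's configuration. mod_ssl negotiates the connection before it knows which directory the request maps to, so with SSLVerifyClient set only on cgi-bin the first handshake carries no CertificateRequest; when the request turns out to be for cgi-bin, mod_ssl starts a second, server-initiated handshake (the "Changed client verification type will force renegotiation" message in its debug log) and asks for the certificate only then. Putting SSLVerifyClient at the virtual host level asks for the certificate in the first handshake and avoids the renegotiation entirely. The two forms side by side; certificate and CA file paths are assumed, and the two VirtualHost blocks are alternatives, not meant to coexist:

```apache
# Form A: per-directory, as in the original post.  The initial handshake has
# no CertificateRequest; mod_ssl renegotiates once it sees a /cgi-bin request.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "conf/server.crt"          # assumed path
    SSLCertificateKeyFile "conf/server.key"          # assumed path
    # Issuing CA chain of the smart-card certificates (assumed path).  This
    # file also supplies the CA name list sent in the CertificateRequest.
    SSLCACertificateFile  "conf/smartcard-ca-chain.crt"
    <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>

# Form B: connection-level.  The CertificateRequest goes out in the first
# handshake, so no mid-connection renegotiation is needed.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "conf/server.crt"          # assumed path
    SSLCertificateKeyFile "conf/server.key"          # assumed path
    SSLCACertificateFile  "conf/smartcard-ca-chain.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
    # Record the verify result and presented subject per request.
    CustomLog "logs/ssl_request.log" "%t %h %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_S_DN}x \"%r\" %b"
</VirtualHost>
```

Two checks worth making in either form. First, SSLCACertificateFile must actually list the issuing CAs of the smart-card certificates: the stock extra/httpd-ssl.conf ships with that directive commented out, and Windows selects the candidate certificates it offers the user by matching their issuer against the CA names in the CertificateRequest, so an empty or wrong list produces no prompt even though Firefox (which shows all certificates) still works. Second, form B changes only where the certificate is requested; later in this thread the poster reports trying it without any change on the affected IE clients, so it is not by itself an explanation for their behaviour.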




RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
For what it is worth:
Here are the apache logs relating to this issue:

I've XX'ed out IP + YY host name info


[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 99 01 00 00-95 03 01                 ...........      |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 147/147 bytes from BIO#fd56b0 [mem: fdcc6b] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 4a e9 b2 a0 04 fb f1 8e-a3 9c 02 80 3a bc 75 7f  J...........:.u. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: 49 18 c8 c9 40 f6 44 1c-e6 fc cb 68 52 33 95 ec  I...@.D....hR3.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: 20 1c ed fc 78 e4 2d dd-9c 30 e6 4e b0 7f c2 5b   ...x.-..0.N...[ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0030: be b2 57 e5 0d f2 3b 11-b5 c0 1f f0 a6 5b b1 b5  ..W...;......[.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0040: fb 00 18 00 2f 00 35 00-05 00 0a c0 09 c0 0a c0  ..../.5......... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0050: 13 c0 14 00 32 00 38 00-13 00 04 01 00 00 34 00  ....2.8.......4. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0060: 00 00 15 00 13 00 00 10-72 64 2d 64 62 2e 63 6e  ........rd-db.cn |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0070: 64 2e XX XX 2e 63 6f 6d-00 05 00 05 01 00 00 00  d.XX.com........ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0080: 00 00 0a 00 08 00 06 00-17 00 18 00 19 00 0b 00  ................ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0090: 02 01                                            ..               |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1834): | 0147 - <SPACES/NULS>
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(393): ssl_scache_shmcb_retrieve (0x1c -> subcache 28)
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(708): shmcb_subcache_retrieve found no match
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(408): leaving ssl_scache_shmcb_retrieve successfully
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=GET status=MISSED id=1CEDFC78E42DDD9C30E64EB07FC25BBEB257E50DF23B11B5C01FF0A65BB1B5FB (session renewal)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1951): [client XX.XX.11.89] SSL virtual host for servername rd-db.cnd.YY.com found
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server done A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 86                                   .....            |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 134/134 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 10 00 00 82 00 80 00 c3-88 5e 6d c0 7e cd 4c b7  .........^m.~.L. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: 32 11 13 05 4c 11 92 b6-84 ce 1d 43 08 ff bf 63  2...L......C...c |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: dd 99 89 a8 86 5e e5 6f-d2 a7 f4 5a 83 c6 7d 5f  .....^.o...Z..}_ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0030: bc 93 f8 bc 11 2e ff fd-79 89 fa a1 70 1d 13 ef  ........y...p... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0040: 88 c5 34 62 a3 c5 f3 35-91 0b bf f4 00 0a 25 46  ..4b...5......%F |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0050: f3 01 f0 79 ca 67 9f 13-ef 7c 3d 2a 18 b0 3e b1  ...y.g...|=*..>. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0060: a2 2c 98 b7 c5 d6 07 d1-cf 64 f4 cb a2 81 4f f6  .,.......d....O. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0070: 48 2f d6 e6 a0 93 b0 36-46 21 4d 0d cd 7e 89 8b  H/.....6F!M..~.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0080: f2 d0 a8 63 fb bf                                ...c..           |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client key exchange A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 14 03 01 00 01                                   .....            |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 1/1 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 01                                               .                |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 30                                   ....0            |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 48/48 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: ff 25 ef 55 d3 31 51 f0-0e 6a 9e e4 0e f6 3b 7f  .%.U.1Q..j....;. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: fb ec 90 52 7a 05 5d 3f-ea a8 72 42 de 2f 9a e7  ...Rz.]?..rB./.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: 6c e4 d9 8f 8f 63 fc b6-e1 35 b6 e5 14 93 7c ba  l....c...5....|. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read finished A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write change cipher spec A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write finished A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(353): ssl_scache_shmcb_store (0xac -> subcache 12)
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(645): insert happened at idx=0, data=0
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(647): finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/168
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(378): leaving ssl_scache_shmcb_store successfully
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=SET status=OK id=AC94F2DD376455B7FD542C6606D4CA30149CFCA32DE4A663D43F63CDA064AB91 timeout=300s (session caching)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1879): OpenSSL: Handshake: done
[Thu Oct 29 11:25:03 2009] [info] Connection: Client IP: XX.XX.11.89, Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 17 03 01 06 40                                   ....@            |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 1600/1600 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 84 6e 1b bb b1 ce 5d 44-d8 bb 36 8f 96 c4 62 d6  .n....]D..6...b. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: 15 90 35 2f 17 82 3e 9c-20 c5 a6 0d 8e 6f d1 22  ..5/..>. ....o." |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: bf da 0f 43 ef 19 2b 98-66 d5 ec ca 03 9b a9 98  ...C..+.f....... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0030: 45 cc 30 49 f3 37 51 d1-98 ab 45 62 12 0e a8 26  E.0I.7Q...Eb...& |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0040: 5b 98 8b 80 ee 62 b1 f2-19 24 21 51 1a 02 b0 e1  [....b...$!Q.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0050: e4 00 c1 e2 53 32 4a 3d-5d ca a2 38 7d a6 e7 36  ....S2J=]..8}..6 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0060: f8 f2 6d 8c fa 2c 9a 78-84 33 0f 3c 6e 29 d1 34  ..m..,.x.3.<n).4 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0070: a5 ff 63 76 78 49 5a 4a-14 43 c6 53 f1 fc ad 76  ..cvxIZJ.C.S...v |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0080: 4c de 99 85 8a 5b 2e 52-f0 9e 8b b6 d1 9f ca 1b  L....[.R........ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0090: ec 0a c6 82 43 fa 1f 04-79 a3 67 54 38 b2 81 e1  ....C...y.gT8... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00a0: 5e 4b 1f 24 8c db 49 23-9b bf cb 76 46 62 d3 f7  ^K.$..I#...vFb.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00b0: c6 fc 7a 14 c7 c0 10 e8-15 8e 24 d2 ce 19 b6 df  ..z.......$..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00c0: bb 9f 00 03 23 4d b9 ea-60 02 55 b0 75 99 6e 92  ....#M..`.U.u.n. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00d0: 1c 34 a7 5a cf f3 65 59-91 23 ae fa ac 58 8d 34  .4.Z..eY.#...X.4 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00e0: 6d c2 ab 14 26 fe 20 84-65 4f 56 f4 97 c6 d6 61  m...&. .eOV....a |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 00f0: 31 c6 26 da 2d ac f8 72-81 6d 0c c2 76 33 b2 5d  1.&.-..r.m..v3.] |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0100: 6f f6 5e 79 57 7f 35 a2-a3 4a ef f8 85 74 6a ae  o.^yW.5..J...tj. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0110: c6 f7 75 c5 91 85 84 9b-95 6d 3c 53 87 ff f2 40  ..u......m<S...@ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0120: ae 87 99 1d 67 c9 74 04-9f a7 6f cb e2 ea 27 94  ....g.t...o...'. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0130: 26 f9 bf 76 f5 c2 16 b4-0e 5c 2b 11 9a 77 8e a8  &..v.....\+..w.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0140: 33 a9 1a b7 75 cb 26 ae-ea fb df a2 d6 06 69 ed  3...u.&.......i. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0150: 8e 6e 7b 8a 8d 2f 67 d0-a6 2d 34 88 a1 d1 c7 4e  .n{../g..-4....N |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0160: 30 e3 10 64 0d ab ec e8-db 26 c0 cd 90 6e c2 d1  0..d.....&...n.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0170: 30 f2 f8 5e 27 3a 56 86-f7 92 26 16 29 ae a9 49  0..^':V...&.)..I |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0180: c2 37 54 2a 40 e8 c3 a5-f9 db f3 0d 9d 4e bf b2  .7T*@........N.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0190: 8b e1 4f f8 17 97 20 7d-a5 8b 7a 74 3f fa d5 7a  ..O... }..zt?..z |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01a0: 87 7d a8 91 dc 84 5e 72-be a7 b0 e0 7e 9d 33 c1  .}....^r....~.3. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01b0: 0f d5 f7 01 62 2d a0 98-77 d2 6e 95 d8 1c ef 4f  ....b-..w.n....O |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01c0: 75 e3 7a 86 4e 6e fa d5-de f4 54 66 ff db 71 51  u.z.Nn....Tf..qQ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01d0: 7a ed 29 cd c2 55 bc a9-53 98 bb 66 35 e6 c5 8d  z.)..U..S..f5... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01e0: 89 51 90 95 8c a9 b9 4c-18 44 d0 bf 69 7c 3e ea  .Q.....L.D..i|>. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 01f0: b8 47 17 ef ff 0c 77 51-92 9a 24 5d b4 38 ea 87  .G....wQ..$].8.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0200: 81 44 b9 0a c4 c9 da 17-c9 7f 55 04 e4 ae 84 e5  .D........U..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0210: 47 81 ff a1 94 aa c1 13-fc 00 8e c4 17 f7 5c c5  G.............\. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0220: 9f da ac 00 67 c8 55 93-28 9e 8c 7e b6 4f bc 1b  ....g.U.(..~.O.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0230: c2 a5 97 27 c6 9c bd 52-90 31 20 09 86 48 11 98  ...'...R.1 ..H.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0240: 2c ce fb 96 8c 2d 89 fd-41 9b ad fb fe fa 61 04  ,....-..A.....a. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0250: cb be 86 b5 35 31 fc 91-42 14 48 9f 36 5e f2 69  ....51..B.H.6^.i |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0260: f4 c2 6a 8d f0 b7 d5 14-e4 ab 17 06 d2 89 e0 6d  ..j............m |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0270: 49 fc 22 76 18 82 89 18-ac ff 9f 10 50 98 9f a7  I."v........P... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0280: 1d 30 fd c6 f0 1b 50 e7-ba f9 31 23 de 96 ff 63  .0....P...1#...c |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0290: 3d 1f b0 4a d3 9b 20 53-c3 dd ab 58 19 07 56 cb  =..J.. S...X..V. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02a0: 65 b7 f7 1c da e4 64 a0-5f 92 b0 a2 a5 07 de 23  e.....d._......# |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02b0: 0e fc 1a 48 98 d4 f5 74-fa c7 18 b4 65 82 0f 31  ...H...t....e..1 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02c0: 68 ce 54 c0 23 eb ef bc-ac ad f5 b9 36 19 b9 d6  h.T.#.......6... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02d0: ff 8c 02 d1 23 90 ce 63-2d 3d 64 63 40 96 8a e0  ....#..c-=dc@... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02e0: f4 70 fa b0 dd ef 8a 77-7b ce 3e 32 65 13 c4 5d  .p.....w{.>2e..] |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 02f0: bc a8 33 0e 80 5c 76 f8-2e ca 67 62 ab f2 86 ee  ..3..\v...gb.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0300: f7 86 15 d3 86 d9 58 35-06 eb 54 4a 28 e2 55 c3  ......X5..TJ(.U. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0310: f6 81 91 00 ab 21 bc 75-1d bb 99 a8 9d 90 61 38  .....!.u......a8 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0320: 76 8d 62 df 92 cb 27 5b-22 51 9a 98 6f 8e 99 7b  v.b...'["Q..o..{ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0330: f7 6f b6 2e 28 ac 7b 74-67 a4 bc 60 a6 18 41 a2  .o..(.{tg..`..A. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0340: 51 78 c2 a4 3b 7e 27 9c-28 a0 da 3a b2 02 53 76  Qx..;~'.(..:..Sv |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0350: 36 8f 3d 34 ec 2f 79 6b-a7 17 d2 ee a7 47 8a 64  6.=4./yk.....G.d |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0360: df b5 1a 90 5e 30 1e d6-64 79 5b 18 d7 99 71 73  ....^0..dy[...qs |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0370: d1 ad e7 b6 c0 c0 aa c7-1a 35 9a 54 4b 40 ee 0c  .........5.TK@.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0380: e9 c2 e7 9c 1e cc 22 81-ae ae 73 4c 57 32 2d 05  ......"...sLW2-. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0390: e6 c8 34 33 11 36 fa 5b-03 c6 28 5f 12 a4 f3 59  ..43.6.[..(_...Y |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03a0: 68 f8 43 81 c4 19 d6 0b-9e a9 03 a1 24 c7 b4 b9  h.C.........$... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03b0: 65 35 a1 55 13 6f 06 15-6a 8b ed f6 4e a0 28 74  e5.U.o..j...N.(t |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03c0: 93 36 f6 9e cb 78 e8 40-e0 93 cc 24 92 7c 30 a2  .6...x.@...$.|0. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03d0: 51 03 c6 fa 5b b0 70 34-ef 8e 6d 54 a6 96 d0 b9  Q...[.p4..mT.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03e0: cd bc dd 41 e2 17 0e d0-c7 3e f7 c9 58 98 23 ec  ...A.....>..X.#. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 03f0: 70 b1 76 31 b8 02 0d ab-93 0a 79 db 07 d1 f4 a3  p.v1......y..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0400: e1 b7 00 e8 a2 62 68 f7-ce b0 f5 21 18 d3 53 48  .....bh....!..SH |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0410: 42 d2 a6 4e ce 63 ff bc-dc 83 1f c0 04 5b bd cb  B..N.c.......[.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0420: 93 97 ca c2 72 6e 90 c0-9a 07 c3 e2 3c 58 d3 1a  ....rn......<X.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0430: 40 f6 bc 9b 4c 6c 60 a3-e4 ba 1c 31 c7 8d 84 84  @...Ll`....1.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0440: 99 b6 3f 7b b2 3c 44 91-7e 51 f3 2b af 41 34 af  ..?{.<D.~Q.+.A4. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0450: a8 97 8e 9c 1d e2 38 07-6b dd 79 11 16 de a6 b3  ......8.k.y..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0460: e1 a2 f4 7f 80 eb 11 74-ff 1e 23 50 8b bf 9c f2  .......t..#P.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0470: 2d 3e a9 04 f2 45 96 77-36 93 d1 14 e7 9c 71 f3  ->...E.w6.....q. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0480: 5f d1 7a 62 19 5b 3b 39-42 46 0e 4d 9f dc a7 dd  _.zb.[;9BF.M.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0490: d1 69 47 f3 19 d1 af f4-89 56 b3 30 d3 d7 95 24  .iG......V.0...$ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04a0: b2 7d fc 5e bf 1b b8 51-86 2e 6e 34 c9 8c 28 a9  .}.^...Q..n4..(. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04b0: 9e 24 75 58 35 f5 60 69-fd fd f1 9b bb 68 6c cd  .$uX5.`i.....hl. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04c0: b1 4c 15 5f f5 4c fb 7a-47 44 bd 06 4e 19 8a 8e  .L._.L.zGD..N... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04d0: 68 d4 58 e4 48 90 47 b8-a5 17 c5 8e 98 ee 07 25  h.X.H.G........% |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04e0: f3 4d c9 7e 5f f6 43 1c-4f 3b 9e 28 d7 13 3f 66  .M.~_.C.O;.(..?f |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 04f0: b5 fd 89 35 6d d6 90 f8-54 cd ea 81 92 de ad 40  ...5m...T......@ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0500: e4 e7 58 c9 69 70 be 4f-4c 68 1b de d6 1d e9 f7  ..X.ip.OLh...... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0510: 2b e5 47 e3 01 c8 84 4e-44 31 d3 ad 75 92 39 c6  +.G....ND1..u.9. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0520: 05 da 10 86 b7 5b 8f e9-b9 93 e7 a8 d2 19 39 84  .....[........9. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0530: 34 50 01 21 52 9e f1 b4-94 9b dd cb e6 50 c6 d9  4P.!R........P.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0540: 37 64 01 f1 25 cb 81 53-c5 82 a0 0f ec f2 34 01  7d..%..S......4. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0550: cb 32 be 44 d2 4e 3f 43-81 3c aa 17 2c f5 c4 8c  .2.D.N?C.<..,... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0560: 39 32 e9 37 3d c3 11 06-53 f7 31 2e b0 0e 56 5d  92.7=...S.1...V] |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0570: e7 e3 88 a2 f9 d0 5f 4e-8f 98 c0 39 64 1f 98 6f  ......_N...9d..o |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0580: 95 1e 44 ed 20 36 8e cf-b5 69 ee 36 b9 47 cf 13  ..D. 6...i.6.G.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0590: fd 84 82 28 08 af 91 ce-95 8e 23 eb 62 72 3f 3d  ...(......#.br?= |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05a0: 0b 93 fa d9 5e 7d ab c4-b5 2a 7d 29 c8 d5 ce 54  ....^}...*})...T |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05b0: ae 2e 35 27 ef 5b 6b 12-3f 09 d9 9b 06 cc 76 72  ..5'.[k.?.....vr |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05c0: ce c8 94 ce 7a 8f ae 6a-c6 2c 79 2f a0 3b 7d f9  ....z..j.,y/.;}. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05d0: be 0a 99 77 d1 ba e5 e7-16 6c 47 89 c7 c3 b0 aa  ...w.....lG..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05e0: 49 07 f4 7c 43 fa cb 42-2e 4d e7 45 26 67 bc 91  I..|C..B.M.E&g.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 05f0: 4c 9d 25 b7 bb f9 e0 6a-eb 53 eb ae 93 05 33 79  L.%....j.S....3y |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0600: 1b 03 61 98 46 84 cc 1b-ed 6e 21 11 2a 8c 4d 99  ..a.F....n!.*.M. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0610: 95 ed ae 77 be b8 41 46-52 58 2f cc 7a b7 d8 eb  ...w..AFRX/.z... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0620: 9f 1b a6 21 c6 79 bf bf-55 2a 11 f5 1d cf 30 9e  ...!.y..U*....0. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0630: 6f e5 4e 7d 32 0d 16 27-fc 72 cc f2 b2 aa 0d 98  o.N}2..'.r...... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [info] Initial (No.1) HTTPS request received for child 63 (server rd-db.cnd.YY.com:8443)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(487): [client XX.XX.11.89] Changed client verification type will force renegotiation
[Thu Oct 29 11:25:03 2009] [info] [client XX.XX.11.89] Requesting connection re-negotiation
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(724): [client XX.XX.11.89] Performing full renegotiation: complete handshake protocol
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSL renegotiate ciphers
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write hello request A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write hello request C
[Thu Oct 29 11:25:03 2009] [info] [client XX.XX.11.89] Awaiting re-negotiation handshake
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 90                                   .....            |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 144/144 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: fa 50 f4 a0 17 63 11 f6-62 3b bb d8 08 22 93 2c  .P...c..b;..."., |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: 9d de 9d 37 8c df 22 7b-40 62 c1 8b db 63 be c1  ...7.."{@b...c.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: f3 6b 2b 6e 72 34 84 0e-da 6c 55 d8 fe 39 69 35  .k+nr4...lU..9i5 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0030: e3 b6 7a ff 1c 59 a2 03-aa 5c d1 44 e0 fc f7 b0  ..z..Y...\.D.... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0040: 52 17 cc d6 24 2e af 9e-de 6a 83 38 ae ea 5e d8  R...$....j.8..^. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0050: f0 e4 ce 4b a8 79 c4 a0-9d c0 77 af 7c cb 5c a6  ...K.y....w.|.\. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0060: 83 16 3c 61 18 6c 56 ff-88 90 6a f1 c7 93 9b 08  ..<a.lV...j..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0070: c1 a8 ef 32 26 2b b7 20-b2 d8 4c 00 cd 53 d2 df  ...2&+. ..L..S.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0080: 99 71 d7 c2 bc a7 19 72-fd ce 72 b9 d4 10 9f 51  .q.....r..r....Q |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1951): [client XX.XX.11.89] SSL virtual host for servername rd-db.cnd.YY.com found
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#fd56b0 [mem: fdcc60]
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu Oct 29 11:25:04 2009] [error] [client XX.XX.11.89] Re-negotiation handshake failed: Not accepted by client!?

-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Thursday, October 29, 2009 11:12 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace, but my expertise in analyzing that is lacking.


-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:31 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Ok quick update, I did that test and unfortunately no change in behavior. I can't access / now (as expected) but still no prompt for certificate. Other systems that work continue to work. Firefox no issue, one windows 7 IE system, no issue.

I am installing wireshark now.


-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:28 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual host directive?

e.g.
<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10

<Location />
        SSLOptions +StdEnvVars
</location>

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Tuesday, October 27, 2009 10:26 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software)
<st...@hp.com> wrote:
> My test originally was this
> <Location />
>     SSLVerifyClient require
>
>     SSLVerifyDepth 10
>
>     SSLOptions +StdEnvVars
> </location>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.

Putting it in <Location /> is still the more complicated case of:

handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*

SSLVerifyClient is accepted in <VirtualHost> context, which should
cause the initial handshake to ask for a client cert.

>
>
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, October 27, 2009 10:17 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
>
> On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
> <st...@hp.com> wrote:
>> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
>>
>>     SSLVerifyClient require
>>
>>     SSLVerifyDepth 10
>>
>>     SSLOptions +StdEnvVars
>>
>> </Directory>
>
>
> Can you simplify your testing by setting this outside of per-directory
> config?  Have you used wireshark to see if Apache is sending the
> proper list of trusted certificates that line up with whoever signed
> your certs in your HW device?
>
> Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
> or  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
> might help?
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org



--
Eric Covener
covener@gmail.com


RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace, but my expertise in analyzing that is lacking.



RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
Ok quick update, I did that test and unfortunately no change in behavior. I can't access / now (as expected) but still no prompt for certificate. Other systems that work continue to work. Firefox no issue, one windows 7 IE system, no issue.

I am installing wireshark now.



RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual host directive?

e.g.
<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10

<Location />
	SSLOptions +StdEnvVars
</location>


Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by Eric Covener <co...@gmail.com>.
On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software)
<st...@hp.com> wrote:
> My test originally was this
> <Location />
>     SSLVerifyClient require
>
>     SSLVerifyDepth 10
>
>     SSLOptions +StdEnvVars
> </location>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.

Putting it in <Location /> is still the more complicated case of:

handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*

SSLVerifyClient is accepted in <VirtualHost> context, which should
cause the initial handshake to ask for a client cert.


-- 
Eric Covener
covener@gmail.com


RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
My test originally was this
<Location />
     SSLVerifyClient require

     SSLVerifyDepth 10

     SSLOptions +StdEnvVars
</location>

Same issue whether based on a directory or using the root location.
I'm still trying to figure out why one and only IE works, but no others.
I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)

ERROR_INTERNET_SECURITY_CHANNEL_ERROR

Nothing else at all in the trace.

If I go to the root url (which is SSL Enabled, but no client verify)

I will try your suggestion of wireshark.



Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by Eric Covener <co...@gmail.com>.
On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
<st...@hp.com> wrote:
> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
>
>     SSLVerifyClient require
>
>     SSLVerifyDepth 10
>
>     SSLOptions +StdEnvVars
>
> </Directory>


Can you simplify your testing by setting this outside of per-directory
config?  Have you used wireshark to see if Apache is sending the
proper list of trusted certificates that line up with whoever signed
your certs in your HW device?

Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
or  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
might help?

-- 
Eric Covener
covener@gmail.com


RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
Hi all;
I was able to resolve this.
The issue apparently was in the CA store on the Apache server. I'm not sure if there was a corrupt entry in there, or a duplicate, but something was causing the issue. I created a fresh CA store with one cert, the one matching the root of the client cert, and all worked!
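
Two points in this thread call for the same check: Eric's question of whether Apache is sending the proper list of trusted certificates in its CertificateRequest (the thing to look at in Wireshark), and the resolution above, which came down to a corrupt or duplicate entry in the CA store. The Python below is an added example, not code from the thread or from httpd. It lints a PEM bundle of the kind SSLCACertificateFile points at, flagging entries that do not parse and entries that repeat, and decodes the certificate_authorities list from a CertificateRequest handshake message so the two can be compared. Everything it parses is constructed inline: the certificates only have the field layout of X.509 v3 (the algorithm, key and signature fields are empty placeholders), and the handshake message uses the SSLv3/TLS 1.0 layout seen in the debug log; TLS 1.2 inserts a signature_algorithms field that this parser does not handle.

```python
# Added example, not the page's or httpd's code; every certificate and message here is constructed.
import base64, hashlib, re

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer (truncated entry)")
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def tlv(tag, body):
    """Encode one short-form DER TLV; only used to build the constructed data below."""
    assert len(body) < 0x80, "constructed values stay below 128 bytes"
    return bytes([tag, len(body)]) + body

OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
             b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def decode_name(name_value):
    """Render the content of a DER X.500 Name SEQUENCE as 'C=.., O=.., CN=..'."""
    parts = []
    for _, rdn in der_children(name_value):                # SEQUENCE OF SET
        for _, atv in der_children(rdn):                   # SET OF AttributeTypeAndValue
            (_, oid), (_, val) = der_children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def cert_subject(cert_der):
    """Return the subject Name of a DER-encoded Certificate as a string."""
    cert = der_read(cert_der)[1]
    tbs = der_children(der_children(cert)[0][1])          # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                      # optional [0] version
    return decode_name(tbs[i + 4][1])                      # serial, sig, issuer, validity, subject

def lint_ca_bundle(pem_text):
    """Classify each PEM block as ('ok'|'corrupt'|'duplicate', index, detail)."""
    findings, seen = [], {}
    blocks = re.finditer(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    for idx, m in enumerate(blocks):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
            subject = cert_subject(der)
        except (ValueError, IndexError) as exc:            # binascii.Error is a ValueError
            findings.append(("corrupt", idx, str(exc)))
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            findings.append(("duplicate", idx, f"same as entry {seen[digest]}: {subject}"))
        else:
            seen[digest] = idx
            findings.append(("ok", idx, subject))
    return findings

def parse_certificate_request(msg):
    """CA names advertised in an SSLv3/TLS 1.0/1.1 CertificateRequest (handshake type 13).
    TLS 1.2 inserts a signature_algorithms list before the CA list; not handled here."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                      # skip certificate_types
    ca_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, names = pos + 2, []
    while pos < ca_end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        names.append(decode_name(der_read(body, pos + 2)[1]))
        pos += 2 + dn_len
    return names

# Constructed data: X.509 v3 field layout with empty placeholder algorithm, key and
# signature fields, so the entries parse but are not valid certificates.
def name(**attrs):
    oids = {v: k for k, v in OID_NAMES.items()}
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oids[k]) + tlv(0x0C, v.encode())))
                              for k, v in attrs.items()))
def fake_cert(issuer, subject, serial):
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"")
              + issuer + tlv(0x30, b"") + subject + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
def pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"
def certificate_request(*ca_names):
    dns = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = bytes([2, 1, 2]) + len(dns).to_bytes(2, "big") + dns   # types: rsa_sign, dss_sign
    return bytes([13]) + len(body).to_bytes(3, "big") + body

ROOT = name(C="US", O="Example", CN="Root CA")
ISSUING = name(C="US", O="Example", CN="Issuing CA")
ROOT_CERT, ISSUING_CERT = fake_cert(ROOT, ROOT, 1), fake_cert(ROOT, ISSUING, 2)
# A good root, the root again (duplicate), a truncated entry (corrupt), and a second CA.
CA_BUNDLE = pem(ROOT_CERT) + pem(ROOT_CERT) + pem(ISSUING_CERT[:-6]) + pem(ISSUING_CERT)
CERT_REQUEST = certificate_request(ROOT, ISSUING)   # what a store holding both CAs advertises
```

Calling lint_ca_bundle(CA_BUNDLE) reports the second entry as a duplicate of the first and the third as corrupt, and parse_certificate_request(CERT_REQUEST) lists both CA names. On a real deployment the bundle is the file SSLCACertificateFile names and the handshake bytes come from a Wireshark capture of the CertificateRequest; the comparison Eric asked for is whether the issuer of the smart card certificate appears in that list, and a bundle that lints clean with exactly the expected subjects is what the rebuilt single-certificate store in the resolution amounts to.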


-----Original Message-----
From: Berube, Steve (HP Software) 
Sent: Tuesday, October 27, 2009 7:27 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Hi there, thank you for the reply. Yes, I have that in there. In fact, Apache 2.2 ships with that by default.
Here is mine directly from httpd-ssl.conf

I pasted a good portion of the file so you can see its context.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +OptRenegotiate
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@raad.tartu.ee] 
Sent: Tuesday, October 27, 2009 1:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Berube, Steve (HP Software) wrote:

> Now, here is where it gets interesting. What should happen is the client 
> should prompt for a client certificate from the smart card reader and 
> ask the user for their pin.
> 
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as 
> the Security Device for ActivClient is installed. Works great!
> 
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
> 
> All the other systems (tested 10) running IE will not work. 

This may be an SSL handshake issue. Do you have something like this in your 
SSL virtualhost:

BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

If not, try adding it.

It seems to me that something in this area was changed recently in Apache, 
because after upgrading from 2.2.9 to 2.2.13 I had to add a similar 
directive even for Firefox, which worked fine before.

--
Toomas Aas

... The truth is out there. Does anyone know the URL?


RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by "Berube, Steve (HP Software)" <st...@hp.com>.
Hi there, thank you for the reply. Yes, I have that in there. In fact, Apache 2.2 ships with that by default.
Here is mine directly from httpd-ssl.conf

I pasted a good portion of the file so you can see its context.

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +OptRenegotiate
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@raad.tartu.ee] 
Sent: Tuesday, October 27, 2009 1:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Berube, Steve (HP Software) wrote:

> Now, here is where it gets interesting. What should happen is the client 
> should prompt for a client certificate from the smart card reader and 
> ask the user for their pin.
> 
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as 
> the Security Device for ActivClient is installed. Works great!
> 
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
> 
> All the other systems (tested 10) running IE will not work. 

This may be an SSL handshake issue. Do you have something like this in your 
SSL virtualhost:

BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

If not, try adding it.

It seems to me that something in this area was changed recently in Apache, 
because after upgrading from 2.2.9 to 2.2.13 I had to add a similar 
directive even for Firefox, which worked fine before.

--
Toomas Aas

... The truth is out there. Does anyone know the URL?

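
Two things in the posted <Directory> block are worth tightening once the CA store is sorted out. This is an added example in Apache 2.2 syntax, not configuration from the thread. First, mod_ssl takes the CA names it advertises in the TLS CertificateRequest from SSLCADNRequestFile when that directive is set and from SSLCACertificateFile otherwise, and Internet Explorer filters the certificates it offers the user against that list, so the way to keep the prompt reliable is to advertise exactly the root that issues the smart-card certificates. Second, "SSLRequire %{SSL_CLIENT_S_DN_O} eq ..." authorizes on a subject attribute alone: any CA in the bundle can issue a certificate carrying that O, so the bundle file is the real access-control list, and binding the rule to the issuer DN as well makes that explicit. The file paths, the issuer DN string and the depth value below are assumptions for the example.

```apache
# Added example, not from the thread. Paths, issuer DN and depth are assumed.

# As posted: a certificate from ANY CA in SSLCACertificateFile whose subject
# carries O=Hewlett-Packard Company is accepted, up to 10 links deep.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars +OptRenegotiate
</Directory>

# Tightened. These two go in the SSL <VirtualHost>: trust only the root that
# issues the smart-card certificates, and advertise only that root's name in
# the CertificateRequest (this is the list the browser filters on).
# Assumed path; the file holds the single root certificate in PEM form.
SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/smartcard-root.pem"
SSLCADNRequestFile   "C:/Program Files/Apache Software Foundation/Apache2.2/conf/smartcard-root.pem"

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    # root -> user is depth 1; root -> intermediate -> user is depth 2.
    # Set this to the real chain length rather than 10.
    SSLVerifyDepth 2
    # +StrictRequire: a failed SSLRequire denies access even when another
    # access directive (Satisfy any) would have allowed it.
    SSLOptions +StdEnvVars +OptRenegotiate +StrictRequire
    # Bind the rule to the issuer as well as the subject organization.
    # Assumed issuer DN, in the 2.2 "/X=.../Y=..." string format.
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company" \
           and %{SSL_CLIENT_I_DN}   eq "/O=Hewlett-Packard Company/CN=Example Smart Card CA"
</Directory>
```

Because SSLVerifyClient sits inside <Directory>, the certificate is requested in a renegotiation after the HTTP request has been read (hence +OptRenegotiate). While debugging a browser that never prompts, moving SSLVerifyClient up to the <VirtualHost> requests the certificate in the initial handshake instead, which is much easier to observe with openssl s_client.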

Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.

Posted by Toomas Aas <to...@raad.tartu.ee>.
Berube, Steve (HP Software) wrote:

> Now, here is where it gets interesting. What should happen is the client 
> should prompt for a client certificate from the smart card reader and 
> ask the user for their pin.
> 
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as 
> the Security Device for ActivClient is installed. Works great!
> 
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
> 
> All the other systems (tested 10) running IE will not work. 

This may be an SSL handshake issue. Do you have something like this in your 
SSL virtualhost:

BrowserMatch ".*MSIE.*" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

If not, try adding it.

It seems to me that something in this area was changed recently in Apache, 
because after upgrading from 2.2.9 to 2.2.13 I had to add a similar 
directive even for Firefox, which worked fine before.

--
Toomas Aas

... The truth is out there. Does anyone know the URL?
