You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "McGregor, Donald (Don) (CIV)" <mc...@nps.edu> on 2015/03/23 20:22:23 UTC

[users@httpd] CAC Card Client Certificate Auth and Crypto Suites

I’m attempting to get smart cards (DoD CAC) working with apache 2.2 (CentOS 6).

It works on some browsers—Chrome, Safari—but not Firefox 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn’t work
on OS X, either. The root cause of the problem seems to be the SSL negotiation.

The SSLProtocol setting is this:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1

I started off allowing TLS 1.1 and 1.2 but this seemed to provoke complaints in the
protocol negotiation about downgrade attacks. Apparently the clients tried to downgrade
to TLS1 and the server thought there was some sort of attack going on
and terminated the negotiation. 

The above change got through the initial version negotiation, but then ran aground on 
this, with info level debugging on:


[Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes of entropy
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)
[Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?
[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] Connection closed to child 2 with abortive shutdown (server localhost.localdomain:443)


The cipher suite is highly (i.e., too) accommodating:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

So:

Anyone seen this before? What should the SSLProtocol and CipherSuite settings be to allow
client certificate authentication while maintaining reasonable security? Alternatively, what
should the client settings on the browsers be? I have very limited control over the client
settings  but it would be nice to know.

httpd-2.2.15-39.el6.centos.x86_64
openssl-1.0.1e-30.el6_6.5.x86_64




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] CAC Card Client Certificate Auth and Crypto Suites

Posted by Jason Pyeron <jp...@pdinc.us>.

> -----Original Message-----
> From: McGregor, Donald (Don) (CIV) 
> Sent: Monday, March 23, 2015 15:22
> 
> 
> I'm attempting to get smart cards (DoD CAC) working with 
> apache 2.2 (CentOS 6).
> 
> It works on some browsers-Chrome, Safari-but not Firefox 
> 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn't work
> on OS X, either. The root cause of the problem seems to be 
> the SSL negotiation.

Interesting.

Lets ignore FF and OS X for now, as Chrome and IE (on windows) use the same certificate store for accessing the smart card.

> 
> The SSLProtocol setting is this:
> 
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1
> 
> I started off allowing TLS 1.1 and 1.2 but this seemed to 
> provoke complaints in the
> protocol negotiation about downgrade attacks. Apparently the 
> clients tried to downgrade
> to TLS1 and the server thought there was some sort of attack going on
> and terminated the negotiation. 
> 
> The above change got through the initial version negotiation, 
> but then ran aground on 
> this, with info level debugging on:
> 

Can you run wireshark on the browser side?

I would like to see (pcap.gz please) the chrome success and the IE failure, then we can tweak to get IE working too.

> 
> [Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes 
> of entropy
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL 
> library error 1 in handshake (server localhost.localdomain:443)
> [Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 
> 336109761 error:1408A0C1:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too 
> restrictive SSLCipherSuite or using DSA server certificate?
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] 
> Connection closed to child 2 with abortive shutdown (server 
> localhost.localdomain:443)
> 
> 
> The cipher suite is highly (i.e., too) accommodating:
> 
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> 
> So:
> 
> Anyone seen this before? What should the SSLProtocol and 
> CipherSuite settings be to allow
> client certificate authentication while maintaining 
> reasonable security? Alternatively, what
> should the client settings on the browsers be? I have very 
> limited control over the client
> settings  but it would be nice to know.
> 
> httpd-2.2.15-39.el6.centos.x86_64
> openssl-1.0.1e-30.el6_6.5.x86_64

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.