Posted to users@httpd.apache.org by Alan Brown <em...@blueyonder.co.uk> on 2010/12/29 01:55:40 UTC
[users@httpd] SSL Client Authentication Problem
Hi all,
I am working in a test environment with Apache v2.2.14 on XP Pro SP3 and I
have experienced difficulties setting up SSL Client Authentication.
I have used the openssl command line tool to set up my private key, server
certificate, and a certificate authority, and I have configured the
httpd-ssl.conf file. All works as expected, except when I try to configure
SSL Client Authentication. All browsers report an error and are unable to
establish an SSL session, eg with Firefox :-
Secure Connection Failed
An error occurred during a connection to myhost_1.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
(myhost_1 is configured as 127.0.0.1 in hosts file)
In the config which works I have :-
<VirtualHost _default_:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
#SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
#SSLVerifyClient require
#SSLVerifyDepth 10
</VirtualHost>
When I uncomment the lines to configure SSL Client Authentication then I get
the above errors. The browser is supposed to request which client
certificate the user wants to use, then I can select the one I created and
signed with ca.crt, which I have set as a trusted CA in the browser.
My Apache server has the following identifier (from HTTP Response header) :-
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
The openssl version I am using is also 0.9.8l (l for 'link').
Here are the openssl commands I used :-
openssl genrsa -out ca.key 1024
openssl req -new -key ca.key -x509 -days 60 -out ca.crt
openssl genrsa -out server.key 1024
openssl req -new -key server.key -days 90 -out server.csr
openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey ca\ca.key -out server.crt
openssl genrsa -out client_a.key 1024
openssl req -new -key client_a.key -days 90 -out client_a.csr
openssl x509 -req -in client_a.csr -set_serial 451470 -CA ..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt
I have carefully studied all documentation and I just wonder why this is not
working - have I misunderstood something or is there possibly a bug?
Thanks in advance for any advice.
Alan.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] [SOLVED] SSL Client Authentication Problem
Posted by Alan Brown <em...@blueyonder.co.uk>.
----- Original Message -----
From: "Igor Galić" <i....@brainsware.org>
To: <us...@httpd.apache.org>
Sent: Tuesday, January 04, 2011 1:30 PM
Subject: Re: [users@httpd] SSL Client Authentication Problem
----- "Alan Brown" <em...@blueyonder.co.uk> wrote:
> Hi all,
>
> I am working in a test environment with Apache v2.2.14 on XP Pro SP3
> and I have experienced difficulties setting up SSL Client Authentication.
>
> I have used the openssl command line tool to set up my private key,
> server certificate, and a certificate authority, and I have configured the
> httpd-ssl.conf file. All works as expected, except when I try to
> configure SSL Client Authentication. All browsers report an error and are
> unable to establish an SSL session, eg with Firefox :-
>
> Secure Connection Failed
> An error occurred during a connection to myhost_1.
> SSL peer was unable to negotiate an acceptable set of security parameters.
> (Error code: ssl_error_handshake_failure_alert)
>
> (myhost_1 is configured as 127.0.0.1 in hosts file)
>
> In the config which works I have :-
>
> <VirtualHost _default_:443>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
> SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
> #SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
> #SSLVerifyClient require
> #SSLVerifyDepth 10
> </VirtualHost>
>
> When I uncomment the lines to configure SSL Client Authentication then
> I get the above errors. The browser is supposed to request which client
> certificate the user wants to use, then I can select the one I created
> and signed with ca.crt, which I have set as a trusted CA in the browser.
>
> My Apache server has the following identifier (from HTTP Response header) :-
>
> Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
>
> The openssl version I am using is also 0.9.8l (l for 'link').

No. OpenSSL 0.9.8l is a version regularly released:
http://www.openssl.org/source/

> Here are the openssl commands I used :-
>
> openssl genrsa -out ca.key 1024
> openssl req -new -key ca.key -x509 -days 60 -out ca.crt
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -days 90 -out server.csr
> openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey ca\ca.key -out server.crt
> openssl genrsa -out client_a.key 1024
> openssl req -new -key client_a.key -days 90 -out client_a.csr
> openssl x509 -req -in client_a.csr -set_serial 451470 -CA ..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt
>
> I have carefully studied all documentation and I just wonder why this
> is not working - have I misunderstood something or is there possibly a bug?
>
> Thanks in advance for any advice.

Instead of involving a browser, which is a big, complex and opaque thing,
can you please test with openssl s_client?

> Alan.
So long,
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
Thanks Igor for pointing out this s_client tool within openssl. On
investigating use of this tool, I realised I needed a bit more understanding
of how SSL/TLS works, and realised I omitted to understand one essential
feature of the SSL handshake, namely that the client must possess a private
key.
This means the client cert must actually contain a private key, which makes
it quite unlike a website cert, which just has the public key<->identity
mapping (and digital signature). I found this concept very odd at first -
even if it is password protected a digital cert seems not a place to store a
private key. The format for the composite file is PKCS#12, (.p12 extension).
(When you view such a client cert in IE8, for example, it says 'You have a
private key which corresponds to this certificate').
To create the .p12 file you enter the command :-
openssl pkcs12 -export -out client_a.p12 -in client_a.crt -inkey client_a.key
where client_a.crt is the client cert and client_a.key is the private key file.
Then the browser can accept import of the file client_a.p12 as a 'Personal
Certificate', and it now all works on Firefox/Chrome/Opera/IE8, with the
browser displaying a dialog for client cert choice on accessing the secure
page.
Thanks also Joost - you are correct, importing the client cert is needed; it
will not work without this, ie it won't just prompt for a client cert on
accessing the secure page. But I had not set up the client cert correctly, so
the import did not work.
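The setup from the original question and the fix from this reply, redone end to end as an added example (not part of the thread, and not the commands Alan or Igor posted): the same CA, server and client certificates built with the openssl CLI, the PKCS#12 bundle the browser needs, and four offline checks that pinpoint a cert-only import, a key that does not belong to the cert, or a reused serial before any browser is involved. The names (Test CA, myhost_1, client_a), the serials 1001/1002 and the password changeit are constructed for the example; unlike the posted commands it gives each certificate its own serial and an extendedKeyUsage for its role.

```shell
#!/bin/sh
# Added example: the thread's CA / server / client PKI via the openssl CLI, the
# PKCS#12 bundle, and offline checks. All names, serials and the password are
# constructed for this example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SERIAL EKU: key + CSR, then a CA-signed cert. Unlike the posted
# commands, each cert gets its own serial and an extendedKeyUsage for its role.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" -days 90 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

build_pki() {
  # -x509 turns the request straight into a self-signed CA cert, as in the thread
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 60 \
    -subj "/CN=Test CA" 2>/dev/null
  issue myhost_1 1001 serverAuth
  issue client_a 1002 clientAuth
  # A browser needs the client cert together with its private key: PKCS#12 (.p12)
  openssl pkcs12 -export -in client_a.crt -inkey client_a.key -out client_a.p12 -passout pass:changeit
}

# Check 1: does client_a.crt chain to ca.crt and carry the sslclient purpose?
verify_client_chain() { openssl verify -CAfile ca.crt -purpose sslclient client_a.crt; }

# Check 2: how many private keys does the .p12 hold? (1 = usable, 0 = cert only)
p12_private_keys() {
  openssl pkcs12 -in client_a.p12 -passin pass:changeit -nocerts -nodes | grep -c 'BEGIN.*PRIVATE KEY'
}

# Check 3: does the key inside the .p12 belong to the cert? Compares public keys.
p12_key_matches_cert() {
  k=$(openssl pkcs12 -in client_a.p12 -passin pass:changeit -nocerts -nodes | openssl pkey -pubout)
  c=$(openssl x509 -in client_a.crt -noout -pubkey)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# Check 4: number of serials issued more than once under this CA (must be 0)
duplicate_serials() {
  for f in *.crt; do openssl x509 -in "$f" -noout -serial; done | sort | uniq -d | wc -l | tr -d ' '
}

build_pki
verify_client_chain
```

Run stand-alone it prints "client_a.crt: OK"; the check functions can be pointed at a .p12 exported from a browser to confirm it actually carries the matching private key.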
Re: [users@httpd] SSL Client Authentication Problem
Posted by Igor Galić <i....@brainsware.org>.
----- "Alan Brown" <em...@blueyonder.co.uk> wrote:
> Hi all,
>
> I am working in a test environment with Apache v2.2.14 on XP Pro SP3
> and I have experienced difficulties setting up SSL Client Authentication.
>
> I have used the openssl command line tool to set up my private key,
> server certificate, and a certificate authority, and I have configured the
> httpd-ssl.conf file. All works as expected, except when I try to
> configure SSL Client Authentication. All browsers report an error and are
> unable to establish an SSL session, eg with Firefox :-
>
> Secure Connection Failed
> An error occurred during a connection to myhost_1.
> SSL peer was unable to negotiate an acceptable set of security parameters.
> (Error code: ssl_error_handshake_failure_alert)
>
> (myhost_1 is configured as 127.0.0.1 in hosts file)
>
> In the config which works I have :-
>
> <VirtualHost _default_:443>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile "/xampp/xampp/apache/conf/test/server.crt"
> SSLCertificateKeyFile "/xampp/xampp/apache/conf/test/server.key"
> #SSLCACertificateFile "/xampp/xampp/apache/conf/test/ca/ca.crt"
> #SSLVerifyClient require
> #SSLVerifyDepth 10
> </VirtualHost>
>
> When I uncomment the lines to configure SSL Client Authentication then
> I get the above errors. The browser is supposed to request which client
> certificate the user wants to use, then I can select the one I created
> and signed with ca.crt, which I have set as a trusted CA in the browser.
>
> My Apache server has the following identifier (from HTTP Response header) :-
>
> Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
>
> The openssl version I am using is also 0.9.8l (l for 'link').

No. OpenSSL 0.9.8l is a version regularly released:
http://www.openssl.org/source/

> Here are the openssl commands I used :-
>
> openssl genrsa -out ca.key 1024
> openssl req -new -key ca.key -x509 -days 60 -out ca.crt
> openssl genrsa -out server.key 1024
> openssl req -new -key server.key -days 90 -out server.csr
> openssl x509 -req -in server.csr -set_serial 451470 -CA ca\ca.crt -CAkey ca\ca.key -out server.crt
> openssl genrsa -out client_a.key 1024
> openssl req -new -key client_a.key -days 90 -out client_a.csr
> openssl x509 -req -in client_a.csr -set_serial 451470 -CA ..\ca\ca.crt -CAkey ..\ca\ca.key -out client_a.crt
>
> I have carefully studied all documentation and I just wonder why this
> is not working - have I misunderstood something or is there possibly a bug?
>
> Thanks in advance for any advice.

Instead of involving a browser, which is a big, complex and opaque thing,
can you please test with openssl s_client?

> Alan.
So long,
i
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/