Hi,

I have set up the apache/openssl/mod_ssl products on two systems.
The first system, named "gate.ecb", is configured as a reverse proxy.
A Verisign CA test certificate, a Verisign-signed server certificate and its
private key are installed.
The second system is our application server and is named "serv.ecb". It also
has a Verisign CA test certificate, a Verisign-signed application server
certificate and its private key.

A PC with a browser is connected to the same network for my tests.  The PC has
the Verisign CA certificate, but no private key or certificate.

What we need is:
  PC --> SSL with no client identification --> Gate --> SSL with
identification of the gate to --> Server.

In the gate, "SSLVerifyClient" is not defined or is set to none.
In the server, SSLVerifyClient require is set.

When the PC tries to connect to the server SERV via the reverse proxy on GATE,
it gets an error that the PC needs a client certificate.

On the ssl_engine_log of the server we see the following data:
[01/Mar/2001 13:58:37 04468] [info]  Connection to child 0 established (server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [info]  Seeding PRNG with 1160 bytes of entropy
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept initialization
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: read 11/11 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 1024/1024 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 854/854 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 2/2 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 134/134 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: write 7/7 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)

>>>>>HERE IT COMES >>>>>
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client certificate B    <<<< THIS IS B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]


It seems that the authentication of the certificate of GATE was not
successful, because the server requested a certificate from client A, but
received one from client B, and this fails.  This is not what we need.  We
only need the GATE to be authenticated.  And when the GATE is trusted, all
requests from external clients that do not have a certificate should pass
via the gate to the server.

When we set SSLVerifyClient to none on the server, the PC can obtain the
pages from the server without any problem.

Please can you help?
1. Is this supposed to work as in our scenario?
2. Is there anything wrong with our configuration?
3. Please can you explain?
Thanks for your assistance.

Herman De Taeye

Note: The following are fragments of the two httpd.conf files.


Gate: In the httpd.conf:
SSLCryptoDevice cswift
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


<VirtualHost 192.168.1.34:443>
ServerName gate.ecb
Port 443
ProxyRequests off
ProxyPass /serv/ https://serv.ecb/
ProxyPassReverse /serv/ https://serv.ecb/
Nocache *
ErrorLog logs/ssl_proxy-error_log
CustomLog logs/ssl_proxy-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /usr/local/ap17e/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>



Serv: In the httpd.conf:

SSLCryptoDevice cswift
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>

DocumentRoot "/usr/local/ap17e/htdocs"
ServerName serv.ecb
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/ap17e/logs/error_log
TransferLog /usr/local/ap17e/logs/access_log
SSLEngine on
SSLProtocol all +SSLv3
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt
SSLVerifyClient require
SSLVerifyDepth  1
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/ap17e/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/ap17e/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
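The server-side trace in the post is the kind of evidence an operator triages when a mutually authenticated hop fails. The following is an added example, not code from the post or from the mod_ssl project: a small parser for mod_ssl 2.x ssl_engine_log lines that reconstructs the OpenSSL handshake state sequence, records whether the server sent a CertificateRequest, picks out the state in which the handshake exited, and decodes the packed OpenSSL error code. The sample log embedded in the block is the post's own trace with wrapped lines re-joined and the BIO debug lines dropped; the "A"/"B" suffixes it reports are OpenSSL's per-message sub-states, not different clients. The regular expressions and the `diagnose` verdict text are my assumptions about a readable summary, not mod_ssl output.

```python
"""Parse a mod_ssl (Apache 1.3 / mod_ssl 2.x) ssl_engine_log excerpt and
reconstruct the OpenSSL handshake state sequence leading up to a failure."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the server-side trace from the post, wrapped lines re-joined,
# BIO debug lines omitted. Timestamps/PID are the ones the post shows.
SAMPLE_LOG = """\
[01/Mar/2001 13:58:37 04468] [info]  Connection to child 0 established (server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept initialization
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

# Assumed line shapes, derived from the trace above.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+(?P<msg>.*)$")
STATE_RE = re.compile(r"^OpenSSL: (?P<kind>Loop|Read|Write|Exit): (?:error in )?(?P<state>.+)$")
ERR_RE = re.compile(r"^OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")
PEER_RE = re.compile(r"\(server (?P<server>\S+), client (?P<client>\S+)\)")


@dataclass
class HandshakeReport:
    server: Optional[str] = None
    client: Optional[str] = None
    states: list = field(default_factory=list)   # handshake states in log order
    cert_requested: bool = False                 # server sent CertificateRequest
    failed: bool = False
    failing_state: Optional[str] = None          # first "Exit: error in ..." state
    err_code: Optional[int] = None
    err_func: Optional[str] = None
    err_reason: Optional[str] = None


def decode_err_code(code: int) -> tuple:
    """Unpack a legacy (pre-OpenSSL 3.0) ERR_PACK() value into
    (library, function, reason): 8 bits lib, 12 bits func, 12 bits reason."""
    return ((code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF)


def parse_ssl_engine_log(text: str) -> HandshakeReport:
    rep = HandshakeReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        peer = PEER_RE.search(msg)
        if peer and rep.server is None:
            rep.server, rep.client = peer.group("server"), peer.group("client")
        st = STATE_RE.match(msg)
        if st:
            state = st.group("state")
            rep.states.append(state)
            if "write certificate request" in state:
                rep.cert_requested = True
            if st.group("kind") == "Exit" and rep.failing_state is None:
                rep.failing_state = state
            continue
        if msg.startswith("SSL handshake failed"):
            rep.failed = True
            continue
        err = ERR_RE.match(msg)
        if err:
            rep.err_code = int(err.group("code"), 16)
            rep.err_func = err.group("func")
            rep.err_reason = err.group("reason")
    return rep


def diagnose(rep: HandshakeReport) -> str:
    """Turn the parsed trace into a one-line triage verdict (wording is mine)."""
    if not rep.failed:
        return "handshake completed"
    if rep.cert_requested and rep.err_reason == "peer did not return a certificate":
        return (f"client {rep.client} sent no certificate after the server's "
                f"CertificateRequest (failed in state '{rep.failing_state}')")
    return f"handshake failed in state '{rep.failing_state}': {rep.err_reason}"


if __name__ == "__main__":
    report = parse_ssl_engine_log(SAMPLE_LOG)
    print(" -> ".join(report.states))
    print(diagnose(report))
    print("lib/func/reason:", decode_err_code(report.err_code))
```

Run against the post's trace, the verdict names the peer address 192.168.1.34 (the gate) as the side that answered the CertificateRequest with no certificate, and the decoded error code yields library 20 (SSL), function 137 and reason 199, matching the SSL3_GET_CLIENT_CERTIFICATE / "peer did not return a certificate" strings already printed in the log.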