Hello, I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and possibly tomcat 4.1.27).
The web-server should run all applications only over SSL and with client certificate verification enabled. So I set up all the necessary configuration, including server and client certificates (our company has its own internal CA), and moved three different applications from the non-SSL to the SSL virtual-host. Everything works fine, the applications can access the "environment variables", where the user-ID coming from the certificate is stored, in order to authenticate the users and provide user-specific content. However, the 4th application doesn't work. One of the working applications is PHP, another also working application is JSP based, so using Tomcat. The fourth application is not JSP, but a Servlet/Applet combination. What happens when accessing the page is that the "index.html" downloads to the client, but then the applet should be retrieved by the browser (IE), but the JAVA Plug-In just says "applet not found", and in the web-server error file (put in INFO) I see the following errors:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.136.126.30)

I know, normally this "peer did not return a certificate" indicates that either my browser does not have a certificate (which it has) or that the certificate can not be verified by the server due to a missing CA certificate (which it has). If one of these or both problems were there, the other three applications would not work either, but they do! Now I was wondering if it could be an issue somewhere in between mod_ssl, mod_jk, Tomcat?? In principle the connector between Apache and Tomcat works, otherwise the JSP application would not work either. That can be easily verified by inserting a bug in this configuration and voila, the JSP app stops working.

Any ideas? Thanks in advance

Herbert

PS: if I switch on debug level, I get even more info, which does not help me, but it first says something about client certificate A (success) and then something about a certificate B????? What is this about?
[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 19:15:02 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake: start
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
[--- lots of stuff omitted, including the verification of my certificate ---]
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(708): inside shmcb_store_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(714): session_id[0]=106, masked index=10
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1089): entering shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1013): entering shmcb_expire_division
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1145): we have 14386 bytes and 133 indexes free - enough
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1174): storing in index 0, at offset 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1189): session_id[0]=106, idx->s_id2=63
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1200): leaving now with 1128 bytes in the cache and 1 indexes
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1204): leaving shmcb_insert_encoded_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(742): leaving shmcb_store successfully
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(437): shmcb_store successful
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610): Inter-Process Session Cache: request=SET status=OK id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849 timeout=296s (session caching)
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1768): OpenSSL: Handshake
[--- another and another successful handshake following ---]
[--- even more stuff omitted, then something strange: ---]
[Tue Aug 05 19:15:13 2003] [info] Connection to child 1 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 19:15:13 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake: start
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 11/11 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[-- bio dump left out --]
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read client hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write server hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate request A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 5/5 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[-- another bio dump left out --]
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1782): OpenSSL: Write: SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 19:15:14 2003] [info] Connection to child 1 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established (server esdsv07.my.com:443, client 115.136.126.30)

It started with read/written client certificate A, no error, then suddenly says something about client certificate B, which fails. What is client certificate B?

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
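A small log-triage helper, added here as an example that is not part of Herbert's post nor of mod_ssl: it groups mod_ssl [info] lines of the kind quoted above by child process and client address, so that handshakes that died with "peer did not return a certificate" can be separated from the ones that completed, which is the quickest way to see whether one particular client (here, the applet's JVM rather than the browser) is the one never sending a certificate. The hostname and addresses in the embedded sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample shaped like the mod_ssl [info] lines in the post (placeholder host/addresses).
SAMPLE_LOG = """\
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server www.example.com:443, client 192.0.2.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server www.example.com:443, client 192.0.2.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server www.example.com:443, client 192.0.2.8)
[Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established (server www.example.com:443, client 192.0.2.30)
[Tue Aug 05 19:15:06 2003] [info] Connection to child 64 closed with standard shutdown(server www.example.com:443, client 192.0.2.30)
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
ESTABLISHED = re.compile(r"Connection to child (\d+) established \(server ([^,]+), client ([^)]+)\)")
HS_ERROR = re.compile(r"SSL library error \d+ in handshake \(server [^,]+, client ([^)]+)\)")
LIB_ERROR = re.compile(r"SSL Library Error: \d+ error:[0-9A-F]+:(.*)$")
CLOSED = re.compile(r"Connection to child (\d+) closed with (\w+) shutdown")

def parse_handshakes(log_text):
    # One record per connection: opened by "established", closed by "... shutdown".
    open_conns, finished = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if e := ESTABLISHED.search(msg):
            child, server, client = e.groups()
            open_conns[child] = {"child": child, "server": server, "client": client,
                                 "ts": m.group("ts"), "ok": True, "reason": None}
        elif h := HS_ERROR.search(msg):
            # The failure line names the client, not the child, so match on the client address.
            for rec in open_conns.values():
                if rec["client"] == h.group(1):
                    rec["ok"] = False
        elif l := LIB_ERROR.search(msg):
            for rec in open_conns.values():
                if not rec["ok"] and rec["reason"] is None:
                    rec["reason"] = l.group(1)
        elif c := CLOSED.search(msg):
            if rec := open_conns.pop(c.group(1), None):
                rec["shutdown"] = c.group(2)
                finished.append(rec)
    return finished

def clients_missing_certificate(records):
    # Per client address, how many handshakes died because no client certificate was presented.
    return Counter(r["client"] for r in records if not r["ok"] and r["reason"] and "peer did not return a certificate" in r["reason"])
```

Run over a real error_log (LogLevel info is enough), a client address that only ever shows up in the failed bucket while the browser's address also shows successful handshakes points at a second SSL client on that host that has no certificate to present.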