Hello,
I posted this question already some days ago, but did not yet receive any
hint. Does really no-one have any idea what could be the problem?
-----------------------
I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
0.9.6i (and possibly a factor also tomcat 4.1.27 server, client IE6 with
Java 1.4 plugin from Sun).
The web-server should run all applications only over SSL and with client
certificate verification enabled.
So I set up all the necessary configuration, including server and client
certificates (our company has it's own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content. One of
the working applications is PHP based, another one is JSP based, so via
Tomcat. (only explaining this so that it is clear the whole server
combination including the SSL setup seems to be right in principal).
However the 4th application doesn't work.
The fourth application is not JSP, but a Servlet/Applet combination.
What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser
(IE/Java plug-in), but the JAVA Plug-In just says "applet not found", and
in the web-server error file (put in INFO) I see the following:
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established
(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established
(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, right? But they do!
Any ideas?
If I switch on debug level, I get even more info (which does not tell me a
lot more). First there is a verification/handshake on client certificate A
(successful) and then there is something about a certificate B????? what
is this about? What is certificate A and B?
Thanks in advance
Herbert
Debugging info:
[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog
filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted
RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol [Tue
Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring
client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA
certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY
Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring
permitted SSL ciphers
[!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA
server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA
server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA
private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol [Tue
Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring
client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096): CA
certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY
Primary Class 2 Certification Authority
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(611): Configuring
permitted SSL ciphers
[!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(739): Configuring RSA
server certificate
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(778): Configuring RSA
server private key
[Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established
(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 19:15:02 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1764):
OpenSSL:Handshake: start
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: before/accept initialization
[---lots of stuff/binary dump omitted---]
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 read finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write change cipher spec A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 flush data
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(708): inside
shmcb_store_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(714):
session_id[0]=106, masked index=10
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1089): entering
shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1013): entering
shmcb_expire_division
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1145): we have 14386
bytes and 133 indexes free - enough
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1174): storing in
index 0, at offset 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1189):
session_id[0]=106, idx->s_id2=63
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1200): leaving now
with 11 28 bytes in the cache and 1 indexes
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1204): leaving
shmcb_insert_encoded_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(742): leaving
shmcb_store successfully
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(437): shmcb_store
successful
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610):
Inter-Process Session Cache: request=SET status=OK
id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849
timeout=296s (session caching)
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1768): OpenSSL:
Handshake
[--- another and another successful handshake following ---]
[--- even more stuff omitted, then something strange: ---]
[Tue Aug 05 19:15:13 2003] [info] Connection to child 1 established
(server esdsv07.my.com:443, client 15.191.1.8)
[Tue Aug 05 19:15:13 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL:
Handshake : start
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: before/accept initialization
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read
11/11 by tes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--bio dump left out--]
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 read client hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write server hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write certificate A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write certificate request A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 flush data
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read
5/5 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--another bio dump left out-- so far the usuall success, but now....]
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1782): OpenSSL:
Write: SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 19:15:14 2003] [info] Connection to child 1 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established
(server esdsv07.my.com:443, client 115.136.126.30)
It started with read/writen client certificate A, no error, then suddenly
says something about client certificate B, which fails. What is client
certificate B?
--
Herbert Neugebauer
[EMAIL PROTECTED]
71088 Holzgerlingen Germany
*****
War does not decide who's right, only who's left
-- unknown quote
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
