On Friday 27 June 2008, Joe Orton wrote:
> Yup.  Changing the "SSLVerifyClient require" to:
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue 
solved.

I have another question: Has anyone successfully established a 
connection to an Apache/mod_ssl server with client authentication using 
a Java client? My client (code below) generates the following log 
(exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 71 CC D3 DC AF 35   A3 A2 70 1C E5 9A 06 00  ..q....5..p.....
0010: 1F 8B 18 05 6E 55 69 4E   44 18 D2 E5 0A 57 FB D4  ....nUiND....W..
0020: 71 62 17 14 57 2A FE 8F   4D 5A CF 7A 82 09 31 8C  qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
0000: 48 64 A7 92 45 15 E8 74   E3 75 A7 BD F7 E3 B8 82  Hd..E..t.u......
0010: 94 D4 1E 75 ED 3D D3 41   0E 5F BA 12 ED 47 E6 B1  ...u.=.A._...G..
Server Nonce:
0000: 48 64 A7 92 B5 6D 56 62   6D E3 7B 67 C7 08 78 13  Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5   75 25 A1 65 F8 DD 85 86  EGZ..b..u%.e....
Master Secret:
0000: 0C 65 EA 1D A6 E6 FC 3C   AD AA 34 04 C6 82 81 50  .e.....<..4....P
0010: 07 78 38 FC B6 04 77 3E   7E 90 BC 24 A9 D3 B1 86  .x8...w>...$....
0020: F9 99 26 1A FD 08 9A C3   E0 32 43 D0 A1 59 21 5C  ..&......2C..Y!\
Client MAC write Secret:
0000: D0 7D F1 90 58 AF 0B 43   F7 02 39 0C 0C B2 87 C3  ....X..C..9.....
Server MAC write Secret:
0000: 5C AD 45 74 3D 58 96 FB   41 37 72 99 12 D5 BD 3A  \.Et=X..A7r....:
Client write key:
0000: 38 AE 1A 7E 63 26 C7 7F   9D E2 74 9E D2 12 55 C9  8...c&....t...U.
Server write key:
0000: 7E 57 BF 54 A7 74 D8 72   72 AC 18 B8 5F 2D F6 06  .W.T.t.rr..._-..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close 
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
        at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
        at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
        at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
        at java.net.URL.openStream(URL.java:1009)
        at URLClient.main(URLClient.java:17)


The server logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?

Does anyone have experience with Java client verification, or can someone 
formulate an educated guess as to what the problem could be? I have the 
CAcert root certificate imported on the server side 
(SSLCACertificateFile), as well as on the client side (within the trust 
store). The server certificate, as well as the client certificate, are 
issued by CAcert. The server certificate is specified using 
SSLCertificateFile within the VirtualHost and the client certificate is 
stored within the key store. I can establish an https connection to the 
same host without client authentication, which leads to the assumption 
that the server certificate can be verified by the Java client.
I have tried to find answers to the problem using Google, but none were 
useful for the problem at hand.

Cheers,
        Florian



-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
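Added example, not part of Florian's post or of mod_ssl's own code: a Java client that loads its certificate and private key from a key store, the CA root from a trust store, and checks before connecting that the key store really contains a private-key entry. The reason for that check is visible in the debug log above: the client answers the server's CertificateRequest with an empty certificate chain (`*** Certificate chain` followed directly by `***`). JSSE sends an empty Certificate message when its key manager finds no private-key entry whose issuer chain matches one of the CA names the server listed, and a renegotiation in which the client presents no certificate is refused by mod_ssl when it requires one. The file names `client.jks` and `truststore.jks`, the password `changeit`, the host `www.example.org` and the class name `MutualTlsClient` are assumptions for the example.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not from the original post). Assumed inputs:
 *   client.jks      - JKS store holding the client certificate AND its private key
 *   truststore.jks  - JKS store holding the CA root that signed the server certificate
 *   "changeit"      - password of both stores and of the private key
 *   www.example.org - the mod_ssl host that asks for a client certificate
 */
public class MutualTlsClient {

    /** Load a key store of the given type (JKS or PKCS12) from disk. */
    static KeyStore loadKeyStore(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Return the alias of the first private-key entry that carries a certificate
     * chain, or null if the store only holds trusted certificates. A store built
     * with "keytool -import" of a certificate file alone has no private key, and
     * JSSE then answers the server's CertificateRequest with an empty Certificate
     * message, which is what "*** Certificate chain" followed by "***" in a
     * javax.net.debug log means.
     */
    static String findClientIdentity(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias);
            if (ks.isKeyEntry(alias) && chain != null && chain.length > 0) {
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("client identity '" + alias + "': subject="
                        + leaf.getSubjectX500Principal() + ", issuer=" + leaf.getIssuerX500Principal());
                return alias;
            }
        }
        return null;
    }

    /** Build an SSLContext that presents our key on request and trusts only our trust store. */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);       // supplies the client certificate and private key
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                  // verifies the server certificate against the CA root
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();                    // assumed
        KeyStore keyStore = loadKeyStore("client.jks", "JKS", password);
        KeyStore trustStore = loadKeyStore("truststore.jks", "JKS", password);

        // Fail early with a clear message instead of a bare handshake_failure alert.
        if (findClientIdentity(keyStore) == null) {
            System.err.println("client.jks contains no private-key entry; the server's "
                    + "CertificateRequest would be answered with an empty chain");
            System.exit(1);
        }

        SSLContext ctx = buildContext(keyStore, password, trustStore);
        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://www.example.org/").openConnection();  // assumed host
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        // Reading the response is what drives the handshake, including the renegotiation
        // that a per-directory SSLVerifyClient setting forces after the first request line.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL().getHost());
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
        }
    }
}
```

Run it with `-Djavax.net.debug=ssl,handshake` to get the same kind of log as above; with a usable key store the `*** Certificate chain` section lists the client certificate instead of being empty. Two things to confirm independently of the Java code: `keytool -list -v -keystore client.jks` must show the client alias as a private-key entry rather than only a trusted-certificate entry, and `openssl s_client -connect www.example.org:443 -cert client.pem -key client.key` prints the "Acceptable client certificate CA names" the server sends, which must include the issuer of the client certificate, otherwise JSSE's default key manager will not select it.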
