I'm stumped so I thought I would give this list a try as I believe my problem is
an openssl issue.

Background:  Building an SSL-enabled Apache web server on a closed network. 
Apache under Solaris 8 OS.  Need to restrict access to users with ID
certificates issued by particular CAs (issued by particular Root issuers) read
from a smart card.  I can make everything work except restricting access to
particular CAs.  Whenever I enable SSLVerifyClient and SSLVerifyDepth in
Apache it denies all access even though I present a cert that was issued by one
of the CAs under SSLCACertificatePath, and even though I have those CAs' certs
loaded on the server and can dump and verify them with openssl.  I get errors
in the Apache log such as:

"Certificate Verification: Error (20): unable to get local issuer certificate"

and

"SSL Library Error: 336105650 error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"

I'm not sure which certificate is not being returned.  From the browser/smart
card?  It seems to be presenting the cert to the server.  I suspect that error
is misleading.

I know the browser is reading the cert from the smart card as the browser
security module kicks in and asks which cert from the smart card to present to
the server.  I can't just install the user ID cert directly in the browser as
they are flagged non-exportable for security reasons, plus the smart cards are
a requirement.

Software:  Apache/2.2.4 (Unix) mod_jk/1.2.21 DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e
mod_perl/2.0.3 Perl/v5.8.8

I tried some tests with openssl verify, s_client, s_server etc.  openssl
s_server seems happy with everything.  For example:

openssl s_server -key conf/euukmoappd003n.dev.local.server.key -cert conf/cert.euukmoappd003n.dev.local.server.crt -CApath conf/ssl.crt -state -Verify 10

verify depth is 10, must return a certificate
Enter pass phrase for conf/disa.euukmoappd003n.dev.local.server.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

And I can connect with s_client.

Below is the debug log from starting the SSL server and trying and failing to
view a test page with a certificate issued by a root/CA chain the server has
loaded.  When I try to load a test page, it grinds a bit, asks me to insert my
smart card, grinds a bit, asks for my smart card PIN, grinds a bit more, then
the browser displays an error page that "The page cannot be displayed".  This
is with Microsoft Internet Explorer (unfortunately that is the browser the
users have).  Sorry I can't post the actual certs here as we have pretty tight
security rules.  Thanks in advance.

[Fri Dec 07 19:11:40 2007] [info] Loading certificate & private key of SSL-aware
server
[Fri Dec 07 19:11:40 2007] [debug] ssl_engine_pphrase.c(481): encrypted RSA
private key - pass phrase reused
[Fri Dec 07 19:11:41 2007] [info] Configuring server for SSL protocol
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL
context (protocols: SSLv3, TLSv1)
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client
authentication
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-15
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-15
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(601): Configuring permitted
SSL ciphers [ALL:!ADH:!EXPORT56:!EXP:RC4+RSA:+HIGH:-MEDIUM:!LOW:+SSLv2:-eNULL]
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(626): Configuring
certificate revocation facility
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(729): Configuring RSA
server certificate
[Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(768): Configuring RSA
server private key
[Fri Dec 07 19:11:43 2007] [info] Configuring server for SSL protocol
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(405): Creating new SSL
context (protocols: SSLv3, TLSv1)
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(538): Configuring client
authentication
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=ECA/CN=ECA Root CA
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-15
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(1113): CA certificate:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-15
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(601): Configuring permitted
SSL ciphers [ALL:!ADH:!EXPORT56:!EXP:RC4+RSA:+HIGH:-MEDIUM:!LOW:+SSLv2:-eNULL]
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(626): Configuring
certificate revocation facility
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(729): Configuring RSA
server certificate
[Fri Dec 07 19:11:43 2007] [debug] ssl_engine_init.c(768): Configuring RSA
server private key
[Fri Dec 07 19:11:49 2007] [info] [client 131.58.59.198] Connection to child 0
established (server euukmoappd003n.dev.local:443)
[Fri Dec 07 19:11:49 2007] [info] Seeding PRNG with 512 bytes of entropy
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1752): OpenSSL:
Handshake: start
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
before/accept initialization
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11
bytes from BIO#100629330 [mem: 1007677e0] (BIO dump follows)
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0000: 80 4c 01 03 01
00 33 00-00 00 10                 .L....3....      |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read 67/67
bytes from BIO#100629330 [mem: 1007677eb] (BIO dump follows)
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0000: 00 00 04 00 00
05 00 00-0a 01 00 80 07 00 c0 03  ................ |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0010: 00 80 00 00 09
06 00 40-00 00 64 00 00 62 00 00  .......@..d..b.. |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0020: 03 00 00 06 02
00 80 04-00 80 00 00 13 00 00 12  ................ |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0030: 00 00 63 58 73
4d 82 58-2f cf 3e 3f 17 85 78 27  ..cXsM.X/.>?..x' |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1747): | 0040: c1 b5 bb      
                                  ...              |
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 read client hello A
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write server hello A
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write certificate A
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write certificate request A
[Fri Dec 07 19:11:49 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 flush data
[Fri Dec 07 19:12:03 2007] [debug] ssl_engine_io.c(1786): OpenSSL: I/O error, 5
bytes expected to read on BIO#100629330 [mem: 1007677e0]
[Fri Dec 07 19:12:03 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Fri Dec 07 19:12:03 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit:
error in SSLv3 read client certificate A
[Fri Dec 07 19:12:03 2007] [info] [client 131.58.59.198] (70014)End of file
found: SSL handshake interrupted by system [Hint: Stop button pressed in
browser?!]
[Fri Dec 07 19:12:03 2007] [info] [client 131.58.59.198] Connection closed to
child 0 with abortive shutdown (server euukmoappd003n.dev.local:443)
[Fri Dec 07 19:12:13 2007] [info] [client 131.58.59.198] Connection to child 1
established (server euukmoappd003n.dev.local:443)
[Fri Dec 07 19:12:13 2007] [info] Seeding PRNG with 512 bytes of entropy
[Fri Dec 07 19:12:13 2007] [debug] ssl_engine_kernel.c(1752): OpenSSL:
Handshake: start
[Fri Dec 07 19:12:13 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
before/accept initialization
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read 11/11
bytes from BIO#100629330 [mem: 1007677e0] (BIO dump follows)
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0000: 80 4c 01 03 01
00 33 00-00 00 10                 .L....3....      |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read 67/67
bytes from BIO#100629330 [mem: 1007677eb] (BIO dump follows)
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0000: 00 00 04 00 00
05 00 00-0a 01 00 80 07 00 c0 03  ................ |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0010: 00 80 00 00 09
06 00 40-00 00 64 00 00 62 00 00  .......@..d..b.. |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0020: 03 00 00 06 02
00 80 04-00 80 00 00 13 00 00 12  ................ |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0030: 00 00 63 bb 75
33 36 bc-e7 29 6d 0a 05 49 dc 04  ..c.u36..)m..I.. |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1747): | 0040: 35 16 bc      
                                  5..              |
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 read client hello A
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write server hello A
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write certificate A
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 write certificate request A
[Fri Dec 07 19:12:34 2007] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop:
SSLv3 flush data
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5
bytes from BIO#100629330 [mem: 1007677e0] (BIO dump follows)
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1747): | 0000: 16 03 01 09 50
                                  ....P            |
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1775): OpenSSL: read
2384/2384 bytes from BIO#100629330 [mem: 1007677e5] (BIO dump follows)
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1722):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1747): | 0000: 0b 00 08 40 00
08 3d 00-03 ff 30 82 03 fb 30 82  ...@..=...0...0. |
** SNIPPED A BUNCH OF THIS HEX DUMP **
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1747): | 0940: 66 8f 49 f1 e4
a6 88 c5-db 06 cd 35 a4 f5 a2 13  f.I........5.... |
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_io.c(1753):
+-------------------------------------------------------------------------+
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12, issuer:
/C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2
[Fri Dec 07 19:12:43 2007] [error] Certificate Verification: Error (20): unable
to get local issuer certificate
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write:
SSLv3 read client certificate B
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit:
error in SSLv3 read client certificate B
[Fri Dec 07 19:12:43 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL: Exit:
error in SSLv3 read client certificate B
[Fri Dec 07 19:12:43 2007] [info] [client 131.58.59.198] SSL library error 1 in
handshake (server euukmoappd003n.dev.local:443)
[Fri Dec 07 19:12:43 2007] [info] SSL Library Error: 336105650
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Dec 07 19:12:43 2007] [info] [client 131.58.59.198] Connection closed to
child 1 with abortive shutdown (server euukmoappd003n.dev.local:443)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
