I'm trying to set up client certificate authentication.
It looks like I can't set up even the simple demo...

With apache2.2 installed:
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo /etc/init.d/apache2 restart

Browse with Firefox to (https)localhost - page retrieved after
security warning, SSL working.

Then I edit default-ssl and add:
SSLCACertificatePath /etc/ssl/certs/
SSLVerifyClient require

I now browse again to the address.
As I don't have any certificate for the roots I have
installed (defaults), I would expect the browser to display an error
message. Actually it just hangs.
Also, a .NET client application that I created can't display the
"acceptable issuers" list. It is empty.

n...@ground2:/etc/ssl/certs$ openssl s_client -host localhost -port 443 -debug
CONNECTED(00000003)
write to 0x1acf790 [0x1ad0e60] (118 bytes => 118 (0x76))
0000 - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00   .t....K... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
0050 - 00 00 03 02 00 80 e8 cd-46 6c ac 68 35 93 d6 74   ........Fl.h5..t
0060 - fb e8 80 20 3f 35 bd 84-13 a1 7c da 22 f4 3d 39   ... ?5....|.".=9
0070 - b9 69 1e 2b 77 9c                                 .i.+w.
read from 0x1acf790 [0x1ad63c0] (7 bytes => 7 (0x7))
0000 - 16 03 01 00 4a 02                                 ....J.
0007 - <SPACES/NULS>
read from 0x1acf790 [0x1ad63c7] (72 bytes => 72 (0x48))
0000 - 00 46 03 01 4b a4 1a 68-ea 82 78 13 40 b9 bd 53   .f..k..h....@..s
0010 - f4 5c 3f c8 e2 aa 88 60-57 d7 7e 38 ce 82 c5 51   .\?....`W.~8...Q
0020 - a1 70 90 d0 20 79 67 a2-48 a9 9c 09 e5 47 85 e7   .p.. yg.H....G..
0030 - f6 b3 8d 88 7a 5a 62 39-83 f9 14 40 20 a1 66 ac   ....zZb9...@ .f.
0040 - a1 a5 2d 5a f8 00 39                              ..-Z..9
0048 - <SPACES/NULS>
read from 0x1acf790 [0x1ad63c0] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 a9                                    .....
read from 0x1acf790 [0x1ad63c5] (425 bytes => 425 (0x1A9))
0000 - 0b 00 01 a5 00 01 a2 00-01 9f 30 82 01 9b 30 82   ..........0...0.
0010 - 01 04 02 09 00 c3 8d a4-df 92 38 53 ba 30 0d 06   ..........8S.0..
0020 - 09 2a 86 48 86 f7 0d 01-01 05 05 00 30 12 31 10   .*.H........0.1.
0030 - 30 0e 06 03 55 04 03 13-07 67 72 6f 75 6e 64 32   0...U....ground2
0040 - 30 1e 17 0d 31 30 30 33-32 30 30 30 31 39 35 30   0...100320001950
0050 - 5a 17 0d 32 30 30 33 31-37 30 30 31 39 35 30 5a   Z..200317001950Z
0060 - 30 12 31 10 30 0e 06 03-55 04 03 13 07 67 72 6f   0.1.0...U....gro
0070 - 75 6e 64 32 30 81 9f 30-0d 06 09 2a 86 48 86 f7   und20..0...*.H..
0080 - 0d 01 01 01 05 00 03 81-8d 00 30 81 89 02 81 81   ..........0.....
0090 - 00 e3 62 43 c7 97 30 f7-15 81 90 50 ea 21 66 21   ..bC..0....P.!f!
00a0 - 04 4d 2c 29 aa b7 da 7c-fd 4b 35 ca 7f f7 16 ca   .M,)...|.K5.....
00b0 - 98 d7 66 20 ff c4 66 43-88 9f ab 1d 2f a5 c7 b9   ..f ..fC..../...
00c0 - c6 cb ee 06 ab 92 50 d9-ef 5c e0 ee 77 f1 12 a3   ......P..\..w...
00d0 - 41 d0 33 c6 e6 7a 06 12-01 7c cb 50 89 51 0d 01   A.3..z...|.P.Q..
00e0 - 21 0c 3e 02 c3 74 d0 30-46 bd 2d 67 f2 8d 41 34   !.>..t.0F.-g..A4
00f0 - 9c b2 15 99 6d d0 e0 ef-2c e9 5e 2f eb 91 8d 66   ....m...,.^/...f
0100 - be c6 76 7f 09 f5 fc e3-78 2b 9f 8d 1a 00 ff 10   ..v.....x+......
0110 - 49 02 03 01 00 01 30 0d-06 09 2a 86 48 86 f7 0d   I.....0...*.H...
0120 - 01 01 05 05 00 03 81 81-00 70 c5 4a 78 49 af 68   .........p.JxI.h
0130 - 6e 6f c4 a6 bc 6b 07 62-a6 ad 82 9f b4 f3 6e 1e   no...k.b......n.
0140 - 81 b3 d5 bf 71 30 71 94-28 cd d6 95 b5 de 62 b4   ....q0q.(.....b.
0150 - 13 34 fa 54 ae f5 0c 1c-1b 0e 71 29 4c 1e e9 8f   .4.T......q)L...
0160 - 10 f9 f9 f1 d5 f4 6e 91-7f ae e8 89 86 17 cc 88   ......n.........
0170 - 5b 11 1f d7 2c 67 0b 3b-ea de a6 0b 13 73 5e 9c   [...,g.;.....s^.
0180 - 42 3b 9f 4e 6b 6d 26 29-e5 2a 7b 25 ee 39 50 e6   B;.Nkm&).*{%.9P.
0190 - 6c 85 57 d3 c8 26 47 7c-bf ea 3d af be 7a 42 a1   l.W..&G|..=..zB.
01a0 - 97 ff 6e 4c 4e d2 83 c7-a8                        ..nLN....
depth=0 /CN=ground2
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=ground2
verify return:1
read from 0x1acf790 [0x1ad63c0] (5 bytes => 5 (0x5))
0000 - 16 03 01 01 8d                                    .....
read from 0x1acf790 [0x1ad63c5] (397 bytes => 397 (0x18D))
0000 - 0c 00 01 89 00 80 d6 7d-e4 40 cb bb dc 19 36 d6   .........@....6.
0010 - 93 d3 4a fd 0a d5 0c 84-d2 39 a4 5f 52 0b b8 81   ..J......9._R...
0020 - 74 cb 98 bc e9 51 84 9f-91 2e 63 9c 72 fb 13 b4   t....Q....c.r...
0030 - b4 d7 17 7e 16 d5 5a c1-79 ba 42 0b 2a 29 fe 32   ...~..Z.y.B.*).2
0040 - 4a 46 7a 63 5e 81 ff 59-01 37 7b ed dc fd 33 16   JFzc^..Y.7{...3.
0050 - 8a 46 1a ad 3b 72 da e8-86 00 78 04 5b 07 a7 db   .F..;r....x.[...
0060 - ca 78 74 08 7d 15 10 ea-9f cc 9d dd 33 05 07 dd   .xt.}.......3...
0070 - 62 db 88 ae aa 74 7d e0-f4 d6 e2 bd 68 b0 e7 39   b....t}.....h..9
0080 - 3e 0f 24 21 8e b3 00 01-02 00 80 13 fa f8 ea 08   >.$!............
0090 - 8a e3 d2 37 be d6 8e 7d-dd 65 ef 90 2b 91 2b 83   ...7...}.e..+.+.
00a0 - 19 35 31 a3 f9 93 43 33-80 27 6c a3 3a df a2 6c   .51...C3.'l.:..l
00b0 - 1b bc c6 c1 53 22 8f 43-58 21 f2 6e b7 d9 96 46   ....S".CX!.n...F
00c0 - 65 0a b4 4a 52 af 94 f6-ef 8e 01 1d 89 6b cd af   e..JR........k..
00d0 - 8b a6 a2 eb 6b a3 83 c8-c8 53 df c3 9d cc 3e 40   ....k....S....>@
00e0 - 67 8a 85 aa c8 8c 79 52-ce 3d fd f8 b5 ec b3 46   g.....yR.=.....F
00f0 - e6 7b d0 27 aa ee 46 d4-d3 c7 b8 2f 44 3d 99 99   .{.'..F..../D=..
0100 - 07 ae e5 a0 ca 28 7c 2e-6d ea 7c 00 80 cf 49 8f   .....(|.m.|...I.
0110 - bc 1a a7 a6 2c 61 63 6e-20 d8 08 73 69 6f 80 b6   ....,acn ..sio..
0120 - f1 2a 79 4f c1 5a 7c 89-5b 47 8a d5 11 ec fc b7   .*yO.Z|.[G......
0130 - ba 6b 79 12 4d 3b fe a0-7f c8 94 2e 6a 41 78 10   .ky.M;......jAx.
0140 - d2 71 fb a8 79 f5 11 e4-f5 22 e9 25 e0 77 53 09   .q..y....".%.wS.
0150 - ac aa 94 f6 b4 c6 2c 58-8d 5f e3 ad 07 f9 5e d5   ......,X._....^.
0160 - c9 79 17 2d 85 bf f4 52-38 14 f8 38 4a eb c2 83   .y.-...R8..8J...
0170 - c7 76 73 82 ff 43 e9 18-13 bc 05 8b 40 ab e5 6f   .vs..c......@..o
0180 - 5a 51 25 8a bc ad 81 14-b6 5e d6 48 76            ZQ%......^.Hv
read from 0x1acf790 [0x1ad63c0] (5 bytes => 5 (0x5))
0000 - 16 03 01 40                                       ...@
0005 - <SPACES/NULS>
read from 0x1acf790 [0x1ad63c5] (16384 bytes => 16384 (0x4000))
0000 - 0d 00 5a 02 05 03 04 01-02 40 59 fa 00 14 30 12   ..z......@y...0.
0010 - 31 10 30 0e 06 03 55 04-03 13 07 67 72 6f 75 6e   1.0...U....groun
0020 - 64 32 00 41 30 3f 31 24-30 22 06 03 55 04 0a 13   d2.A0?1$0"..U...
0030 - 1b 44 69 67 69 74 61 6c-20 53 69 67 6e 61 74 75   .Digital Signatu
0040 - 72 65 20 54 72 75 73 74-20 43 6f 2e 31 17 30 15   re Trust Co.1.0.
0050 - 06 03 55 04 03 13 0e 44-53 54 20 52 6f 6f 74 20   ..U....DST Root
0060 - 43 41 20 58 33 00 3c 30-3a 31 19 30 17 06 03 55   CA X3.<0:1.0...U
0070 - 04 0a 13 10 52 53 41 20-53 65 63 75 72 69 74 79   ....RSA Security
0080 - 20 49 6e 63 31 1d 30 1b-06 03 55 04 0b 13 14 52    Inc1.0...U....R
0090 - 53 41 20 53 65 63 75 72-69 74 79 20 31 30 32 34   SA Security 1024
00a0 - 20 56 33 00 3c 30 3a 31-19 30 17 06 03 55 04 0a    V3.<0:1.0...U..
00b0 - 13 10 52 53 41 20 53 65-63 75 72 69 74 79 20 49   ..RSA Security I
00c0 - 6e 63 31 1d 30 1b 06 03-55 04 0b 13 14 52 53 41   nc1.0...U....RSA
00d0 - 20 53 65 63 75 72 69 74-79 20 32 30 34 38 20 56    Security 2048 V
00e0 - 33 00 41 30 3f 31 0b 30-09 06 03 55 04 06 13 02   3.A0?1.0...U....
00f0 - 54 57 31 30 30 2e 06 03-55 04 0a 0c 27 47 6f 76   TW100...U...'Gov
0100 - 65 72 6e 6d 65 6e 74 20-52 6f 6f 74 20 43 65 72   ernment Root Cer
0110 - 74 69 66 69 63 61 74 69-6f 6e 20 41 75 74 68 6f   tification Autho
0120 - 72 69 74 79 00 65 30 63-31 0b 30 09 06 03 55 04   rity.e0c1.0...U.
0130 - 06 13 02 55 53 31 1c 30-1a 06 03 55 04 0a 13 13   ...US1.0...U....
0140 - 41 6d 65 72 69 63 61 20-4f 6e 6c 69 6e 65 20 49   America Online I
0150 - 6e 63 2e 31 36 30 34 06-03 55 04 03 13 2d 41 6d   nc.1604..U...-Am
0160 - 65 72 69 63 61 20 4f 6e-6c 69 6e 65 20 52 6f 6f   erica Online Roo
0170 - 74 20 43 65 72 74 69 66-69 63 61 74 69 6f 6e 20   t Certification
0180 - 41 75 74 68 6f 72 69 74-79 20 31 00 65 30 63 31   Authority 1.e0c1
0190 - 0b 30 09 06 03 55 04 06-13 02 55 53 31 1c 30 1a   .0...U....US1.0.
01a0 - 06 03 55 04 0a 13 13 41-6d 65 72 69 63 61 20 4f   ..U....America O
01b0 - 6e 6c 69 6e 65 20 49 6e-63 2e 31 36 30 34 06 03   nline Inc.1604..
01c0 - 55 04 03 13 2d 41 6d 65-72 69 63 61 20 4f 6e 6c   U...-America Onl
01d0 - 69 6e 65 20 52 6f 6f 74-20 43 65 72 74 69 66 69   ine Root Certifi
01e0 - 63 61 74 69 6f 6e 20 41-75 74 68 6f 72 69 74 79   cation Authority
01f0 - 20 32 00 68 30 66 31 12-30 10 06 03 55 04 0a 13    2.h0f1.0...U...
...
3fc0 - 61 6c 69 64 61 74 69 6f-6e 20 41 75 74 68 6f 72   alidation Author
3fd0 - 69 74 79 31 21 30 1f 06-03 55 04 03 13 18 68 74   ity1!0...U....ht
3fe0 - 74 70 3a 2f 2f 77 77 77-2e 76 61 6c 69 63 65 72   tp://www.valicer
3ff0 - 74 2e 63 6f 6d 2f 31 20-30 1e 06 09 2a 86 48 86   t.com/1 0...*.H.
read from 0x1acf790 [0x1ad63c0] (5 bytes => 0 (0x0))
4201:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
n...@ground2:/etc/ssl/certs$

Questions:
Is it normal that Firefox hangs when it doesn't have a valid certificate
to provide?
Does the OpenSSL output look OK? (Or is the error at the end an exception?)

Regards,
--
\ Nuno Gonçalves
/
\ Bugs? Features!
/
\ nuno...@gmail.com
/ PORTUGAL
E-mail sent directly from Google Mail webmail using HTTPS on behalf of
Nuno João Pinto Gonçalves, birth date 1986-11-16. E-mail headers
provide good assurance that this message was not tampered and
originates from nuno...@gmail.com. If you require additional security,
I may provide on request X509 electronic signature under Portuguese
government chain.
If you need a digital signature from the Citizen Card (Cartão de Cidadão), just give me a shout.
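
Added example (not part of the original message): a Python sketch that decodes bytes 0000-0064 of the 16384-byte read in the s_client dump above as the start of a TLS 1.0 CertificateRequest (RFC 2246, section 7.4.4), reporting the message size and the first two acceptable-issuer names. The function names are hypothetical; the bytes are copied from the dump.

```python
# Bytes 0000-0064 of the 16384-byte read, copied from the s_client -debug output.
FRAGMENT = bytes.fromhex("""
    0d 00 5a 02 05 03 04 01 02 40 59 fa 00 14 30 12
    31 10 30 0e 06 03 55 04 03 13 07 67 72 6f 75 6e
    64 32 00 41 30 3f 31 24 30 22 06 03 55 04 0a 13
    1b 44 69 67 69 74 61 6c 20 53 69 67 6e 61 74 75
    72 65 20 54 72 75 73 74 20 43 6f 2e 31 17 30 15
    06 03 55 04 03 13 0e 44 53 54 20 52 6f 6f 74 20
    43 41 20 58 33
""")
MAX_RECORD = 0x4000  # largest TLS record payload; the dump's header is 16 03 01 40 00

def parse_certificate_request(frag):
    """Return (body_len, cert_types, ca_list_len, complete DNs in this fragment)."""
    if frag[0] != 0x0D:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(frag[1:4], "big")      # 24-bit handshake length
    n_types = frag[4]
    cert_types = list(frag[5:5 + n_types])           # ClientCertificateType values
    pos = 5 + n_types
    ca_list_len = int.from_bytes(frag[pos:pos + 2], "big")
    pos += 2
    names = []
    while pos + 2 <= len(frag):                      # each DN has a 2-byte length
        dn_len = int.from_bytes(frag[pos:pos + 2], "big")
        dn = frag[pos + 2:pos + 2 + dn_len]
        if len(dn) < dn_len:                         # DN continues past the fragment
            break
        names.append(dn)
        pos += 2 + dn_len
    return body_len, cert_types, ca_list_len, names

def dn_strings(der):
    """Walk a DER Name and collect its string attribute values."""
    out, pos = [], 0
    while pos + 2 <= len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:                            # long-form DER length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        value, pos = der[pos:pos + length], pos + length
        if tag in (0x30, 0x31):                      # SEQUENCE / SET: descend
            out += dn_strings(value)
        elif tag in (0x0C, 0x13, 0x16):              # UTF8/Printable/IA5 string
            out.append(value.decode("ascii", "replace"))
    return out

def summarize(frag):
    body_len, types, ca_len, names = parse_certificate_request(frag)
    total = body_len + 4                             # plus 4-byte handshake header
    return {"handshake_bytes": total, "records_needed": -(-total // MAX_RECORD),
            "cert_types": types, "ca_list_bytes": ca_len,
            "issuers": [dn_strings(n) for n in names]}
```

Calling `summarize(FRAGMENT)` shows that the issuer list alone is 23034 bytes, so the CertificateRequest cannot fit in one 16384-byte record; that size comes from Apache advertising every CA it finds under the configured `SSLCACertificatePath`.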