Re: SSLCertificateChain file for Intermediate CA
[EMAIL PROTECTED] wrote:
> Hi Damon,
> Could you please put in the corrected part of your httpd.conf file - all
> the directives that are relevant to SSL connections.

OK, this is for the site https://www.motorweb.co.nz. Try it and you may I say.

First off, I'm using a Verisign Global ID certificate (i.e. SGC). What I have
currently works with MSIE 5+ and NS 4.7 (haven't tried other NS's). It does
work with MSIE 4 but this version of IE doesn't like the Verisign Global
certificate (it can't complete the chain) and therefore says it doesn't trust
our site. This is despite the fact that Verisign says the Global IDs work with
MSIE 4+, so I must still have something wrong.

At the bottom of this message is the ssl_engine_log of the server starting up
and MSIE 4.7 trying to connect. Can someone point out why the intermediate_ca
doesn't seem to get to IE? Is it because IE is connecting with SSLv2?

Anyway, here's the relevant lines from my httpd.conf

--- httpd.conf ---

Listen 443

# SSL session cache is required to get around MSIE bugs
SSLSessionCache dbm:/var/log/httpd/ssl_cache
SSLSessionCacheTimeout 300

<VirtualHost 210.55.172.141:443>
    ServerName www.motorweb.co.nz
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate-ca.crt
    SSLLog /var/log/httpd/ssl_engine_log
    SSLLogLevel trace
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

--- ssl_engine_log ---

Init: Loading certificate private key of SSL-aware server www.motorweb.co.nz:443
Init: (www.motorweb.co.nz:443) unencrypted RSA private key - pass phrase not required
Init: Configuring server www.motorweb.co.nz:443 for SSL protocol
Init: (www.motorweb.co.nz:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
Init: (www.motorweb.co.nz:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
Init: (www.motorweb.co.nz:443) Configuring RSA server certificate
Init: (www.motorweb.co.nz:443) RSA server certificate enables Server Gated Cryptography (SGC)
Init: (www.motorweb.co.nz:443) Configuring RSA server private key
Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1 CA certificate)
Connection to child 2 established (server www.motorweb.co.nz:443, client 210.55.82.41)
Seeding PRNG with 0 bytes of entropy
OpenSSL: Handshake: start
OpenSSL: Loop: before/accept initialization
OpenSSL: Loop: SSLv2 read client hello A
OpenSSL: Loop: SSLv2 write server hello A
OpenSSL: Loop: SSLv2 read client master key A
OpenSSL: Loop: SSLv2 server start encryption
OpenSSL: Loop: SSLv2 write server verify A
OpenSSL: Loop: SSLv2 read client finished A
OpenSSL: Loop: SSLv2 write request certificate A
OpenSSL: Loop: SSLv2 write server finished A
Inter-Process Session Cache: request=SET status=OK id=82EBC78C51D8403F32DA3EA9C62507DC timeout=299s (session caching)
OpenSSL: Handshake: done
Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher: EXP-RC4-MD5 (40/128 bits)
Connection to child 2 closed with standard shutdown (server www.motorweb.co.nz:443, client 210.55.82.41)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
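The log in the message above records the MSIE client negotiating SSLv2 with EXP-RC4-MD5. An SSLv2 SERVER-HELLO carries exactly one certificate and has no field for a chain, so a connection negotiated as SSLv2 can never receive the intermediate, whatever SSLCertificateChainFile holds; the same applies to the `SSLProtocol -all +SSLv2` workaround posted later in this thread. The script below is an added example written for this page, not code from the thread or from mod_ssl. It resolves an `SSLProtocol` directive with a simplified reading of mod_ssl's `+`/`-`/`all` syntax (an assumption, noted in the code), reports which enabled protocols can carry a chain at all, and scans `ssl_engine_log` `Connection:` summary lines for handshakes that fell back to SSLv2 or to export-strength ciphers. The embedded log lines are constructed; the first copies the summary line from the log above, and the timestamp prefix follows the `[date pid] [level]` form seen in the trace lines elsewhere in the thread.

```python
"""Audit mod_ssl 2.x protocol settings and ssl_engine_log handshake summaries.

Added example for this thread; not mod_ssl code and not from the list posts.
"""
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")   # what mod_ssl 2.x meant by "all"


def enabled_protocols(directive):
    """Resolve an 'SSLProtocol ...' directive into the set of enabled protocols.

    Assumption: a simplified reading of mod_ssl's syntax. Tokens apply left to
    right; 'all' names every protocol, '+X' enables X, '-X' disables X and a
    bare 'X' enables X.
    """
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def chain_capable(protocols):
    """Protocols on which the server can send the ChainFile at all.

    SSLv2's SERVER-HELLO carries a single certificate, so it is excluded.
    """
    return {p for p in protocols if p != "SSLv2"}


# Summary line mod_ssl writes after each handshake, e.g.
# "Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher: EXP-RC4-MD5 (40/128 bits)"
CONN_RE = re.compile(
    r"Connection: Client IP: (?P<ip>[\d.]+), Protocol: (?P<proto>\S+), "
    r"Cipher: (?P<cipher>\S+) \((?P<bits>\d+)/(?P<alg_bits>\d+) bits\)"
)


def audit_connection(line):
    """Findings for one log line; [] if it is clean or not a handshake summary."""
    m = CONN_RE.search(line)
    if not m:
        return []
    findings = []
    ip = m.group("ip")
    if m.group("proto") == "SSLv2":
        findings.append("%s: SSLv2 negotiated; no certificate chain can be delivered "
                        "on this connection" % ip)
    bits = int(m.group("bits"))
    if bits < 128 or m.group("cipher").startswith("EXP"):
        findings.append("%s: export-strength cipher %s (%d bits)" % (ip, m.group("cipher"), bits))
    return findings


def audit_log(lines):
    findings = []
    for line in lines:
        findings.extend(audit_connection(line))
    return findings


# Constructed sample log. Line 1 copies the summary line from the message above;
# lines 2 and 3 are made up to show a clean TLSv1 handshake and a weak SSLv3 one;
# line 4 is a non-summary line the auditor must ignore.
SAMPLE_LOG = """\
[20/May/2001 16:02:11 11602] [info]  Connection: Client IP: 210.55.82.41, Protocol: SSLv2, Cipher: EXP-RC4-MD5 (40/128 bits)
[20/May/2001 16:03:45 11602] [info]  Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[20/May/2001 16:04:02 11602] [info]  Connection: Client IP: 192.0.2.11, Protocol: SSLv3, Cipher: EXP-DES-CBC-SHA (40/56 bits)
[20/May/2001 16:04:02 11602] [trace] Init: (www.motorweb.co.nz:443) Configuring server certificate chain (1 CA certificate)
"""

if __name__ == "__main__":
    protos = enabled_protocols("SSLProtocol -all +SSLv2")
    print("enabled:", sorted(protos), "chain-capable:", sorted(chain_capable(protos)))
    for finding in audit_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Running it against the sample prints an empty chain-capable set for the SSLv2-only directive and three findings: two for the SSLv2/40-bit handshake from the thread and one for the constructed export-cipher SSLv3 handshake.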
Re: SSLCertificateChain file for Intermediate CA
> Without going through mod_ssl's source: did you try to put the complete
> chain into the ChainFile?

Tried this, but it didn't make any difference.

> With respect to the error message, mod_ssl can write more messages than
> that into e.g. an ssl_engine_log. Did you check all possible logfiles?

I've checked, even with SSLLogLevel debug I couldn't get any more out of it.
I've since looked through the mod_ssl source and if there is any kind of error
while trying to load the ChainFile then the generic "Failed to configure CA
certificate chain!" message is produced. Not very helpful really since there
are many possibilities.

I have also tried using SSLCACertificateFile instead of and in conjunction with
SSLCertificateChainFile. This was described at
http://www.verisign.com/support/tlc/class3_install_docs/ssleay/v00g.html as
the instructions for ApacheSSL rather than mod_ssl. If used instead of
SSLCertificateChainFile no init errors happen and the following is reported in
ssl_engine_log:

[20/May/2001 15:10:19 11541] [trace] Init: (www.motorweb.co.nz:443) Configuring client authentication
[20/May/2001 15:10:19 11541] [trace] CA certificate: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

So it appears there is nothing wrong with my Intermediate Certificate (since
that's what the trace is outputting) or Apache's ability to read it. Why oh
why then doesn't it work with SSLCertificateChainFile, agh!

Thanks for the help and suggestions, but I'm still stuck. One thing I haven't
mentioned previously is that I'm running Apache 1.3.12 and mod_ssl 2.6. But I
presume there shouldn't be a problem with either of these versions.

regards,
Damon.
Re: SSLCertificateChain file for Intermediate CA
Juha Saarinen wrote:
> On Sun, 20 May 2001, Damon Maria wrote:
> > One thing I haven't mentioned previously is that I'm running Apache 1.3.12
> > and mod_ssl 2.6. But I presume there shouldn't be a problem with either of
> > these versions.
>
> Well... Can't hurt to upgrade, can it? I'm running Apache 1.3.19 with
> mod_ssl 2.8.1-1.6.0 (weird versioning courtesy of the RPM packager), and it
> uses the SSLCertificateChain thang without problems.

I may as well, I'm running out of other options.

thanks again for the help,
Damon.
Re: SSLCertificateChain file for Intermediate CA
> I presume you're not trying to explicitly construct the server certificate
> chain that is being sent to the browser, together with the actual server
> cert?

This is what I'm trying to do. I'm trying to send all the certificates in the
chain (except the root) to the browser. This includes my server certificate
and the intermediate certificate.

If you try https://www.motorweb.co.nz/ in IE (I'm using 5.0) and click on the
padlock, look at the Certification Path. You'll see there is the Primary CA,
the www.verisign.com Intermediate CA and then the www.motorweb.co.nz
certificate. IE contains the Primary and Intermediate CA and so works fine.
Other browsers don't contain the Intermediate CA and so can't complete the
chain. I need to get mod_ssl to serve up the Intermediate CA, and that's what
SSLCertificateChainFile is supposed to do. But adding that into httpd.conf
causes mod_ssl to die on startup:

Failed to configure CA certificate chain!

regards,
Damon.
Re: SSLCertificateChain file for Intermediate CA
Since I haven't gotten too much of a response yet (except for thanks to Juha)
I'll post my VirtualHost in httpd.conf, which I probably should have done in
the first place. If I uncomment the SSLCertificateChainFile line then the
following appears in the log and apache won't start...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've copied my original message at the bottom of this one which contains the
contents of /etc/httpd/conf/ssl.crt/intermediate_ca.crt (as I got it from
Verisign's site). I've seen this solution to the Global ID Intermediate CA
problem documented all over the web, but can't get it to work. There must be
something obviously wrong with what I've done.

yours in desperation,
Damon.

--
<VirtualHost>
    ServerName www.motorweb.co.nz
    SSLEngine on
    # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
    # SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
    SSLProtocol -all +SSLv2
    SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
    # SSLLog /var/log/httpd/ssl_engine_log
    # SSLLogLevel debug
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

-------- Original Message --------
Subject: SSLCertificateChain file for Intermediate CA
Date: Thu, 17 May 2001 15:47:46 +1200
From: Damon Maria <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

I'm using a Verisign Global ID and therefore need to configure modssl to serve
up the Intermediate CA. I've followed the various instructions I've found for
this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt (I've
listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start Apache
with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more information.

I've been trying for ages and am getting desperate, can someone help me out.

thanks in advance,
Damon Maria.

-----BEGIN CERTIFICATE-----
MIIEMTCCA5qgAwIBAgIQI2yXHivGDQv5dGDe8QjDwzANBgkqhkiG9w0BAQIFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTcwNDE3MDAwMDAwWhcN
MDQwMTA3MjM1OTU5WjCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUG
A1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwg
U2VydmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5j
b3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01OOfdcSVq4
wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOCAZAwggGMMA8GA1Ud
EwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHSUEGTAX
BgpghkgBhvhFAQgBBglghkgBhvhCBAEwggE1BgNVHSAEggEsMIIBKDCCASQGC2CGSAGG+EUB
BwEBMIIBEzAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzCB5gYI
KwYBBQUHAgIwgdkwFRYOVmVyaVNpZ24sIEluYy4wAwIBARqBv1ZlcmlTaWduJ3MgQ2VydGlm
aWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQsIHd3dy52ZXJpc2lnbi5jb20vQ1BTLCBnb3Zl
cm5zIHRoaXMgY2VydGlmaWNhdGUgJiBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlIGhl
cmVpbi4gU09NRSBXQVJSQU5USUVTIERJU0NMQUlNRUQgJiBMSUFCSUxJVFkgTFRELiAoYykx
OTk3IFZlcmlTaWduMA0GCSqGSIb3DQEBAgUAA4GBALiMmMMrSPVyzWgNGrN0Y7uxWLaYRSLs
EY3HTjOLYlohJGyawEK0Rak6+2fwkb4YH9VIGZNrjcs3S4bmfZv9jHiZ/4PC/NlVBp4xZkZ9
G3hg9FXUbFXIaWJwfE22iQYFm8hDjswMKNXRjM1GUOMxlmaSESQeSltLZl5lVR5fN5qu
-----END CERTIFICATE-----
Re: SSLCertificateChain file for Intermediate CA
Juha Saarinen wrote:
> Stupid suggestion, perhaps, but can Apache read the CA file? Are the
> permissions OK?

Good suggestion, but the permissions are OK (identical to server.crt).

thanks again,
Damon.
SSLCertificateChain file for Intermediate CA
I'm using a Verisign Global ID and therefore need to configure modssl to serve
up the Intermediate CA. I've followed the various instructions I've found for
this but with no success.

I downloaded the Intermediate CA and saved it under intermediate_ca.crt (I've
listed it at the bottom of this message). I then added...

SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt

into my VirtualHost next to all the other SSL* settings. But if I start Apache
with this setting it reports...

[error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA certificate chain!

I've tried SSLLogLevel debug but this doesn't produce any more information.

I've been trying for ages and am getting desperate, can someone help me out.

thanks in advance,
Damon Maria.

-----BEGIN CERTIFICATE-----
MIIEMTCCA5qgAwIBAgIQI2yXHivGDQv5dGDe8QjDwzANBgkqhkiG9w0BAQIFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTcwNDE3MDAwMDAwWhcN
MDQwMTA3MjM1OTU5WjCBujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUG
A1UECxMOVmVyaVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwg
U2VydmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5j
b3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01OOfdcSVq4
wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOCAZAwggGMMA8GA1Ud
EwQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAgBgNVHSUEGTAX
BgpghkgBhvhFAQgBBglghkgBhvhCBAEwggE1BgNVHSAEggEsMIIBKDCCASQGC2CGSAGG+EUB
BwEBMIIBEzAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzCB5gYI
KwYBBQUHAgIwgdkwFRYOVmVyaVNpZ24sIEluYy4wAwIBARqBv1ZlcmlTaWduJ3MgQ2VydGlm
aWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQsIHd3dy52ZXJpc2lnbi5jb20vQ1BTLCBnb3Zl
cm5zIHRoaXMgY2VydGlmaWNhdGUgJiBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlIGhl
cmVpbi4gU09NRSBXQVJSQU5USUVTIERJU0NMQUlNRUQgJiBMSUFCSUxJVFkgTFRELiAoYykx
OTk3IFZlcmlTaWduMA0GCSqGSIb3DQEBAgUAA4GBALiMmMMrSPVyzWgNGrN0Y7uxWLaYRSLs
EY3HTjOLYlohJGyawEK0Rak6+2fwkb4YH9VIGZNrjcs3S4bmfZv9jHiZ/4PC/NlVBp4xZkZ9
G3hg9FXUbFXIaWJwfE22iQYFm8hDjswMKNXRjM1GUOMxlmaSESQeSltLZl5lVR5fN5qu
-----END CERTIFICATE-----
Re: SSLCertificateChain file for Intermediate CA
> Seems to work OK...

Did you use IE? That seems to work fine (I guess it comes with the Intermediate
CA), Netscape and Opera both barf on it tho'.

> https://www.motorweb.co.nz loads fine, and if I look at the cert, I see:
>
> Issued to: www.motorweb.co.nz
> Issued by: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign [sic]
> Valid from: 05/02/01 to 06/02/02
> Cert serial is: 74EB B7E7 DB06 D3A7 5401 3B94 4C7B B1FE
> Thumbprint: D0EA 585F DD9A E330 10DB A820 F2B1 327B FB15 48CD
>
> --
> Juha
>
> PS. I'm gunna tell Nic what a l4m3r you are. ;)

Wait until you try it in NS first :)

:: -----Original Message-----
:: From: [EMAIL PROTECTED]
:: [mailto:[EMAIL PROTECTED]]On Behalf Of Damon Maria
:: Sent: Thursday, 17 May 2001 15:48
:: To: [EMAIL PROTECTED]
:: Subject: SSLCertificateChain file for Intermediate CA
::
::
:: I'm using a Verisign Global ID and therefore need to configure modssl to
:: serve up the Intermediate CA. I've followed the various instructions
:: I've found for this but with no success.
::
:: I downloaded the Intermediate CA and saved it under intermediate_ca.crt
:: (I've listed it at the bottom of this message). I then added...
::
:: SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
::
:: into my VirtualHost next to all the other SSL* settings. But if I start
:: Apache with this setting it reports...
::
:: [error] mod_ssl: Init: (www.motorweb.co.nz:443) Failed to configure CA
:: certificate chain!
::
:: I've tried SSLLogLevel debug but this doesn't produce any more
:: information.
::
:: I've been trying for ages and am getting desperate, can someone help me
:: out.
::
:: thanks in advance,
:: Damon Maria.
::