Cannot find peer certificate chain

2004-05-14 Thread Erwin Huber
Dear all
I'm using the following components:
   * apache 1.3.29
   * mod_ssl 2.8.16-1.3.29
   * openssl 0.9.7d
   * mm 1.3.0
   * Solaris 8
I've configured: SSLSessionCache shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)

The problem only occurs if we use client certs. If we do multiple requests 
on the same SSL session then I get an error the *first time* the request is 
handled by the *same* apache child that has stored the SSL session ID in 
the cache. All other children can access the cache without problems.

trace output in ssl_engine_log (debug level does not provide better info):
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received for child 0 (server airlock_baumi.ergon.ch:4442)
[21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will force quick renegotiation
[21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation finished successfully
[21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with standard shutdown (server airlock_baumi.ergon.ch:4442, client 192.168.167.99)

I wonder about the "Cannot find peer certificate chain" and then the "SSL 
negotiation finished successfully". hmmm.

If we use dbm instead of shmcb then this problem does not occur.
I had a look at the source code.
ssl_engine_kernel.c, line 963:
    ssl_log(r->server, SSL_LOG_TRACE,
            "Performing quick renegotiation: just re-verifying the peer");
    certstack = SSL_get_peer_cert_chain(ssl);
    cert = SSL_get_peer_certificate(ssl);
    if (certstack == NULL && cert != NULL) {
        /* client certificate is in the SSL session cache, but
           there is no chain, since ssl3_get_client_certificate()
           sk_X509_shift()'ed the peer certificate out of the
           chain. So we put it back here for the purpose of quick
           renegotiation. */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
    if (certstack == NULL || sk_X509_num(certstack) == 0) {
        ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
        return FORBIDDEN;
    }

If I omit the check on certstack == NULL with the following change:
    if (cert != NULL) {
        /* client certificate is in the SSL session cache, but
           there is no chain, since ssl3_get_client_certificate()
           sk_X509_shift()'ed the peer certificate out of the
           chain. So we put it back here for the purpose of quick
           renegotiation. */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
then the error does not occur.
Since there was no change in ssl_engine_kernel.c in version 2.8.17-1.3.31
I do not expect that this behaviour has changed. Of course I will do the 
tests again with updated apache and mod_ssl.

My question is now:
Does anybody know about a problem in this area?
What are the side-effects of my code change?
You can see the details also here: http://cvs.ossp.org/tktview?tn=46
thanks for any ideas and replies
Erwin Huber
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
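
A constructed C model added here, not code from the thread or from mod_ssl: stand-in X509 and stack types replace OpenSSL's so the original condition and the changed one from the post above can be compared on the same inputs. It shows one side-effect the post asks about: whenever a leaf certificate exists, the changed branch also replaces a chain that was actually present, so intermediates received in a full handshake never reach re-verification.

```c
/* Constructed model of the quick-renegotiation check quoted above; X509 and
 * X509_STACK are stand-ins for OpenSSL's types, so no TLS handshake is needed. */
#include <stdio.h>
#define FORBIDDEN (-1)
typedef struct { const char *subject; } X509;            /* stand-in */
typedef struct { X509 *certs[4]; int num; } X509_STACK;  /* stand-in */

/* Certs re-verification would see, or FORBIDDEN ("Cannot find peer certificate chain"). */
static int reverify_count(const X509_STACK *certstack)
{
    return (certstack == NULL || certstack->num == 0) ? FORBIDDEN : certstack->num;
}

/* Original mod_ssl 2.8 condition: one-cert chain only when the leaf exists but the chain is NULL. */
int original_quick_reverify(X509_STACK *chain, X509 *cert, X509_STACK *scratch)
{
    X509_STACK *certstack = chain;
    if (certstack == NULL && cert != NULL) {
        scratch->certs[0] = cert; scratch->num = 1;
        certstack = scratch;
    }
    return reverify_count(certstack);
}

/* Erwin's change: without the certstack == NULL test, an existing chain is also replaced. */
int patched_quick_reverify(X509_STACK *chain, X509 *cert, X509_STACK *scratch)
{
    X509_STACK *certstack = chain;
    if (cert != NULL) {
        scratch->certs[0] = cert; scratch->num = 1;
        certstack = scratch;
    }
    return reverify_count(certstack);
}

/* Constructed scenario data: leaf plus a two-cert chain that, as the quoted
 * source comment explains, no longer contains the leaf itself. */
X509 leaf = { "CN=client" }, inter = { "CN=intermediate" }, root = { "CN=ca" };
X509_STACK full_chain = { { &inter, &root }, 2 };
X509_STACK scratch;

int main(void)
{
    printf("full handshake:  original=%d patched=%d\n",
           original_quick_reverify(&full_chain, &leaf, &scratch),
           patched_quick_reverify(&full_chain, &leaf, &scratch));
    printf("resumed session: original=%d patched=%d\n",
           original_quick_reverify(NULL, &leaf, &scratch),
           patched_quick_reverify(NULL, &leaf, &scratch));
    return 0;
}
```

In the real code the stack built in that branch is a fresh allocation that must be freed, whereas SSL_get_peer_cert_chain() returns an internal pointer that must not be, and SSL_get_peer_certificate() returns a reference-counted copy that needs its own X509_free().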


Re: Cannot find peer certificate chain

1999-11-02 Thread Paolo Di Martino

Thanks for your help, Mads.

I upgraded to apache 1.3.9 - mod_ssl 2.4.6 (I tried both openssl 0.9.3 and
openssl 0.9.4).

This new version was able to load the client cert the first time I entered
in the secure area (with the OptRenegotiate option) but it still denied me
the other page I requested:

cannot find peer certificate chain

It seems that my apache server can't store the client cert or any
reference to it, making it impossible to retrieve it in the following
(short form) handshakes.

Does anybody know if there's a clear method to deal with this?


P.S. Even if I use the +ExportCertData option with the SSL_CLIENT_CERT
variable, things remain the same.



Thanks in advance


Paolo Di Martino
Omega Generation





RE: Cannot find peer certificate chain

1999-10-28 Thread mads

This looks a bit like a bug that was fixed in 2.4.6 -
a problem with the session cache made all sessions
expire immediately after the server had run for a couple 
of minutes. This would result in IE asking for the 
certificate password on every single item.

vh

Mads Toftum, QDPH
--- 
If Bill Gates had a dime for every time a Windows computer crashed...
Oh, wait, he already does...




Cannot find peer certificate chain

1999-10-28 Thread Paolo Di Martino


Hi everybody,

I'm quite new to the mailing list, found some similar stuff in it but
nothing that can solve my problem.

Here is the story:

I ran mod-ssl 2.3.5 - openssl 0.9.3 - apache 1.3.6 on an x86 machine with
Linux Red-Hat 6.0 (don't remember the kernel version).


I configured my apache-ssl server with my server.crt, server.key and
ca.crt files.

***Note

My client (1024-bit key) certificate was successfully created, signed
with ca.crt and imported into my Netscape 4.51 web browser in pkcs12
format.

***End-Note***



SSLCertificateFile /some-path/server.crt
SSLCertificateKeyFile /some-path/server.key


Then I wanted only my self-signed CA to recognize certificates:

#   Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.

Done.


SSLCACertificatePath /some-path/
SSLCACertificateFile /some-path/ca.crt

SSLVerifyClient none




when I start httpd with ssl all works fine, but, if I reconfigure it
with a per-directory access restriction



SSLVerifyClient require
SSLVerifyDepth  1        # sometimes I used 5 but the result still didn't change
SSLOptions      +FakeBasicAuth
SSLRequireSSL
SSLRequire      %{SSL_CLIENT_S_DN_O} eq "something"



then the server asks me for a certificate for every page, frame, gif or
whatever it must load from this directory.

Finally I added +OptRenegotiate to the SSLOptions directive, and
the server asks me for a certificate, but when I click on the Continue
button the answer is:

You don't have permission to access /some-directory/ on
..

The error_log file is something like this:

    Cannot find peer certificate chain

Where?

Thanks in advance for help.


Paolo Di Martino
OmegaGeneration
