client certificate problems
In short I'm working on duplicating a web site locally for testing and
I am unable to get Client certificates to work here in my lab.
The "main/public" site is using apache 1.3.33 on OS X and is properly
configured for client certs, but I can't get this test configuration
to work. I am using "Apache 2.0.52" so that could be a factor.
(if necessary, I will try to reconfigure with 1.3.33)
The client browser is IE 6.x and what is odd is when I navigate to the
"main/public" site I am prompted to select a certificate, but when
I navigate to the "test" site IE 6.x just times out. For that reason
I am suspicious of the apache configuration but I can't be certain.
I tried with FireFox (1.0) and it also timed out. Firefox is
configured to "ask every time" for client cert. selection and
like IE, I am not prompted.
(I'm also suspicious as to why I can't select the client certificate
from the IE dialog for the test site - only the certificate for the
public site is listed.)
The virtual host configuration is listed below ("ssl.conf" was
unchanged for 2.0.52) and the error in the ssl.log is also listed
below. If anyone could offer any trouble shooting tips that would
be greatly appreciated.
Thanks for your time and assistance.
John
//-
Additional information:
Version: Apache/2.0.52
OS: Mac OS X 10.3.7
//-
// here is the log of the error:
[info] Initial (No.1) HTTPS request received for child 5 (server
www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will
force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation:
complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept
initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to
read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read
client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?
//-
// here is the virtual host info:
DocumentRoot "/some_directory/ssl_site"
ServerAdmin [EMAIL PROTECTED]
ServerName www.apollo.home
LogLevel warn
# LogLevel debug
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
CustomLog logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x
%{SSL_CIPHER}x \"%r\" %b"
ErrorLog logs/apollo/443.error.log
DirectoryIndex "index.html"
#
# ssl stuff
#
SSLEngine On
SSLProtocol all -SSLv3
SSLCipherSuite
"ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
#
#
LogLevel debug
ErrorLog "logs/apollo/ssl.log"
SSLOptions +StdEnvVars +ExportCertData
#
#
# path to certificates and private key
#
SSLCertificateFile
"/some_directory/openssl/servers/www.apollo.home.cert.pem"
SSLCertificateKeyFile
"/some_directory/openssl/servers/www.apollo.home.key.unencrypted"
SSLCACertificateFile
"/some_directory/openssl/private/CA-1.cert.pem"
SSLVerifyClient require
SSLVerifyDepth 3
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
More certificate problems
I am having problems signing the certificate I can successfully generate the RSA private key using the command openssl genrsa -des3 -out server.key 1024 I can a CSR file using openssl req -new -key server.key -out server.csr I can even generate the RSA frivate key for the CA openssl genrsa -des3 -out ca.key 1024 I have even created the self sign certificate using openssl req -new -x509 -days 365 -key ca.key -out ca.crt When I try and run the shell script sign.sh I get as far as Sign the certificate? [y/n] to which I answer 'y' The reply i get back from the script is 'failed to update database' 'TT_DB error number 2' 'unable to load certificate' '16129:error:0906D06C:PEM routines:PEM_read_bio: no start line:pem_lib.c:632 Expecting TRUSTED CERTIFICATE' I obviously find that the server.crt is empty. I would appreciate some help with this problem Thanks Richard Skeggs The sign.sh shell script I am using is shown below #!/bin/sh ## ## sign.sh -- Sign a SSL Certificate Request (CSR) ## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved. ## # argument line handling CSR=$1 if [ $# -ne 1 ]; then echo "Usage: sign.sign .csr"; exit 1 fi if [ ! -f $CSR ]; then echo "CSR not found: $CSR"; exit 1 fi case $CSR in *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;; * ) CERT="$CSR.crt" ;; esac # make sure environment exists if [ ! -d ca.db.certs ]; then mkdir ca.db.certs fi if [ ! -f ca.db.serial ]; then echo '01' >ca.db.serial fi if [ ! -f ca.db.index ]; then cp /dev/null ca.db.index fi # create an own SSLeay config cat >ca.config < $CERT:" openssl ca -config ca.config -out $CERT -infiles $CSR echo "CA verifying: $CERT <-> CA cert" openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT # cleanup after SSLeay rm -f ca.config rm -f ca.db.serial.old rm -f ca.db.index.old # die gracefully exit 0 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[Fwd: FW: Certificate Problems]
Thanks for the response, to explain abit more the error I see in the log file only get written when I start apache using apachactl startssl the message written to ssl_error_log is: [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? As for the the request I was making it was to simply get the home page of eghapp Using the url http://eghapp:8000 through my browser I get to view the home page of eghapp However https://eghapp:8000 I get the following log message from error_log: [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid method in request!L!! From access_log: 10.14.2.8 - - [16/Jun/2004:11:07:38 +0100] " L" 501 1007 Nothing gets written to the ssl message files. The browser returns Cannot find server or DNS Error Internet Explorer I am trying to install ssl on the eghapp server which is a RedHat9 linux box. An extract from the hosts file on eghapp is: 127.0.0.1 localhost loghost 10.14.1.150 eghapp An extract from the httpd.conf file is shown below Listen 8000 NameVirtualHost 10.14.1.150 ProxyPass /esav http://eghsnap1:8081/esav ProxyPassReverse /esav http://eghsnap1:8081/esav ProxyPass /ddrint http://eghsnap2:8081/ddrint ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint ProxyPass /vnc http://eghsnap1:80/vnc ProxyPassReverse /vnc http://eghsnap1:80/vnc ServerAdmin [EMAIL PROTECTED] DocumentRoot /var/www/html ServerName eghapp ErrorLog logs/error_log CustomLog logs/access_log common # SSLProtocol -all +SSLv2 SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP SSLCertificateFile /etc/httpd/server.csr SSLCertificateKeyFile /etc/httpd/server.key For your information I am running Apache 2.0.4.0 IE 6.0.2 Richard -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Boyle Owen Sent: 16 June 2004 10:20 To: [EMAIL PROTECTED] Subject: RE: Certificate Problems Plain text please... If you got an error in the ssl error-log then apache must be running. The invalid method error is exactly that - the HTTP method wasn't GET, POST etc... What request were you making when you got the error? Cross-check the access log for details... It looks like your certificate common name is localhost.localdomain and this doesn't match the ServerName argument which is what the warning is about. The DNS error means that he browser cannot resolve eghapp to an IP address while curl, apparently, can. No idea why - depends on OS, browser version, config etc. (eg, if the browser goes via a proxy, the proxy will not see a local /etc/hosts definition of eghapp). Tip: if you post back, cut'n'paste exact error messages - do not paraphrase as this loses important information. Also, give OS, apache 1.3 or 2 etc. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. -Original Message- From: Richard Skeggs [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 16. Juni 2004 11:07 To: '[EMAIL PROTECTED]' Subject: Certificate Problems I am trying to set up ssl on my server and I have been through what I believe are the correct settings. I can run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be
FW: Certificate Problems
Thanks for the response, to explain abit more the error I see in the log file only get written when I start apache using apachactl startssl the message written to ssl_error_log is: [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? As for the the request I was making it was to simply get the home page of eghapp Using the url http://eghapp:8000 through my browser I get to view the home page of eghapp However https://eghapp:8000 I get the following log message from error_log: [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid method in request!L!! From access_log: 10.14.2.8 - - [16/Jun/2004:11:07:38 +0100] " L" 501 1007 Nothing gets written to the ssl message files. The browser returns Cannot find server or DNS Error Internet Explorer I am trying to install ssl on the eghapp server which is a RedHat9 linux box. An extract from the hosts file on eghapp is: 127.0.0.1 localhost loghost 10.14.1.150 eghapp An extract from the httpd.conf file is shown below Listen 8000 NameVirtualHost 10.14.1.150 ProxyPass /esav http://eghsnap1:8081/esav ProxyPassReverse /esav http://eghsnap1:8081/esav ProxyPass /ddrint http://eghsnap2:8081/ddrint ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint ProxyPass /vnc http://eghsnap1:80/vnc ProxyPassReverse /vnc http://eghsnap1:80/vnc ServerAdmin [EMAIL PROTECTED] DocumentRoot /var/www/html ServerName eghapp ErrorLog logs/error_log CustomLog logs/access_log common # SSLProtocol -all +SSLv2 SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP SSLCertificateFile /etc/httpd/server.csr SSLCertificateKeyFile /etc/httpd/server.key For your information I am running Apache 2.0.4.0 IE 6.0.2 Richard -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Boyle Owen Sent: 16 June 2004 10:20 To: [EMAIL PROTECTED] Subject: RE: Certificate Problems Plain text please... If you got an error in the ssl error-log then apache must be running. The invalid method error is exactly that - the HTTP method wasn't GET, POST etc... What request were you making when you got the error? Cross-check the access log for details... It looks like your certificate common name is localhost.localdomain and this doesn't match the ServerName argument which is what the warning is about. The DNS error means that he browser cannot resolve eghapp to an IP address while curl, apparently, can. No idea why - depends on OS, browser version, config etc. (eg, if the browser goes via a proxy, the proxy will not see a local /etc/hosts definition of eghapp). Tip: if you post back, cut'n'paste exact error messages - do not paraphrase as this loses important information. Also, give OS, apache 1.3 or 2 etc. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. -Original Message- From: Richard Skeggs [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 16. Juni 2004 11:07 To: '[EMAIL PROTECTED]' Subject: Certificate Problems I am trying to set up ssl on my server and I have been through what I believe are the correct settings. I can run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be
RE: Certificate Problems
Plain text please... If you got an error in the ssl error-log then apache must be running. The invalid method error is exactly that - the HTTP method wasn't GET, POST etc... What request were you making when you got the error? Cross-check the access log for details... It looks like your certificate common name is localhost.localdomain and this doesn't match the ServerName argument which is what the warning is about. The DNS error means that he browser cannot resolve eghapp to an IP address while curl, apparently, can. No idea why - depends on OS, browser version, config etc. (eg, if the browser goes via a proxy, the proxy will not see a local /etc/hosts definition of eghapp). Tip: if you post back, cut'n'paste exact error messages - do not paraphrase as this loses important information. Also, give OS, apache 1.3 or 2 etc. Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. -Original Message- From: Richard Skeggs [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 16. Juni 2004 11:07 To: '[EMAIL PROTECTED]' Subject: Certificate Problems I am trying to set up ssl on my server and I have been through what I believe are the correct settings. I can run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be found. On checking the nothing gets written to any of the ssl log files. Does anyone know how I can resolve this? Thanks Richard Skeggs Software Engineer Mobius Management Systems Cavendish House 5 The Avenue Egham Surrey TW20 9AB Tel: +44 (0) 1784 484700 Mobile: + 44 (0) 7971 608315 email: [EMAIL PROTECTED] This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Certificate Problems
Title: Certificate Problems I am trying to set up ssl on my server and I have been through what I believe are the correct settings. I can run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be found. On checking the nothing gets written to any of the ssl log files. Does anyone know how I can resolve this? Thanks Richard Skeggs Software Engineer Mobius Management Systems Cavendish House 5 The Avenue Egham Surrey TW20 9AB Tel: +44 (0) 1784 484700 Mobile: + 44 (0) 7971 608315 email: [EMAIL PROTECTED]
Re: certificate problems
> Just installed our new Verisign cert on our apache box but are having two > problems with it: > > 1. The person who generated the key that was sent to verisign used the wrong > common name so the secure URL we use doesn't match the URL on the cert, > throwing up a warning screen...any way around this other than starting over > with a new cert? Unfortunately no, you will need to get a new one or move your secure pages to that domain. > 2. Whenever we start httpd we are promoted for a password for ssl to start, > which doesn't work for us as httpd restarts itself ever night. Our old cert > never did this, is this something new? The key is encrypted, so in case anyone broke into your server, the attacker would not be able to simply take your certificate and key and impersonate you. He would also need that passphrase. The way of doing this is to decrypt the key : # ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \ -out www.example.com.key.unsecure (more info at http://www.apacheworld.org/ty24/site.chapter17.html) mod_ssl also has a directive so you can have a script provide that phrase automatically. It is convenient, but not really any more secure, see the "How can I get rid of the pass-phrase dialog at Apache startup time?" entry at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html Cheers Daniel __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
certificate problems
I apologize in advacne if this is off-topic for this list. Just installed our new Verisign cert on our apache box but are having two problems with it: 1. The person who generated the key that was sent to verisign used the wrong common name so the secure URL we use doesn't match the URL on the cert, throwing up a warning screen...any way around this other than starting over with a new cert? 2. Whenever we start httpd we are promoted for a password for ssl to start, which doesn't work for us as httpd restarts itself ever night. Our old cert never did this, is this something new? Thanks for any help... Erik __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Client Certificate Problems
Running Linux 2.0.36 Apache 1.3.6 Openssl 0.9.3 Mod_ssl 2.3.0 My server is up and running and seems to work fine in secure mode without a clientcert. But every time I create and install a client cert. in netscape 4.06 I getrecieved bad data from server messagethe server log has the following.[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure From reading the openssl.cnf file it says that nsCertType can beleft alone except for object signing. If I am creating a self sign cert.to sign my server.crt. Should I change the openssl.cnf file to allowsigning ca.crt and then change it back before I create my server.crt And do I do the same thing while creating client cert's with CA.shAlso, if anyone has another idea I'd like to hear it.Chris Jensen[EMAIL PROTECTED]
