Client certificate

2001-07-25 Thread Juan Carlos Albores Aguilar



Hi again, looking in the modssl manual, chapter 6
FAQ, I found the way to create a server certificate and a CA, but I don't know
how to create a client certificate in case that my server asks for a certificate
in order to authenticate its clients. How can I create a client certificate?
Please help me, thanks.

Juan Carlos Albores Aguilar


Client Certificate

2002-04-06 Thread Danalien


Hi,

I have a question: what does "no client certificate CA names sent" mean?

When I do:
$ openssl s_client -connect myhost.com:443
(to test out my new apache + mod_ssl server)
you can find it in the output.

I did make a user certificate when I did my server certificate,
and I was wondering if it is possible to make apache ask for a cert,
and only if it matches my database the user may proceed.







//   with regards
//   ID ::  danalien  ::  <[EMAIL PROTECTED]>



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



client certificate!

2002-06-13 Thread Antoine de Lobel-Mahy

Hello everybody.

First, sorry for my English.

I have a web server with Apache, mod_ssl and OpenSSL.

I need to create a certificate for my user's company,
can I do it with this software?

Currently I know how to create
a server certificate, but what about the client?

thanks.

Antoine




Client certificate

2006-11-14 Thread Vishal . Sharma
Hi,

I am trying to implement client authentication based on client certificates.


I want to throw up an error message to the "user/browser" in case the client certificate is invalid.


What I got was a "The page cannot be displayed" error if an invalid (expired) client certificate is sent, and I see the following in the logs.

==

[Tue Nov 14 16:52:53 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)

[Tue Nov 14 16:52:57 2006] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

[Tue Nov 14 16:52:57 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed




Ideally, I would like to be able to find that the client certificate has expired using the "SSL_Client….." variables and be able to give the user some error message.

Is it possible?


Thanks,

Vishal
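The log lines in this post, and the similar OpenSSL errors quoted in the proxy, "Client Certificate Problems" and "verify client certificate" posts on this page, can be decoded mechanically: OpenSSL packs library, function and reason into the 8-hex-digit code, and mod_ssl's "Error (N)" is the X509 verify result. An added example, not from the list: a Python classifier for such error_log lines, run over sample lines constructed from those posts; the reason tables hold only codes named in these same lines plus a few standard TLS alert and X509 verify values.

```python
"""Decode mod_ssl client-certificate failures from Apache error_log lines.

Added example, not code from the mailing list.  The sample lines are
constructed from the log excerpts quoted in these posts.  The code layout is
OpenSSL's packed ERR format (8-bit library, 12-bit function, 12-bit reason;
reasons >= 1000 are TLS alerts received from the peer).  The reason names
are the strings OpenSSL prints in the same line, so the decoder can be
cross-checked against the log text itself.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ERR_LIB_SSL = 20             # 0x14, printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + TLS alert description

# SSL-library reason codes seen in this thread (names as OpenSSL prints them).
SSL_REASONS = {
    178: "no certificate returned",            # 0x0B2: cert required, client sent none
    199: "peer did not return a certificate",  # 0x0C7: same, seen on a proxied backend
}
# TLS alert descriptions (RFC 2246) that matter for client-certificate handshakes.
TLS_ALERTS = {40: "handshake failure", 42: "bad certificate", 44: "certificate revoked",
              45: "certificate expired", 46: "certificate unknown", 48: "unknown ca"}
# X509_V_ERR_* codes that mod_ssl prints as "Certificate Verification: Error (N)".
X509_VERIFY_ERRORS = {9: "certificate is not yet valid", 10: "certificate has expired",
                      18: "self signed certificate", 20: "unable to get local issuer certificate"}

OPENSSL_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
VERIFY_RE = re.compile(r"Certificate Verification: Error \((\d+)\): (.*)$")
RENEG_RE = re.compile(r"Re-negotiation handshake failed: Not accepted by client")

# Constructed sample: one line of each shape quoted in the posts on this page.
SAMPLE_LOG = """\
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 14 16:52:57 2006] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Sun Apr 21 10:56:32 2002] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
[Tue Nov 14 16:52:53 2006] [info] client stopped connection before rflush completed
"""


@dataclass
class OpenSSLError:
    lib: int
    func: int
    reason: int
    alert: Optional[int]  # TLS alert number when the peer aborted, else None

    def reason_name(self) -> str:
        if self.alert is not None:
            return "peer sent alert %d (%s)" % (self.alert, TLS_ALERTS.get(self.alert, "?"))
        if self.lib == ERR_LIB_SSL:
            return SSL_REASONS.get(self.reason, "ssl reason %d" % self.reason)
        return "lib %d reason %d" % (self.lib, self.reason)


def decode_openssl_error(code_hex: str) -> OpenSSLError:
    """Split an 8-hex-digit OpenSSL error code into its packed fields."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return OpenSSLError(lib=code >> 24, func=(code >> 12) & 0xFFF, reason=reason, alert=alert)


def classify_line(line: str) -> Optional[dict]:
    """Map one error_log line to a client-certificate failure class, or None."""
    m = VERIFY_RE.search(line)
    if m:  # a certificate arrived and failed X.509 verification on our side
        n = int(m.group(1))
        return {"kind": "client_cert_rejected", "x509_error": n,
                "detail": X509_VERIFY_ERRORS.get(n, m.group(2))}
    m = OPENSSL_RE.search(line)
    if m:
        err = decode_openssl_error(m.group(1))
        if err.alert is not None:  # the client aborted, e.g. it disliked our server cert
            return {"kind": "client_sent_alert", "alert": err.alert, "detail": err.reason_name()}
        if err.lib == ERR_LIB_SSL and err.reason in SSL_REASONS:  # nothing to verify at all
            return {"kind": "no_client_cert", "detail": err.reason_name()}
        return {"kind": "other_openssl", "detail": err.reason_name()}
    if RENEG_RE.search(line):  # browser gave up when asked to renegotiate with a cert
        return {"kind": "reneg_refused", "detail": "client dropped the renegotiation"}
    return None


def summarize(log_text: str) -> Counter:
    """Count failure classes over a log excerpt, skipping unrelated lines."""
    return Counter(c["kind"] for c in map(classify_line, log_text.splitlines()) if c)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify_line(line))
    print(summarize(SAMPLE_LOG))
```

The split matters operationally: a verify error means a certificate was presented and rejected, whereas "no certificate returned" and the alert classes mean the browser never offered one or walked away, which points at the client side or the CA list the server advertises rather than at the certificate itself.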









Expired Client Certificate

2000-09-18 Thread Wil Boucher

Is it possible to enable SSLVerifyClient to accept expired certificates?

I want to check that the user does in fact have access to a certificate, be
it expired or not, before giving them access to certain pages.

Whether I use 'optional' or 'required' the user is still denied access with
the server log saying that the certificate has expired...

Suggestions?




Re: Client certificate

2001-07-25 Thread Sylvain . Maret

Hello Juan,

An idea could be to build your own internal Certificate Authority. With that you will be able to deliver client or personal certificates to your people. After this you should configure the Apache server to trust the internal CA certificate (root CA or signer). That's it!

You can maybe have a look at some products like OpenCA or OSCAR. Another way is to buy a commercial CA like Keon from RSA, Baltimore or Entrust!


http://www.dstc.qut.edu.au/MSU/projects/pki/


Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA
Route de Pré-Marais 29
1233 Bernex / Geneva
Switzerland

Tel: +41 22 727 05 55
Fax: +41 22 727 05 50
Mail: [EMAIL PROTECTED]






"Juan Carlos Albores Aguilar" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
25.07.2001 23:26
Please respond to modssl-users

        
To: "modssl-users" <[EMAIL PROTECTED]>
Subject: Client certificate


Hi again, looking in the modssl manual, chapter 6 FAQ, I found the way to create a server certificate and a CA, but I don't know how to create a client certificate in case that my server asks for a certificate in order to authenticate its clients. How can I create a client certificate? Please help me, thanks.
 
Juan Carlos Albores Aguilar





Client Certificate questions

2002-02-20 Thread Ron Gage

Hi Folks:

I am having problems getting a self-signed identity (client) cert installed into
my browsers (Mozilla 0.9.8 and Netscape 4.78).

The cert is signed and tested to be valid, I just can't find the right method to
install it into my browser.  I even tried copying the ident.crt to ident.pem and
browsing it with the browsers.  This installed the cert as a server cert, not an
identity cert.

Can anyone provide any hints on how to install a client cert?  Thanks!


-- 
Ron Gage - Owner, Linux Network Services - Saginaw, Michigan - 989-274-8088
Your one-stop source for Reliable, Secure and Affordable Networking Solutions







Client Certificate DN

2002-02-20 Thread Laurie Young

Hi

I have an Apache set up with a directory configured so that only browsers with
a certificate signed by the correct CA can access it.

What I would like is to have the DN of the certificate set as an
environment variable.

Can anyone tell me how to do this?

Laurie

-- 
==
  Laurie Robert Young
[EMAIL PROTECTED]  |   [EMAIL PROTECTED]
www.wildfalcon.com |  www.doc.ic.ac.uk/~laurie
  ICQ UIN #20194782
==




Proxy client certificate

2002-04-20 Thread Anbuchezhian Chelliah

Hello All,

   ** I am sorry to send you this mail again. If
someone knows anything on this, please reply. Thanks a
lot in advance **.
 
  I am trying to make a proxy server(apache 1.3.22
compiled after enabling SSL_EXPERIMENTAL) authenticate
itself to a backend server(apache 1.3.19) which is in
the same machine (although in a real scenario the
backend server will run on a different machine).
 
   The proxy server listens at port  on a machine and
the backend server listens at 127.0.0.2:8443. All the
communications are SSL-enabled.
 browser ->---SSL + client auth--> Proxy server
--SSL-->backend server.
  The browser authenticates itself to the proxy server
whereas the proxy server does not authenticate itself to
the backend server.

 Now, the need is to make the proxy server also
authenticate itself to the backend server.
 The proxy server has the directive
"SSLProxyMachineCertficateFile" in its httpd.conf.
This directive is set to the proxy's
client certificate.
 Do I also need to set a value for
SSLProxyCACertficateFile?
 
The error I see in the browser is:
--
 The proxy server received an invalid response
from an upstream server.

The proxy server could not handle the request GET /.

Reason: SSL proxy connect failed (test:): peer
127.0.0.1:8443: key values mismatch
---

and the error that I see in the backend server is 
   -
[error] mod_ssl: SSL handshake failed (server
vvos3:8443, client 127.0.0.1) (OpenSSL library error
follows)
[Sun Apr 21 10:56:32 2002] [error] OpenSSL:
error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate [Hint: No CAs known to server for
verification?]
 
Can anyone please throw light on this ?

Thanks a lot in advance.

Thanks and Regards,
Anbu




client certificate disclosures

2002-05-09 Thread Ben Elliston

I have a client certificate that was issued to me by a CA that contains
potentially sensitive information such as my name, my position within my
organisation, my location, and so on.  This certificate has been imported
into my browser (Netscape).

What are the rules in the SSL protocol regarding the disclosure of client
certs to any HTTPS server I might connect to?  Since the certs are signed
and not encrypted, if SSL sends some or all of these certs to a foreign
HTTPS server, won't my X.509 credentials be disclosed to the foreign
server?

I am hoping I have a fundamental misunderstanding here ..

Thanks, Ben




Client Certificate Problems

1999-05-27 Thread Chris H. Jensen
Running Linux 2.0.36, Apache 1.3.6, OpenSSL 0.9.3, mod_ssl 2.3.0.

My server is up and running and seems to work fine in secure mode without a client cert. But every time I create and install a client cert. in Netscape 4.06 I get a "received bad data from server" message; the server log has the following.

[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)
[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

From reading the openssl.cnf file it says that nsCertType can be left alone except for object signing. If I am creating a self-signed cert. to sign my server.crt, should I change the openssl.cnf file to allow signing ca.crt and then change it back before I create my server.crt? And do I do the same thing while creating client certs with CA.sh?

Also, if anyone has another idea I'd like to hear it.

Chris Jensen
[EMAIL PROTECTED]


client certificate issues.

1999-09-30 Thread randyboy

Hi,

   I've been playing around with client certificates in Netscape and am 
puzzled by a couple of things.

   1) If a client certificate is verified against my CA cert, which is
public, what is to prevent someone from copying my CA cert and using the
copy to verify my client certificates?  I don't know why anyone would do
this.  They wouldn't be able to sign new client certs with the copy of my
CA cert; however, in some odd way someone could somehow find it useful to
temporarily hijack certificate verifications, no?

   2) Since I have SSLVerifyClient turned on, my browser (in this case
Netscape) brings up a window with a list of client certs to choose
from.  Is there any way to automate that process and perhaps map different
client certs to different sites?

   3) If I don't have SSLVerifyClient turned on but still use SSLRequire 
that checks against one of the SSL Client variables, what should happen?  I 
wasn't experimenting too carefully but it seemed like all the checks 
against SSL Client environment variables were ignored when the browser 
didn't provide a client certificate.

tia
r.
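Question 3 here, Laurie Young's DN question above and Vishal's wish earlier on this page to tell the user that their certificate expired all come down to which SSL_CLIENT_* variables mod_ssl exports and what they hold when no certificate, or a bad one, is presented. An added example, not from the list: a small Python WSGI handler that reads SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_V_END and answers with a plain message; it assumes SSLOptions +StdEnvVars on the Apache side and SSLVerifyClient optional_no_ca, so that a failed verification still reaches the handler with SSL_CLIENT_VERIFY set to FAILED:<reason>, and every environment in it is constructed.

```python
"""Turn mod_ssl's SSL_CLIENT_* variables into a readable decision.

Added example, not code from the mailing list.  Assumptions: Apache exports
the variables (SSLOptions +StdEnvVars) and runs SSLVerifyClient optional_no_ca,
under which a certificate that fails verification still reaches the handler
with SSL_CLIENT_VERIFY = "FAILED:<reason>".  The environments below are
constructed to imitate what mod_ssl exports in each case; the DNs are made up.
"""
from datetime import datetime, timezone

# mod_ssl prints validity times the way OpenSSL does: "Nov 14 16:52:57 2006 GMT",
# with a single-digit day padded to two characters ("Sep  7 ...").
V_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed environments (values shaped like mod_ssl's; DNs invented).
NO_CERT_ENV = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "NONE"}
EXPIRED_ENV = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
               "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=Alice Example",
               "SSL_CLIENT_V_START": "Nov 14 00:00:00 2005 GMT",
               "SSL_CLIENT_V_END": "Nov 14 00:00:00 2006 GMT",
               "SSL_CLIENT_M_SERIAL": "0C"}
VALID_ENV = {"HTTPS": "on", "SSL_CLIENT_VERIFY": "SUCCESS",
             "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=Bob Example",
             "SSL_CLIENT_V_START": "Jan  1 00:00:00 2020 GMT",
             "SSL_CLIENT_V_END": "Jan  1 00:00:00 2099 GMT",
             "SSL_CLIENT_M_SERIAL": "0D"}


def parse_validity(text: str) -> datetime:
    """Parse an SSL_CLIENT_V_START / SSL_CLIENT_V_END value into an aware UTC datetime."""
    normalized = " ".join(text.split())  # collapse OpenSSL's day padding
    return datetime.strptime(normalized, V_TIME_FORMAT).replace(tzinfo=timezone.utc)


def client_cert_status(environ, now=None):
    """Return (status, detail) using only what mod_ssl exported.

    status is one of "none", "expired", "failed", "ok".  With no certificate
    (or no SSLVerifyClient in effect for this URL) none of the SSL_CLIENT_*
    variables exist, which is also why SSLRequire tests on them simply fail.
    """
    now = now or datetime.now(timezone.utc)
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return "none", "no client certificate presented"
    dn = environ.get("SSL_CLIENT_S_DN", "<unknown subject>")
    v_end = environ.get("SSL_CLIENT_V_END")
    if v_end and parse_validity(v_end) < now:
        # Check expiry before the generic FAILED branch so the user gets the real cause.
        return "expired", "certificate %s expired on %s" % (dn, v_end)
    if verify.startswith("FAILED"):
        reason = verify.partition(":")[2] or "verification failed"
        return "failed", "certificate %s rejected: %s" % (dn, reason)
    if verify in ("SUCCESS", "GENEROUS"):
        return "ok", dn
    return "failed", "unexpected SSL_CLIENT_VERIFY value %r" % verify


def application(environ, start_response):
    """WSGI handler: a plain explanation instead of the browser's generic failure page."""
    status, detail = client_cert_status(environ)
    if status == "ok":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [("Authenticated as %s\n" % detail).encode()]
    start_response("403 Forbidden", [("Content-Type", "text/plain")])
    return [("Client certificate problem: %s\n" % detail).encode()]


if __name__ == "__main__":
    for env in (NO_CERT_ENV, EXPIRED_ENV, VALID_ENV):
        print(client_cert_status(env))
```

With plain SSLVerifyClient require the handshake itself fails on an expired certificate, so the handler is never reached and the browser shows only its generic error; optional_no_ca moves the decision into the application, which must then refuse anything other than "ok" itself.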



Client certificate-problem

1999-12-15 Thread P.K.B. Hari Gopal

Hi,
I have created a client certificate with my CA using openssl as
openssl ca -in client.csr
Then I converted it into DER encoded format and tried to import it into the
browser. But it is not listing the certificate in any category of
certificates. It is not even listed in the certificates list when I
tried to connect to the Apache SSL server with the client authentication option
enabled.
How do I solve this? Is this the correct procedure for creating client
certificates? I just uncommented the SSLVerifyClient require line in the
httpd.conf file.
In which section do I have to specify if I want different access
permissions for a particular directory or URL? (I am working on Windows NT 4.0).
Thanks and Regards,
Hari.




encrypted client certificate

2000-04-07 Thread Dominik Seitz

It seems that during the normal SSL handshake the client certificate
will be sent to the server unencrypted. 

My question: is there some way to make the browsers send the client
certificates encrypted? 

It seems that this happens if there is
already an SSL session in place not requiring a client certificate
and the browser enters a directory where authentication with a client
certificate is needed. During the renegotiation the client certificate
is sent over an already encrypted channel.

Is this the way to do it with apache+mod_ssl ?

thanks
-Dominik Seitz



verify client certificate

2002-09-19 Thread Gabriel López Millán

  Hi all.

   I have a problem with a certificate chain and a server certificate, I
need help.
   The certificate chain is formed by the Root CA Certificate and the
Subordinate CA Certificate shown below.
   The server certificate is the last certificate.
 I have configured Apache with mod_ssl and when I try to access
https://imladris.dif.um.es I get the following error:

Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g
configured -- resuming normal operations
[Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed (server
imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL library
error follows)
[Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
in certificate not server name or identical to CA!?]

   Obviously it's a mistake: the server certificate's subject is the same
as the server name (in the httpd.conf file)
   and it's not a CA.

   I think the problem is in the path validation, in the NameConstraints
extension (2.5.29.30), but I'm not sure.
   I don't know if OpenSSL supports this extension and if it's well
configured.

   Any idea?

   Thanks, Gabi.


** Root CA Certificate **

Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 1 (0x1)
   Signature Algorithm: md5WithRSAEncryption
   Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
   Validity
   Not Before: Sep 16 22:00:00 2002 GMT
   Not After : Sep 16 22:00:00 2004 GMT
   Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (1024 bit)
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Key Usage: critical
   Digital Signature, Certificate Sign, CRL Sign
   X509v3 Basic Constraints: critical
   CA:TRUE
   Netscape Cert Type:
   SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
   Signature Algorithm: md5WithRSAEncryption


*** Subordinate CA Certificate ***

Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 28 (0x1c)
   Signature Algorithm: md5WithRSAEncryption
   Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
   Validity
   Not Before: Sep 17 11:25:36 2002 GMT
   Not After : Sep 17 11:25:36 2003 GMT
   Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (512 bit)
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Key Usage: critical
   Certificate Sign, CRL Sign
   2.5.29.30: critical
   0...0...umu-euro6ix dd
   X509v3 Basic Constraints: critical
   CA:TRUE
   Netscape Cert Type:
   SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
   Signature Algorithm: md5WithRSAEncryption

*** Server Certificate (ServerName=imladris.dif.um.es) **

   Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number: 15 (0xf)
   Signature Algorithm: md5WithRSAEncryption
   Issuer: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
   Validity
   Not Before: Sep 17 15:55:07 2002 GMT
   Not After : Sep 17 15:55:07 2003 GMT
   Subject: C=ES, O=umu, OU=umu dd, CN=imladris.dif.um.es
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (512 bit)
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   Netscape Cert Type:
   SSL Server, S/MIME, Object Signing
   X509v3 B

client certificate problems

2005-01-11 Thread john mcnicholas

In short I'm working on duplicating a web site locally for testing and 
I am unable to get Client certificates to work here in my lab.  

The "main/public" site is using apache 1.3.33 on OS X and is properly 
configured for client certs, but I can't get this test configuration 
to work. I am using "Apache 2.0.52" so that could be a factor.  
(if necessary, I will try to reconfigure with 1.3.33)

The client browser is IE 6.x and what is odd is when I navigate to the
"main/public" site I am prompted to select a certificate, but when
I  navigate to the "test" site IE 6.x just times out.  For that reason
I am suspicious of the apache configuration but I can't be certain.

I tried with Firefox (1.0) and it also timed out. Firefox is
configured to "ask every time" for client cert. selection and,
like IE, I am not prompted.

(I'm also suspicious as to why I can't select the client certificate
from the IE dialog for the test site - only the certificate for the
public site is listed.)

The virtual host configuration is listed below ("ssl.conf" was
unchanged for 2.0.52) and the error in the ssl.log is also listed
below.  If anyone could offer any troubleshooting tips that would
be greatly appreciated.

Thanks for your time and assistance.

John

//-

Additional information:

Version: Apache/2.0.52
OS:  Mac OS X 10.3.7

//-

// here is the log of the error:

[info] Initial (No.1) HTTPS request received for child 5 (server 
www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will 
force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: 
complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept 
initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to 
read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read 
client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?


//-

// here is the virtual host info:


 DocumentRoot "/some_directory/ssl_site"
 ServerAdmin [EMAIL PROTECTED]
 ServerName www.apollo.home
 LogLevel warn
 # LogLevel debug

 SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

 #   Per-Server Logging:

 CustomLog  logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 ErrorLog   logs/apollo/443.error.log
 DirectoryIndex "index.html"
 
 #
 #  ssl stuff
 #
 SSLEngine On
 SSLProtocol all -SSLv3
 SSLCipherSuite "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

 #
 #
 LogLevel debug
 ErrorLog "logs/apollo/ssl.log"
 SSLOptions +StdEnvVars +ExportCertData

 #
 #
 # path to certificates and private key
 #
 SSLCertificateFile    "/some_directory/openssl/servers/www.apollo.home.cert.pem"
 SSLCertificateKeyFile "/some_directory/openssl/servers/www.apollo.home.key.unencrypted"

 SSLCACertificateFile  "/some_directory/openssl/private/CA-1.cert.pem"
 

 
 SSLVerifyClient require
 SSLVerifyDepth  3
 








Client Certificate size

2007-01-23 Thread Vishal . Sharma
Hi,
Is there an upper bound on the maximum client certificate size that
Apache/mod_ssl can handle?
I am using
SSL_VERSION_LIBRARY=OpenSSL/0.9.7b , Apache 1.3.27
Thanks,
Vishal






Requesting Client Certificate Serial

2000-08-10 Thread djelite



I am having a hard time getting mod_ssl to request
the client's certificate serial number. I believe I have it in right but it always
fails.

SSLVerifyClient  require
SSLVerifyDepth   5
SSLOptions       +FakeBasicAuth
SSLRequireSSL
SSLRequire       %{SSL_CLIENT_M_SERIAL} eq "   "
 
Any help would be greatly appreciated.
 
Michael M.
Datawan


Re: Expired Client Certificate

2000-09-18 Thread BAnderson

Give them an up-to-date certificate?





Re: Expired Client Certificate

2000-09-19 Thread Ralf S. Engelschall

On Mon, Sep 18, 2000, Wil Boucher wrote:

> Is it possible to enable SSLVerifyClient to accept expired certificates?
> 
> I want to check that the user does in fact have access to a certificate, be
> it expired or not, before giving them access to certain pages.
> 
> Whether I use 'optional' or 'required' the user is still denied access with
> the server log saying that the certificate has expired...

Try "optional_no_ca".
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Expired Client Certificate

2000-09-19 Thread Wil Boucher

Same Error, Certificate Verification Error (10): Certificate has Expired...


> On Mon, Sep 18, 2000, Wil Boucher wrote:
>
> > Is it possible to enable SSLVerifyClient to accept expired certificates?
> >
> > I want to check that the user does in fact have access to a certificate, be
> > it expired or not, before giving them access to certain pages.
> >
> > Whether I use 'optional' or 'required' the user is still denied access with
> > the server log saying that the certificate has expired...
>
> Try "optional_no_ca".





Client certificate request error

2001-06-19 Thread MidoriOkuno

Hi all,

I run an Apache-mod_ssl server on Solaris 2.6 (Apache 1.3.20,
mod_ssl 2.8.4-1.3.20, OpenSSL 0.9.6a).

I built the private CA and tried server certification and
it's OK.

Now I'm trying client certification.
I set the httpd.conf (SSLCACertificatePath, SSLCACertificateFile,
SSLVerifyClient 2).
I restarted the Apache SSL server and accessed the page. It required
the client certificate -- of course.

I tried to make the client certificate request. But I can't make it.
The command is "CA.sh -newreq" (or "openssl req -new -keyout
clientkey.pem -out clientcsr.pem").

The error message is as follows,
"Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Generating a 1024 bit RSA private key
2966:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
2966:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
Request (and private key) is in newreq.pem"

I understood that "OpenSSL 0.9.6a uses no default seeding
file at all."

So I decided to use the "openssl -rand" option for pointing to $RANDFILE.
But I don't have a default seeding file.
If I want to set $RANDFILE, how do I do it?
Or does anybody know another way?

If anyone knows about this, please advise me.

Regards,
[EMAIL PROTECTED]



Re: Client Certificate questions

2002-02-20 Thread CAM



Ron Gage wrote:

> Hi Folks:
> 
> I am having problems getting a self-signed identity (client) cert installed into
> my browsers (Mozilla 0.9.8 and Netscape 4.78).
> 
> The cert is signed and tested to be valid, I just can't find the right method to
> install it into my browser.  I even tried copying the ident.crt to ident.pem and
> browsing it with the browsers.  This installed the cert as a server cert, not an
> identity cert.
> 
> Can anyone provide any hints on how to install a client cert?  Thanks!


Ron,

Not certain about the versions here - I was using NS6.2 on windoze which I 
believe has the same codebase as Moz 0.9.6, no?

Anyway, in the Certificate Manager, we used the (perhaps slightly misnamed) 
Restore function to pick up a PKCS#12 file from the local filesystem. This was 
just the client certificate reworked into PKCS#12 format with openssl - the 
restore file dialog filters for .p12's...

HTH
colm




Re: Client Certificate questions

2002-02-20 Thread Göran Fröjdh

On 02-02-20 15.04, "Ron Gage" <[EMAIL PROTECTED]> wrote:

> Hi Folks:
> 
> I am having problems getting a self-signed identity (client) cert installed
> into
> my browsers (Mozilla 0.9.8 and Netscape 4.78).
> 
> The cert is signed and tested to be valid, I just can't find the right method
> to
> install it into my browser.  I even tried copying the ident.crt to ident.pem
> and
> browsing it with the browsers.  This installed the cert as a server cert, not
> an
> identity cert.
> 
> Can anyone provide any hints on how to install a client cert?  Thanks!

In Netscape and Mozilla, you can import a standard pkcs12 certificate (.pk12
extension), but it's a bit more tedious. It's done via Netscape Preferences >
Privacy & Security > Certificates. Click on "Manage Securities" and
"Restore". Enter your signed certificate, and it will install itself.
/goran





Re: Client Certificate questions

2002-02-20 Thread Ron Gage

Quoting Göran Fröjdh <[EMAIL PROTECTED]>:

> On 02-02-20 15.04, "Ron Gage" <[EMAIL PROTECTED]> wrote:
> 
> > Hi Folks:
> > 
> > I am having problems getting a self-signed identity (client) cert
> installed into my browsers (Mozilla 0.9.8 and Netscape 4.78).
> > 
> > The cert is signed and tested to be valid, I just can't find the right
> method to install it into my browser.  I even tried copying the ident.crt to
> ident.pem and browsing it with the browsers.  This installed the cert as a
server cert, not an identity cert.
> > 
> > Can anyone provide any hints on how to install a client cert?  Thanks!
> 
> In Netscape and Mozilla, you can import a standard pkcs12 certificate
> (.pk12 extension), but it's a bit more tedious. It's done via Netscape
> Preferences > Privacy & Security > Certificates. Click on "Manage
> Securities" and "Restore". Enter your signed certificate, and it will
> install itself.
> /goran
> 

Great.  I tried the following:

root@net:/home/ron# openssl x509 -in ident.crt -out ident.p12 -outform pkcs12

I tried to import this file into netscape and into mozilla.  No go - they both
complain that the cert is corrupted.  I guess this begs the question: how does
one go about creating the pkcs12 format certificate?

Thanks

-- 
Ron Gage - Owner, Linux Network Services - Saginaw, Michigan - 989-274-8088
Your one-stop source for Reliable, Secure and Affordable Networking Solutions






Re: Client Certificate questions

2002-02-20 Thread CAM


> Great.  I tried the following:
> 
> root@net:/home/ron# openssl x509 -in ident.crt -out ident.p12 -outform pkcs12
> 
> I tried to import this file into netscape and into mozilla.  No go - they both
> complain that the cert is corrupted.  I guess this begs the question: how does
> one go about creating the pkcs12 format certificate?


Try:

openssl pkcs12 -in client.crt -inkey client.key -certfile ca.crt -out client.p12 -export

The filenames should be self-explanatory - let me know if not.

HTH
colm




RE: Client Certificate questions

2002-02-20 Thread tom porter

> 
> > Hi Folks:
> > 
> > I am having problems getting a self-signed identity (client) cert
> > installed into my browsers (Mozilla 0.9.8 and Netscape 4.78).
> > 
> > The cert is signed and tested to be valid, I just can't find the
> > right method to install it into my browser.  I even tried copying the
> > ident.crt to ident.pem and browsing it with the browsers.  This
> > installed the cert as a server cert, not an identity cert.
> > 
> > Can anyone provide any hints on how to install a client cert?  
> > Thanks!
> 
> In Netscape and Mozilla, you can import a standard pkcs12 certificate 
> (.pk12 extension), but it's a bit more tedious. It's done via Netscape
> Preferences > Privacy & Security > Certificates. Click on "Manage 
> Securities" and "Restore". Enter your signed certificate, and it will 
> install itself. /goran

This doesn't work for me (FreeBSD 4.4 - mozilla). Mozilla dumps core.
Don't know why...

Great.  I tried the following:

root@net:/home/ron# openssl x509 -in ident.crt -out ident.p12 -outform pkcs12

I tried to import this file into netscape and into mozilla.  No go -
they both complain that the cert is corrupted.  I guess this begs the
question: how does one go about creating the pkcs12 format certificate?

openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out yourcert.p12
Enter Export Password:
Verifying password - Enter Export Password:




Re: Client Certificate questions

2002-02-20 Thread Ron Gage

Quoting CAM <[EMAIL PROTECTED]>:

> 
> > Great.  I tried the following:
> > 
> > root@net:/home/ron# openssl x509 -in ident.crt -out ident.p12 -outform
> pkcs12
> > 
> > I tried to import this file into netscape and into mozilla.  No go - they
> both
> > complain that the cert is corrupted.  I guess this begs the question: how
> does
> > one go about creating the pkcs12 format certificate?
> 
> 
> Try:
> 
> openssl pkcs12 -in client.crt -inkey client.key -certfile ca.crt -out
> client.p12 
> -export
>

It worked!  Thank you everyone for your assistance.

Time to write a HOWTO on this - sheeze!

 
> The filenames should be self-explanatory - let me know if not.
> 
> HTH
> colm
> 


-- 
Ron Gage - Owner, Linux Network Services - Saginaw, Michigan - 989-274-8088
Your one-stop source for Reliable, Secure and Affordable Networking Solutions






Passing proxy client certificate

2002-04-19 Thread Anbuchezhian Chelliah

Hello All,
  I am trying to make a proxy server (apache 1.3.22
compiled after enabling SSL_EXPERIMENTAL) authenticate
itself to a backend server (apache 1.3.19) which is on
the same machine (although in a real scenario the
backend server will run on a different machine).
 
   The proxy server listens at port  on a machine and
the backend server listens at 127.0.0.2:8443. All the
communications are SSL-enabled.
 browser ->---SSL + client auth--> Proxy server
--SSL-->backend server.
  The browser authenticates itself to the proxy server,
whereas the proxy server does not authenticate itself to
the backend server.
   
 Now, the need is to make the proxy server also
authenticate itself to the backend server.
 The proxy server has the directive
"SSLProxyMachineCertificateFile" in its httpd.conf.
This directive is set to the proxy's own
client certificate.
 Do I also need to set a value for
SSLProxyCACertificateFile?
 
The error I see in the browser is:
--
 The proxy server received an invalid response
from an upstream server.

The proxy server could not handle the request GET /.

Reason: SSL proxy connect failed (test:): peer
127.0.0.1:8443: key values mismatch
---


Can anyone please throw light on this ?

Thanks a lot in advance.

Thanks and Regards,
Anbu





RE: client certificate disclosures

2002-05-10 Thread Jeff

Ben - all client cert details are available to the servers that you
present your certificate to.
This is a dump of some of the standard details presented to the server
in your client cert:

Client Certificate
--
SSL_CLIENT_A_KEY        rsaEncryption
SSL_CLIENT_A_SIG        md5WithRSAEncryption
SSL_CLIENT_I_DN         /C=GB/L=London/O=XXX Limited/OU=Certificate Authority/CN=XXX Limited (Primary CA)[EMAIL PROTECTED]
SSL_CLIENT_I_DN_C       GB
SSL_CLIENT_I_DN_CN      XXX Limited (Primary CA)
SSL_CLIENT_I_DN_Email   [EMAIL PROTECTED]
SSL_CLIENT_I_DN_L       London
SSL_CLIENT_I_DN_O       XXX Limited
SSL_CLIENT_I_DN_OU      Certificate Authority
SSL_CLIENT_M_SERIAL     D5
SSL_CLIENT_M_VERSION    3
SSL_CLIENT_S_DN         /C=GB/ST=20011211 110118/O=XXX Limited London/OU=Director/CN=Jeff [EMAIL PROTECTED]
SSL_CLIENT_S_DN_C       GB
SSL_CLIENT_S_DN_CN      Jeff xxx
SSL_CLIENT_S_DN_Email   [EMAIL PROTECTED]
SSL_CLIENT_S_DN_O       XXX Limited London
SSL_CLIENT_S_DN_OU      Director
SSL_CLIENT_S_DN_ST      20011211 110118
SSL_CLIENT_V_END        Dec 11 11:02:06 2006 GMT
SSL_CLIENT_V_START      Dec 11 11:02:06 2001 GMT
SSL_CLIENT_VERIFY       SUCCESS

The CLIENT_I vars contain details of the certificate issuer.
The CLIENT_S vars contain details of the client.

Basically the entire contents of the certificate are available to any
server that you present this certificate to. 

In many browsers, you can control which certificate if any is presented
to the server, the details are not automatically presented, unless this
is how you configure your browser. In my experience with NS4.0-NS4.7x
and MS IE5.01-6.0, they do NOT automatically present a cert, unless you
change the default settings / internet options.

The certificate details are not passed un-encrypted over the internet -
they are passed to the server securely inside the SSL pipe, so details
are not disclosed to network sniffers. Of course the web-server can do
whatever it likes with the details, as it is one of the two trusted
parties in the conversation.

Regards
Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ben Elliston
Sent: 10 May 2002 04:31
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: client certificate disclosures


I have a client certificate that was issued to me by a CA that contains
potentially sensitive information such as my name, my position within my
organisation, my location, and so on.  This certificate has been imported
into my browser (Netscape).

What are the rules in the SSL protocol regarding the disclosure of client
certs to any HTTPS server I might connect to?  Since the certs are signed
and not encrypted, if SSL sends some or all of these certs to a foreign
HTTPS server, won't my X.509 credentials be disclosed to the foreign
server?

I am hoping I have a fundamental misunderstanding here ..

Thanks, Ben




Problem Client Certificate Verification

1999-01-05 Thread Christian Buysschaert

Hello there,

I've been running into problems using required client
certificate verification (SSLVerifyClient require)
on NT Server 4 using Apache 1.3.3 with mod_ssl 2.1.5
(and OpenSSL 0.9.1c). Netscape Communicator on NT 
Workstation 4 just crashes when browsing to the secure 
website with required client authentication (Netscape
has been set to 'Ask Every Time' for the certificate
it has to present). 

I've included my httpd.conf and mod_ssl logfile (loglevel
debug). It's a website running three virtual sites on a test
intranet 192.168.0.1 .2 and .3. The site configured for required
client auth is .2. Everything was freshly compiled with VC5 and MASM6.13.

Anybody who could help me out here?

Christian.

--
ir. Christian Buysschaert - Technical Manager 
GlobalSign nv-sa - http://www.globalsign.net
 httpd.conf
 ssl_engine.log


SSLProxy with Client Certificate

1999-06-23 Thread Anonymous

Hi Ralf

I'm testing some of your new features in mod_ssl. I'm currently testing the
unreleased patch for the SSLProxy. 

Am I right that client certificate handling is not yet finished?

It seems that the private keys are not yet read, which results in a SEGV deep in
OpenSSL at the point where the private key is needed.

I have some more questions which I will send each in a different mail for 
better handling.

best regards

Matthias

And once again: Thank you very very much for your excellent software, and
incredible productivity!

---
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312



Re: encrypted client certificate

2000-04-09 Thread rwidmer

Addressed to: [EMAIL PROTECTED]
  [EMAIL PROTECTED]

** Reply to note from Dominik Seitz <[EMAIL PROTECTED]> Tue, 4 Apr 2000 11:59:42 
+0200
>   
> It seems that during the normal SSL handshake the client certificate
> will be sent to the server unencrypted. 
>   
> My question: is there some way to make the browsers send the client
> certificates encrypted? 
>   
> It seems that this happens if there is already an SSL session in place
> not requiring a client certificate and the browser enters a directory
> where authentication with a client certificate is needed. During the
> renegotiation the client certificate is sent over an already encrypted
> channel.
>   


I believe that is the correct way for it to work.  The certificate is
the public key, the one you can give to anyone.  There is no reason to
keep it secret.  All it does is give someone the ability to communicate
with your server.  Your server has the final authority over who it will
talk to.

The data you must keep secret is the private key (the .key file).  With
that information someone can impersonate you.

As far as sending the certificate encrypted, it might be possible once a
secure channel has been set up, but there is no way you could start to
communicate with someone without giving them your certificate in the
clear before you start.  The certificate and the public key it contains
are required for the key negotiation that must happen before you close
the lock.

Rick Widmer
http://www.developersdesk.com




verify client certificate II

2002-09-19 Thread Gabriel López Millán

  Hi again.

   I have verified these certificates from the openssl command line:

   openssl verify -CAfile PKIv6_3.2_ca_sub2.p7c.pem imladris.dif.um.esCert.pem

   where:
   PKIv6_3.2_ca_sub2.p7c.pem is a PEM certificate chain with the "Root 
CA Certificate" and the "Subordinate CA Certificate"
   imladris.dif.um.esCert.pem is the server certificate

   and the result is

   imladris.dif.um.esCert.pem: OK

   It's verified!!!

   It seems to be a problem of the modssl module 2.8.3.

   Can anybody help me?

   Thanks, Gabi.

Gabriel López Millán wrote:

>
>Hi again.
>
>I have verified these certificates from the openssl command line:
>
>openssl verify -CAfile PKIv6_3.2_ca_sub2.p7c.pem imladris.dif.um.esCert.pem
>
>where:
>PKIv6_3.2_ca_sub2.p7c.pem is a PEM certificate chain with the 
> "Root CA Certificate" and the "Subordinate CA Certificate"
>imladris.dif.um.esCert.pem is the server certificate
>
>and the result is
>
>imladris.dif.um.esCert.pem: OK
>
>It's verified!!!
>
>It seems to be a problem of the modssl module 2.8.3.
>
>Can anybody help me?
>
>Thanks, Gabi.
>  
>
> Gabriel López Millán wrote:
>
>>  Hi all.
>>
>>   I have a problem with a certificate chain and a server certificate, 
>> I need help.
>>   The certificate chain is formed by the Root CA Certificate and the 
>> Subordinate CA Certificate shown below.
>>   The server certificate is the last certificate.
>> I have configured apache with modssl and when I try to access 
>> https://imladris.dif.um.es I get the following error:
>>
>> Apache/1.3.19 (Unix) ApacheJServ/1.1.2 mod_ssl/2.8.3 OpenSSL/0.9.6g 
>> configured -- resuming normal operations
>> [Thu Sep 19 10:13:14 2002] [error] mod_ssl: SSL handshake failed 
>> (server imladris.dif.um.es:443, client 2001:720:1710:f00::2) (OpenSSL 
>> library error follows)
>> [Thu Sep 19 10:13:14 2002] [error] OpenSSL: error:14094412:SSL 
>> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject 
>> CN in certificate not server name or identical to CA!?]
>>
>>   Obviously it's a mistake: the server certificate's subject is the same 
>> as the server name (in the httpd.conf file)
>>   and it's not a CA.
>>
>>   I think the problem is in the path validation, in the 
>> NameConstraints extension (2.5.29.30), but I'm not sure.
>>   I don't know if openssl supports this extension and if it's well 
>> configured.
>>
>>   Any idea?
>>
>>   Thanks, Gabi.
>>
>>
>> ** Root CA Certificate **
>>
>> Certificate:
>>   Data:
>>   Version: 3 (0x2)
>>   Serial Number: 1 (0x1)
>>   Signature Algorithm: md5WithRSAEncryption
>>   Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>>   Validity
>>   Not Before: Sep 16 22:00:00 2002 GMT
>>   Not After : Sep 16 22:00:00 2004 GMT
>>   Subject: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>>   Subject Public Key Info:
>>   Public Key Algorithm: rsaEncryption
>>   RSA Public Key: (1024 bit)
>>   Modulus (1024 bit):
>>   00:aa:e5:b5:5b:0a:f4:ef:79:2a:4d:8e:84:e1:ce:
>>   43:59:81:2d:b6:53:8c:97:77:4f:db:07:08:69:b0:
>>   68:ea:1d:cd:fe:c2:a4:a2:08:ec:ce:ed:b4:13:91:
>>   dc:da:bf:27:41:ef:f1:f3:3b:96:36:97:2f:9c:f3:
>>   48:21:b3:a0:34:0d:8a:e8:04:cf:d5:c2:06:dd:cf:
>>   5d:ea:7c:d5:9e:ab:92:65:7a:e1:32:ee:73:f4:4f:
>>   99:be:18:5c:a0:84:5c:b0:09:f0:8a:68:61:1a:94:
>>   ec:c5:95:9b:10:c4:0b:4b:e9:e0:2f:48:7b:2b:23:
>>   56:02:56:a7:2c:16:c4:2f:0d
>>   Exponent: 65537 (0x10001)
>>   X509v3 extensions:
>>   X509v3 Key Usage: critical
>>   Digital Signature, Certificate Sign, CRL Sign
>>   X509v3 Basic Constraints: critical
>>   CA:TRUE
>>   Netscape Cert Type:
>>   SSL Client, S/MIME, SSL CA, S/MIME CA, Object Signing CA
>>   Signature Algorithm: md5WithRSAEncryption
>>
>>
>> *** Subordinate CA Certificate ***
>>
>> Certificate:
>>   Data:
>>   Version: 3 (0x2)
>>   Serial Number: 28 (0x1c)
>>   Signature Algorithm: md5WithRSAEncryption
>>   Issuer: C=ES, O=umu, OU=umu, CN=PKIv6 3.2 ca root
>>   Validity
>>   Not Before: Sep 17 11:25:36 2002 GMT
>>   Not After : Sep 17 11:25:36 2003 GMT
>>   Subject: C=ES, O=umu, OU=umu dd, CN=PKIv6 3.2 ca sub2
>>   Subject Public Key Info:
>>   Public Key Algorithm: rsaEncryption
>>   RSA Public Key: (512 bit)
>>   Modulus (512 bit):
>>   00:b5:e5:36:3f:7a:29:a0:da:3a:67:60:4f:ed:52:
>>   81:09:26:21:4d:a7:14:77:54:56:be:87:1d:5a:62:
>>   26:89:aa:f4:00:19:e6:c5:d8:c0:68:71:0f:2b:b5:
>>   7b:54:25:7f:98:2e:75:e6:65:76:b4:9f:39:99:2e:
>>   56:19:b6:5e:27
>>   Exponent: 65537 (0x10001)
>>   X509v3 extensions:
>>

Client certificate expiry handling

2005-07-01 Thread Matt Stevenson
Hi,

I know this has been raised before but please read on.

Currently AFAIK client certificate expiry checking is
done by openssl and the connection is terminated
before apache comes into play, hence no error page can
be sent. This is a problem as IE doesn't tell the user
the client certificate is expired. Hence the user
experiences a horrible disconnect page (not nice for
issue tracking either as it's pretty generic).

Both Netscape and IIS can send back an error to the
browser under this condition. The company I work for
would also like apache to be able to do this. There is
a good possibility that the changes would be funded.

I'm looking for someone who has experience with
apache/mod_ssl/openssl to give an idea on the
feasibility and a time estimate to do the work.
Suggestions on who could do this are also welcome.

Regards
Matt





export client certificate CN?

2005-08-22 Thread August West
I am currently using mod_ssl to verify that client certs
are issued by trusted CAs (e.g. SSLVerifyClient
require), but then using username/password for
application identification/authorization, passing this
to Oracle via Tomcat using JAVA.  However, I'd like to
be able to use client certs for I/A by exporting the
CN (or perhaps serial number) when verifying.  I have
tried to add "SSLOptions +ExportCertData", but I am
not sure where this data is being exported to!  This
seemed like the appropriate SSL Option to be able to
parse the cert data, but please correct me if I am
wrong.  Does anyone have any implementation
suggestions for exporting the CN from client certs,
particularly for retrieving this information with
JAVA?
TIA!

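Putting Jeff's variable dump earlier on this page together with this question, as an added example (not mod_ssl's code and not from either thread): a CGI-side check in POSIX sh that derives an application identity from the exported SSL_CLIENT_* variables only when SSL_CLIENT_VERIFY is SUCCESS. The sample DN and serial are the values from Jeff's dump; the function names are this example's own, and the slash-separated DN format is ambiguous for values that themselves contain "/", which the parser does not handle.

```shell
#!/bin/sh
# Added example, not from the list or from mod_ssl: turn the SSL_CLIENT_*
# variables mod_ssl exports (SSLOptions +StdEnvVars; +ExportCertData adds the
# PEM certificate itself as SSL_CLIENT_CERT) into an application identity.
# Function names are this example's own.

# dn_field DN FIELD
#   Extract one attribute value from a mod_ssl-style DN such as
#   "/C=GB/O=XXX Limited/OU=Director/CN=Jeff xxx". Prints nothing if absent.
#   Values containing "/" cannot be parsed unambiguously in this format.
dn_field() {
    printf '%s\n' "$1" | sed -n "s#.*/$2=\([^/]*\).*#\1#p"
}

# client_identity VERIFY DN SERIAL
#   Prints "<CN>:<serial>" and returns 0 only when mod_ssl reported a
#   successful chain verification; otherwise prints nothing and returns 1.
#   The serial is included because two certificates from the same CA may
#   carry the same CN (re-issue, renewal), so CN alone is not an identity.
client_identity() {
    verify=$1; dn=$2; serial=$3
    # SSL_CLIENT_VERIFY is SUCCESS only if the chain checked out against the
    # configured SSLCACertificateFile/Path. Anything else (NONE, FAILED:...)
    # means the subject must not be trusted, even if a DN is present.
    [ "$verify" = "SUCCESS" ] || return 1
    cn=$(dn_field "$dn" CN)
    [ -n "$cn" ] && [ -n "$serial" ] || return 1
    printf '%s:%s\n' "$cn" "$serial"
}

# Stand-alone usage under CGI: mod_ssl has already placed the variables in
# the environment, so the script just passes them through.
if [ -n "$SSL_CLIENT_S_DN" ]; then
    client_identity "$SSL_CLIENT_VERIFY" "$SSL_CLIENT_S_DN" "$SSL_CLIENT_M_SERIAL" ||
        echo "client certificate not verified" >&2
fi
```

The same three variables are what a JServ/Tomcat servlet sees once they are passed through (as Robert's ApJServEnvVar line below does for SSL_CLIENT_CERT), so the check ports directly to Java.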


wrong/different Client Certificate Signature

2000-07-12 Thread Robert Lichtenegger

Hi everybody,

does anybody have an idea why the SSL_CLIENT_CERT data change during
calls/sessions?
I'm working with 2-way authentication and investigating the SSL_CLIENT_CERT
data.
If the same client (with the same cert) calls twice, I get different info
every time.

The following example servlet demonstrates this:
(the same happens using cgi scripts)

//
// getting different client certificates / demo
// with apache 1.3.12, mod_ssl 2.6.4, openssl 0.9.5a, jserv 1.1.2
//
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class getClientCert extends HttpServlet {
    private static ServletConfig cfg;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        cfg = config;
    }

    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException
    {
        HttpSession session = req.getSession(true);
        String cert;

        // get client certificate (PEM text exported by mod_ssl)
        try {
            // required Apache JServ configuration:
            // ApJServEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
            cert = req.getAttribute("org.apache.jserv.SSL_CLIENT_CERT").toString();
        } catch (Exception e) {
            // attribute missing: no SSL info, log it and give up
            cfg.getServletContext().log(e, "Don't get SSL_CLIENT_CERT");
            return;
        }

        /*
        ** Check if it's the first session
        */
        if (session.isNew()) {
            // save client cert for demo purposes
            session.putValue("cert", cert);
        } else {
            // compare cert with the certificate from the previous call
            if (cert.compareTo((String) session.getValue("cert")) != 0) {
                // got different client cert data
                cfg.getServletContext().log("ERROR: Certificates are not equal");
            } else {
                // OK
                cfg.getServletContext().log("OK: Certificates are equal");
            }
        }
    }
}


The output in the log file:

[12/07/2000 17:01:54:190 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:01:59:014 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:00:326 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:01:284 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:02:296 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:03:304 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:04:331 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:02:05:659 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:06:472 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:07:355 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:08:317 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:09:253 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:10:295 GMT+01:00] cd/OK: Certificates are equal
[12/07/2000 17:02:11:694 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:13:257 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:14:317 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:15:315 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:16:310 GMT+01:00] cd/ERROR: Certificates are not equal
[12/07/2000 17:02:17:302 GMT+01:00] cd/OK: Certificates are equal

I printed the certificates and checked them with openssl x509 -noout -text -in
...
They only differ in the signature! Why??
Every fifth call they match! Has that something to do with CAs?


Thanks for any help

Robert





Re: Requesting Client Certificate Serial

2000-08-10 Thread Mads Toftum

Try turning off that rule and then using Apache's printenv script
to see how SSL_CLIENT_M_SERIAL is seen by the server.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Creating client certificate on Win32

2001-01-11 Thread Divyen V. Parekh


Hi,
I am trying to set up a system where client needs to authenticate itself
to the Server. Server authentication is not required. Both client and
server are on Win NT. The client code is written using JDK 1.2.2 and
JSSE1.0.2.
The setup is as follows:
Apache : 1.3.6
mod_ssl : 2.3.11
openssl : 0.9.6
I am using document at following link to do the setup:
http://www.pseudonym.org/ssl/wwwj-index.html#ssl_inst
I have completed the following:
(1) Created a self-signed CA certificate using the command
$SSLDIR/bin/openssl req -new -x509 -keyout ${SSLDIR}/private/CAkey.pem \
  -out ${SSLDIR}/private/CAcert.pem -config /usr/local/ssl/openssl.cnf
The files generated are CAkey.pem and CAcert.pem.
(2) As server authentication is not required, I skipped to the step
to create client certificate.
(3) For creating a client certificate and getting it signed by the CA
certificate generated in (1) above, what are the options?
I tried to create the client certificate via Netscape, assuming I can
export it later to use it in my code. The link in the HTML form entry,
http://www.pseudonym.org/cgi-bin/ns_key.pl, failed, so we tried to
modify the perl script and run it on our Apache web server. The error
we got was
[error] [client someIPAddress] (2)No such file or directory: couldn't spawn child process: d:/apache/cgi-bin/nsexe.pl
Any help with the steps to create a client certificate certified by the
self-signed CA certificate I generated, so that I can use it with the
Java code using JSSE, will be appreciated. The shell scripts (e.g. cca.sh)
do not work on NT.
If I need to go through NS or IE and then export it, please give details
of the same.
regards,
- divyen



Client certificate not recognised...- reg...

2002-04-18 Thread kumarselva

Hi

I installed a client certificate but the server says the
client does not have a client certificate. I made it
mandatory (client cert. needed) in IIS. Both the
certificates were generated through a standalone CA in
Windows 2000 server. I even connected to the mod-ssl test
site, which says the client certificate field is empty.

How do I install the client certificate properly? How do I
check whether it is installed properly in IE?


- Selva






Re: Problem Client Certificate Verification

1999-01-29 Thread Larry Mulcahy

I'm having a similar problem.  Or maybe I just don't understand how this
is supposed to work.  I got a free trial demo certificate from Verisign.
I can click on the 'Security' button in Netscape and it shows it
installed.
Then with 

SSLVerifyClient require

in httpd.conf, I try to surf to the page and get a 'No User Certificate'
error:

"The site 'SITE.NAME.HERE' has requested client authentication, but
you do not have a Personal Certificate to authenticate yourself. The
site may
choose not to give you access without one."

This happens with:

(1) SGI Irix 6.5, Apache 1.3.3, mod_ssl 2.1.6-1.3.3, openssl 0.9.1c,
RSAref 2.0
(2) Red Hat 5.2 Linux 2.0.35, Red Hat Secure Web Server 2.0

The error from the Red Hat one looks like:

[Fri Jan 29 11:36:47 1999] [error] mod_ssl: SSL_accept failed
[Fri Jan 29 11:36:47 1999] [error] SSLeay: error:140890C4:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

I've poked around in the Netscape (Communicator 4.5) security and menu
areas 
but can't find anything to tell it to cough up this certificate.

Does this work for other people?

Christian Buysschaert wrote:

> I've been running into problems using required client
> certificate verification (SSLVerifyClient require)
> on NT Server 4 using Apache 1.3.3 with mod_ssl 2.1.5
> (and OpenSSL 0.9.1c). Netscape Communicator on NT
> Workstation 4 just crashes when browsing to the secure
> website with required client authentication (Netscape
> has been set to 'Ask Every Time' for the certificate
> he has to present).
> 
> I've included my httpd.conf and mod_ssl logfile (loglevel
> debug). It's a website running three virtual sites on a test
> intranet 192.168.0.1 .2 and .3. The site configured for required
> client auth is .2. Everything was freshly compiled with VC5 and MASM6.13.
> 
> Anybody who could help me out here?

-- 
   Larry Mulcahy[EMAIL PROTECTED]
   http://babylon5.spaceimaging.com/
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Problem Client Certificate Verification

1999-01-29 Thread Ralf S. Engelschall

On Fri, Jan 29, 1999, Larry Mulcahy wrote:

> I'm having a similar problem.  Or maybe I just don't understand how this
> is supposed to work.  I got a free trial demo certificate from Verisign.
> I can click on the 'Security' button in Netscape and it shows it
> installed.
> Then with 
> 
> SSLVerifyClient require
> 
> in httpd.conf, I try to surf to the page and get a 'No User Certificate'
> error:
> 
> "The site 'SITE.NAME.HERE' has requested client authentication, but
> you do not have a Personal Certificate to authenticate yourself. The
> site may
> choose not to give you access without one."
> 
>[...]
> [Fri Jan 29 11:36:47 1999] [error] mod_ssl: SSL_accept failed
> [Fri Jan 29 11:36:47 1999] [error] SSLeay: error:140890C4:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> 
> I've poked around in the Netscape (Communicator 4.5) security and menu areas
> but can't find anything to tell it to cough up this certificate.
> 
> Does this work for other people?

I think that's because NS 4.5 doesn't allow you to choose a certificate unless
mod_ssl sends the list of accepted CAs, and mod_ssl cannot send it unless you
configure the CA with SSLCACertificatePath or SSLCACertificateFile.  So, for
instance, put the VeriSign certificate which signed your _client_ cert into the
ssl.crt dir.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Problem Client Certificate Verification

1999-01-30 Thread Larry Mulcahy

"Ralf S. Engelschall" wrote:

> I think that's because NS 4.5 doesn't allow you to choose a certificate unless
> mod_ssl sends the list of accepted CAs, and mod_ssl cannot send it unless you
> configure the CA with SSLCACertificatePath or SSLCACertificateFile.  So, for
> instance, put the VeriSign certificate which signed your _client_ cert into the
> ssl.crt dir.

Hmm.  I had SSLCACertificatePath and SSLCACertificateFile pointing to a
CA certificate I made myself with openssl.  I changed these to point to the
mod_ssl ssl.crt directory and ssl_crt/ca-bundle.crt, respectively, and, as
you say, netscape was able to give my personal certificate to the mod_ssl
server.  OK, I've always wondered what that CA bundle business was for.

What I'd really like is to have the server recognize the well known CAs,
plus any I create myself.  Is there a way to add CA certificates to the
CA bundle?

-- 
   Larry Mulcahy[EMAIL PROTECTED]
   http://babylon5.spaceimaging.com/



Re: Problem Client Certificate Verification

1999-01-30 Thread Ralf S. Engelschall

On Fri, Jan 29, 1999, Larry Mulcahy wrote:

> "Ralf S. Engelschall" wrote:
> 
> > I think that's because NS 4.5 doesn't allow you to choose a certificate unless
> > mod_ssl sends the list of accepted CAs, and mod_ssl cannot send it unless you
> > configure the CA with SSLCACertificatePath or SSLCACertificateFile.  So, for
> > instance, put the VeriSign certificate which signed your _client_ cert into the
> > ssl.crt dir.
> 
> Hmm.  I had SSLCACertificatePath and SSLCACertificateFile pointing to a CA
> certificate I made myself with openssl.  I changed these to point to the
> mod_ssl ssl.crt directory and ssl_crt/ca-bundle.crt, respectively, and, as
> you say, netscape was able to give my personal certificate to the mod_ssl
> server.  OK, I've always wondered what that CA bundle business was for.

The CA bundle just contains a lot of well-known CA certs, nothing more.  But
you've spoken about a free VeriSign test client cert, so I guess the CA cert
VeriSign uses for those test client certs isn't in the bundle file.

> What I'd really like is to have the server recognize the well known CAs,
> plus any I create myself.  Is there a way to add CA certificates to the
> CA bundle?

You've to grab the CA certificate which was used by VeriSign to sign your test
client cert from VeriSign and place it under the ssl.crt/ dir (run "make" there
to update the links) or append it to the ca-bundle.crt file.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Client Certificate bits and mod_perl

1999-03-04 Thread Alfredo Raul Pena

Hi,
I'm working on a mod_perl AuthHandler to map between users' client
certificates and user ids on behalf of CGI programs written with basic
authentication in mind.
I managed to get something working thanks to Clayton Donley's
AuthLDAP module and FakeBasicAuthentication, but I need more info from the
certificate to do a good job, rather than just the subjectDN.
Does anybody know how to access that information from mod_perl? Or would the
only way be to write EAPI extensions to mod_perl?

Regards, Alfredo




Re: SSLProxy with Client Certificate

1999-06-23 Thread Anonymous

On Wed, Jun 23, 1999, Matthias Loepfe wrote:

> I'm testing some of your new features in mod_ssl. I'm currently testing the
> unreleased patch for the SSLProxy. 
> 
> Am I right that client certificate handling is not yet finished?

Hmmm... there might still be a bug, yes. Client certificate handling should
finally work, of course. At least the patch is _proposed_ to be complete.

The patch was originally derived from Stronghold 2.4 and contributed to the
project by C2Net. I've then ported it to the latest OpenSSL API, overhauled
it, cleaned it up and integrated it into one of my development trees. But I've
still not tested it myself in depth (that is, together with the lack of
documentation, the reason why it's still not released with 2.3). So either the
client cert handling was already broken in Stronghold ;), the stuff was
forgotten to be incorporated, or I've broken it when I overhauled it. So in order
to find the bug we've to look at the whole code again.
 
> It seems that the private keys are not yet read, which results in a SEGV deep in
> OpenSSL at the point where the private key is needed.
> 
> I have some more questions which I will send each in a different mail for 
> better handling.

Hmmm... the client handling should be done on-the-fly.  But perhaps the
loading is already broken. You can find it in functions
SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c.  The
on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
You can debug this by adding some ssl_log() calls to this function.
Perhaps no CA matches the client certs. 

I append you the latest state of the patch which should apply fine against
2.3.5. I've currently no real time available for this patch, so it would be
great when you can help me here a little bit more.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

Index: modules/proxy/mod_proxy.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/proxy/mod_proxy.c,v
retrieving revision 1.11
diff -u -r1.11 mod_proxy.c
--- modules/proxy/mod_proxy.c   1999/03/21 12:00:11 1.11
+++ modules/proxy/mod_proxy.c   1999/04/02 19:05:19
@@ -247,6 +247,10 @@
 static void proxy_init(server_rec *r, pool *p)
 {
 ap_proxy_garbage_init(r, p);
+#ifdef EAPI
+ap_hook_use("ap::mod_proxy::init", 
+AP_HOOK_SIG3(void,ptr,ptr), AP_HOOK_ALL, r, p);
+#endif
 }
 
 #ifdef EAPI
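Review bot: the new "ap::mod_proxy::init" hook hands a server_rec and a pool through AP_HOOK_SIG3(void,ptr,ptr), which carries no type information to the implementer, so add a comment at the call site stating that the two ptr arguments are (server_rec *, pool *), and note in the hook's documentation which module is expected to register it; without that, the parameter name `r` in proxy_init() invites the reader to assume a request_rec.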
Index: modules/proxy/proxy_http.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/proxy/proxy_http.c,v
retrieving revision 1.12
diff -u -r1.12 proxy_http.c
--- modules/proxy/proxy_http.c  1999/03/21 12:33:14 1.12
+++ modules/proxy/proxy_http.c  1999/04/02 19:05:51
@@ -188,6 +188,9 @@
 const char *urlptr = NULL;
 const char *datestr;
 struct tbl_do_args tdo;
+#ifdef EAPI
+char *peer;
+#endif
 
 void *sconf = r->server->module_config;
 proxy_server_conf *conf =
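Review bot: `char *peer;` is declared without an initializer, but it is only assigned in the later if/else branches and then handed to the new_connection hook; initialise it to NULL here so any path that reaches the hook without assigning it passes a defined value rather than stack garbage, and so a NULL check in the hook implementer actually means something.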
@@ -248,12 +251,18 @@
err = ap_proxy_host2addr(proxyhost, &server_hp);
if (err != NULL)
return DECLINED;/* try another */
+#ifdef EAPI
+   peer = ap_psprintf(p, "%s:%u", proxyhost, proxyport);  
+#endif
 }
 else {
server.sin_port = htons(destport);
err = ap_proxy_host2addr(desthost, &server_hp);
if (err != NULL)
return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
+#ifdef EAPI
+   peer =  ap_psprintf(p, "%s:%u", desthost, destport);  
+#endif
 }
 
 sock = ap_psocket(p, PF_INET, SOCK_STREAM, IPPROTO_TCP);
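Review bot: both `ap_psprintf(p, "%s:%u", ...)` calls format the port with `%u`, while the 1.3 proxy code around them keeps destport and proxyport as plain `int`; use `%d` so the conversion matches the argument type. The added lines also carry trailing whitespace and are indented differently from the `err = ...` lines directly above them.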
@@ -312,9 +321,9 @@
 {
 char *errmsg = NULL;
 ap_hook_use("ap::mod_proxy::http::handler::new_connection", 
-AP_HOOK_SIG3(ptr,ptr,ptr), 
+AP_HOOK_SIG4(ptr,ptr,ptr,ptr), 
 AP_HOOK_DECLINE(NULL),
-&errmsg, r, f);
+&errmsg, r, f, peer);
 if (errmsg != NULL)
 return ap_proxyerror(r, HTTP_BAD_GATEWAY, errmsg);
 }
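Review bot: switching the hook from AP_HOOK_SIG3(ptr,ptr,ptr) to AP_HOOK_SIG4(ptr,ptr,ptr,ptr) changes the calling convention of "ap::mod_proxy::http::handler::new_connection" for every module that registers it, so the mod_ssl callback that implements this hook must be updated in the same patch or the new `peer` argument goes unread; also add a comment saying that `peer` is the "host:port" string of the server the socket is actually opened to (the configured proxy when there is one), since that is what the hook implementer will key on.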
Index: modules/ssl/mod_ssl.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.55
diff -u -r1.55 mod_ssl.c
--- modules/ssl/mod_ssl.c   1999/05/06 09:56:35 1.55
+++ modules/ssl/mod_ssl.c   1999/05/15 10:39:20
@@ -151,6 +151,34 @@
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
 
+/* 
+ * Proxy configuration for remote SSL connections
+ */
+AP_SRV_CMD(ProxyProtocol, RAW_ARGS,
+   "SSL Proxy: enable or dis

Re: SSLProxy with Client Certificate

1999-06-24 Thread Anonymous

Ralf S. Engelschall wrote:
> 
> On Wed, Jun 23, 1999, Matthias Loepfe wrote:
> 
> > I'm testing some of your new features in mod_ssl. I'm currently testing the
> > unreleased patch for the SSLProxy.
> >
> > Am I right that client certificate handling is not yet finished?
> 
> Hmmm... there might be still a bug, yes. Client certificate handling should
> finally work, of course. At least the patch is _proposed_ to be complete.
> 
> The patch was originally derived from Stronghold 2.4 and contributed to the
> project by C2Net. I've then ported it to the latest OpenSSL API, overhauled
> it, cleaned it up and integrated it into one of my development trees. But I've
> still not tested it myself in depth (that is together with the lack of
> documentation the reason why it's still not released with 2.3). So either the
> client cert handling was already broken in Stronghold ;), the stuff was
> forgotten to be incorporated, or I've broken it when I overhauled it. So in order
> to find the bug we've to look at the whole code again.
> 
> > It seems that the private keys are not yet read, which results in a SEGV deep in
> > OpenSSL at the point where the private key is needed.
> >
> > I have some more questions which I will send each in a different mail for
> > better handling.
> 
> Hmmm... the client handling should be done on-the-fly.  But perhaps the
> loading is already broken. You can find it in functions
> SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c.  The
> on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
> You can debug this by adding some ssl_log() calls to this function.
> Perhaps no CA matches the client certs.

I already stepped through the code with the debugger before I sent the last
mail. To me it looks as if the whole code for the loading of the private keys
is missing. I think the name of the function which loads the certs,
'SSL_CA_load_certs_file()', is strange (probably legacy). The 'CA' means to me
it was written to load CA certs, for which we never have to load a private key.
The other thing is that if you load a file with multiple certs in it, how can
you easily assign and find the private keys? I expect for this usage that
each file MUST contain the cert and the private key and only that.

As the private keys are normally encrypted I think we should add these certs and
keys to the 'szPublicCertFile' and 'szPrivateKeyFile' arrays so that they get
handled by the 'ssl_pphrase_Handle' function.

What do you think?

> 
> I append you the latest state of the patch which should apply fine against
> 2.3.5. I've currently no real time available for this patch, so it would be
> great when you can help me here a little bit more.

Sure, I try to make it work.

> 
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 


---
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTECTED]   Voice: +41 1 272 6111   Fax: +41 1 272 6312



Re: SSLProxy with Client Certificate

1999-06-25 Thread Ralf S. Engelschall

On Thu, Jun 24, 1999, Matthias Loepfe wrote:

> [...]
> > Hmmm... the client handling should be done on-the-fly.  But perhaps the
> > loading is already broken. You can find it in functions
> > SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c.  The
> > on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
> > You can debug this by adding some ssl_log() calls to this function.
> > Perhaps no CA matches the client certs.
> 
> I already stepped through the code with the debugger before I sent the last
> mail. To me it looks as if the whole code for the loading of the private keys
> is missing. 
>
> I think the name of the function which loads the certs 
> 'SSL_CA_load_certs_file()' is strange (probably legacy). The 'CA' means for me
> it was written to load CA certs for which we never have to load a private key.
> The other thing is that if you load a file with multiple certs in it how can
> you easily assign and find the private keys. I expect for this usage that
> each file MUST contain the cert and the private key and only that.

Hmmm... SSL_CA_load_certs_file() calls PEM_X509_INFO_read_bio() and this is
aware of both X509 certs and private keys. One actually gets back a stack of
info structures which contain both certs and keys. So the code is correct, but
the function names are bogus, of course. But you're right. This silently
assumes first that the certs and keys are bundled together into the same file
and second that the keys are all unencrypted.

> As the private keys are normally encrypted I think we should add these certs and
> keys to the 'szPublicCertFile' and 'szPrivateKeyFile' arrays so that they get
> handled by the 'ssl_pphrase_Handle' function.
>
> What do you think?

Hmmm... yes, I think Stronghold's old assumptions are too unrealistic.  We
should allow these client keys to be encrypted. And you're right, for these
we've to pre-process the proxy stuff already at startup so they are handled by
the pass phrase dialog.

I think let us do the things step by step. First try to put certs and
unencrypted keys into their own files to let the proxy stuff work the first time.
Then we can add the support for encrypted keys by pre-processing the proxy
configuration at startup.

Thank you again for helping me out making this stuff work.  It's very
interesting stuff which should go into mod_ssl 2.4 in a usable fashion. Sorry
that I've no time to work on this currently. That's why I'm very happy that
you help out.

Greetings,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: SSLProxy with Client Certificate

1999-06-28 Thread Anonymous

Ralf S. Engelschall wrote:
> 
> On Thu, Jun 24, 1999, Matthias Loepfe wrote:
> 
> > [...]
> > > Hmmm... the client handling should be done on-the-fly.  But perhaps the
> > > loading is already broken. You can find it in functions
> > > SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c.  The
> > > on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
> > > You can debug this by adding some ssl_log() calls to this function.
> > > Perhaps no CA matches the client certs.
> >
> > I already stepped through the code with the debugger before I sent the last
> > mail. To me it looks as if the whole code for the loading of the private keys
> > is missing.
> >
> > I think the name of the function which loads the certs
> > 'SSL_CA_load_certs_file()' is strange (probably legacy). The 'CA' means for me
> > it was written to load CA certs for which we never have to load a private key.
> > The other thing is that if you load a file with multiple certs in it how can
> > you easily assign and find the private keys. I expect for this usage that
> > each file MUST contain the cert and the private key and only that.
> 
> Hmmm... SSL_CA_load_certs_file() calls PEM_X509_INFO_read_bio() and this is
> aware of both X509 certs and private keys. One actually gets back a stack of
> info structures which contain both certs and keys. So the code is correct, but
> the function names are bogus, of course. But you're right. This silently
> assumes that first the certs and keys are bundled together into the same file
> and second that the keys are all unencrypted.
> 
> > As the private keys are normally encrypted I think we should add these certs and
> > keys to the 'szPublicCertFile' and 'szPrivateKeyFile' arrays so that they get
> > handled by the 'ssl_pphrase_Handle' function.
> >
> > What do you think?
> 
> Hmmm... yes, I think Stronghold's old assumptions are too unrealistic.  We
> should allow these client keys to be encrypted. And you're right, for these
> we've to pre-process the proxy stuff already at startup so they are handled by
> the pass phrase dialog.
> 
> I think let us do the things step by step. First try to put certs and
> unencrypted keys into their own files to let the proxy stuff work the first time.

With these assumptions the proxy stuff seems to work properly!

> Then we can add the support for encrypted keys by pre-processing the proxy
> configuration at startup.

That's what I want to do now. I had a look at your code doing cert and key handling
and have the following suggestions and questions:

1. in the function 'ssl_ext_mp_init' the code for the loading of the certs must
   be changed in the following way:

   - the real loading must be done in the 'ssl_pphrase_Handle' function so that
     for each virtual host the original code will be called. Then for each
     encrypted key there must be something similar to the loop over
     sc->szPublicCertFile[i]. Then the X509_INFO stack must be converted to
     a stack of asn1 versions of the certs and keys.

   - the function 'ssl_ext_mp_init' must then (only in phase 2) convert the
     'asn1' stack back to a X509_INFO stack

2. Some time ago I started implementing a more performant version of an ssl
   reverse proxy. I thought of a new construct like

   
   ...
   

   With that the proxy configuration is no longer tied 1:1 to the virtual host.
   It is possible to make different configurations for different logical
   destinations. There could be more than one destination server for
   fault tolerance and load balancing. The 'ProxyPass' or rewrite rule would
   simply name the logical proxy instead of the DNS name which gets resolved
   for each request. e.g. 'ProxyPass' /dest1 https:///theContent1

   Unfortunately the support for such a new configuration is not very good,
   even though I had a working implementation (attached). What do you think,
   would it be worth merging this with your code?

   What we would get is a stack or something similar with proxy destination
   configurations attached to the module.

> 
> Thank you again for helping me out making this stuff work.  It's very
> interesting stuff which should go into mod_ssl 2.4 in a usable fashion. Sorry
> that I've not time to work on this currently. That's why I'm very happy that
> you help out.
> 
> Greetings,
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com

regards

Matthias

---
Matthias Loepfe, AdNovum Informatik AG, Roentgenstr. 22, CH-8005 Zurich
Email: [EMAIL PROTEC

Generating Client Certificate using openssl

2000-05-02 Thread Li, Qi (Qi)

$CA -config $CONFIG -spkac $req_file -out $result_file -days 360 -key $CAPSS
is the command from SSLeay.
What is the equivalent command for the above in openssl-0.9.4?

I am working on generating a client certificate using openssl with Netscape
Communicator 4.7.  Is this possible?

Thanks,




Client certificate mapping in OpenLDAP

2002-08-20 Thread mac leus

Hello all,

I would like to know if anyone has experience with client certificate
mapping in LDAP. I know that there is a module called mod_authz, but I don't know
if it is any good. 

Thanks,

Leus

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net




IE stops sending client certificate

2003-01-24 Thread cybersushi
Hi,

We've been having problems with apache/modssl and client certificates in IE (5.5sp2,
6, 6sp1, all versions of Windows).

When the client sets up a session for the first time he gets prompted for his client
cert and after entering the cert password he is able to access the secure site (like
he should). But after 15 mins or so he tries to access the page again and then he
cannot access the page. In our logs we see that we're not receiving the client cert.
Apparently the browser stops sending the client cert.

Does anyone know how to resolve this?

We've set ClientCacheTime and ServerCacheTime for the browser at 24hrs and
SSLClientTimeout/SSLServerTimeout also to 24hrs.




rewrite data form client certificate

2003-03-17 Thread mario eugster




Hi

I am trying to get the SSL_CLIENT_S_DN_CN from a client certificate to use it in a
RewriteRule. But I always get an empty query string. The config is as
following:

SSLOptions +StdEnvVars
RewriteEngine On
RewriteLog logs/rewrite.log
RewriteLogLevel 9
RewriteCond %{ENV:SSL_CLIENT_S_DN_CN} ^Simpson*
RewriteRule ^/$ /dir/index.html [L]

Can I get environment variables like SSL_CLIENT_XXX within the Rewrite Module? Or
are there any other possibilities to get access to them?

thanks for your help
mario


Re: export client certificate CN?

2005-08-22 Thread Andrew Musselman
I am trying to use mod_auth_ldap with apache2, and I am having trouble
figuring out how to generate a trusted Certificate Authority
certificate.  I tried using the Netscape certificate database file as
the apache docs suggest, but I'm still getting a complaint from LDAP
that "LDAP: ssl connections not supported".

Can I use openssl to make a DER_FILE or a BASE64_FILE?  Has anyone here
had experience getting this to work?

Thanks for your time.

Best,
Andrew

I am totally lost on this.  I appreciate any help 
>>> [EMAIL PROTECTED] 8/22/2005 9:17 AM >>>
I am currently using mod_ssl to verify client certs.
are issued by trusted CAs (e.g. SSLVerifyClient
require), but then using username/password for
application identification/authorization, passing this
to Oracle via Tomcat using JAVA.  However, I'd like to
be able to use client certs. for I/A by exporting the
CN (or perhaps serial number) when verifying.  I have
tried to add "SSLOptions +ExportCertData", but I am
not sure where this data is being exported to!  This
seemed like the appropriate SSL Option to be able to
parse the cert data, but please correct me if I am
wrong.  Does anyone have any implementation
suggestions exporting the CN from client certs,
particularly for retrieving this information with
JAVA?
TIA!


Andrew Musselman
[EMAIL PROTECTED]


RE: export client certificate CN?

2005-08-22 Thread Gaydosh, Adam
>I am trying to use mod_auth_ldap with apache2, and I am having 
>trouble figuring out how to generate a trusted Certificate 
>Authority certificate.  I tried using the Netscape certificate 
>database file as the apache docs suggest, but I'm still 
>getting a complaint from LDAP that "LDAP: ssl connections not 
>supported".

Not sure, but this sounds like you haven't enabled SSL, not that it can't
negotiate the session.

>Can I use openssl to make a DER_FILE or a BASE64_FILE?  Has 
>anyone here had experience getting this to work?

Here's how I've generated server cert requests (PKCS #10, which works
fine with Netscape):

openssl req -config openssl.cnf -new -out hostname.csr
openssl rsa -in privkey.pem -out hostname.key

Then you'll need to point apache to the right certs:

SSLCertificateFile /server.crt
SSLCertificateKeyFile /server.key
SSLCACertificateFile /CA.crt

If you want to generate the certs yourself rather than submit the CSRs
to a CA:

openssl x509 -in hostname.csr -out hostname.crt -req -signkey hostname.key -days 365


RE: export client certificate CN?

2005-08-23 Thread Hoda Nadeem
Add the following lines to your httpd configuration:

JkEnvVar SSL_CLIENT_S_DN none
JkEnvVar SSL_CLIENT_CERT none

This will make the client cert and distinguished name available through Apache
environment variables.

Then in Java (within a JSP/servlet):

String DN = (String) request.getAttribute("SSL_CLIENT_S_DN"); // can also get the whole cert: SSL_CLIENT_CERT

And parse out the common name.

Nadeem




From: [EMAIL PROTECTED] on behalf of August West
Sent: Mon 8/22/2005 12:17 PM
To: modssl-users@modssl.org
Subject: export client certificate CN?



I am currently using mod_ssl to verify client certs.
are issued by trusted CAs (e.g. SSLVerifyClient
require), but then using username/password for
application identification/authorization, passing this
to Oracle via Tomcat using JAVA.  However, I'd like to
be able to use client certs. for I/A by exporting the
CN (or perhaps serial number) when verifying.  I have
tried to add "SSLOptions +ExportCertData", but I am
not sure where this data is being exported to!  This
seemed like the appropriate SSL Option to be able to
parse the cert data, but please correct me if I am
wrong.  Does anyone have any implementation
suggestions exporting the CN from client certs,
particularly for retrieving this information with
JAVA?
TIA!

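The "parse out the common name" step above, and the CN-or-serial question it answers, worked through as an added example for this page (it is not code from mod_ssl, mod_jk or anyone on the list). It assumes the variables mod_ssl exports with +StdEnvVars (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL) reach the application; the request environment and the user directory below are constructed sample data. It goes a little beyond the post: the DN parser accepts both the slash-separated form shown in these messages and the RFC 2253 comma-separated form newer Apache releases emit by default, and the user lookup keys on issuer DN plus serial number rather than on the CN alone, since a CN is not guaranteed unique across certificates. Python is used here because the list's own posts mix mod_perl, Java and shell.

```python
"""Turn mod_ssl's SSL_* environment variables into an application identity.

Added example for this page; not code from mod_ssl, mod_jk or any poster.
It assumes the variables mod_ssl exports with +StdEnvVars arrive in the
request environment; the sample environment and user directory are
constructed data.
"""

# Constructed sample of a request environment after a successful client
# certificate handshake (slash-separated DN form, as in the posts above).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=Engineering/CN=Lisa Simpson",
    "SSL_CLIENT_I_DN": "/C=US/O=Example Corp/CN=Example Corp Client CA",
    "SSL_CLIENT_M_SERIAL": "0a1b",
}

# Constructed mapping (issuer DN, serial) -> application user id. Issuer plus
# serial identifies exactly one certificate; a CN can legitimately repeat.
USER_DIRECTORY = {
    ("/C=US/O=Example Corp/CN=Example Corp Client CA", "0A1B"): "lsimpson",
}


def parse_dn(dn):
    """Return the DN's (attribute, value) pairs in the order they appear.

    Accepts the slash-separated form "/C=US/O=Org/CN=Name" and the
    RFC 2253 form "CN=Name,O=Org,C=US"; in the latter a backslash escapes
    the following character, so "O=Acme\\, Inc." stays one value.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts, cur, i = [], [], 0
        while i < len(dn):
            ch = dn[i]
            if ch == "\\" and i + 1 < len(dn):
                cur.append(dn[i + 1])
                i += 2
                continue
            if ch == ",":
                parts.append("".join(cur))
                cur = []
            else:
                cur.append(ch)
            i += 1
        parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip(), value.strip()))
    return pairs


def common_name(dn):
    """Return the single CN in dn, or None if there is none or more than one."""
    cns = [value for attr, value in parse_dn(dn) if attr.upper() == "CN"]
    return cns[0] if len(cns) == 1 else None


def identify_user(env, directory=USER_DIRECTORY):
    """Return the application user for a verified client certificate, else None.

    SSL_CLIENT_VERIFY is checked first: with SSLVerifyClient optional_no_ca,
    mod_ssl accepts a certificate it could not chain to a trusted CA and still
    exports its DN (with SSL_CLIENT_VERIFY set to GENEROUS), so the DN alone
    must never be treated as proof of identity.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    key = (env.get("SSL_CLIENT_I_DN", ""),
           env.get("SSL_CLIENT_M_SERIAL", "").upper())
    return directory.get(key)


if __name__ == "__main__":
    print("CN:", common_name(SAMPLE_ENV["SSL_CLIENT_S_DN"]))
    print("user:", identify_user(SAMPLE_ENV))
```

The CN is kept for display and logging; the authorization decision rests on the (issuer, serial) pair and on SSL_CLIENT_VERIFY being SUCCESS, which is the same check mod_ssl's FakeBasicAuth makes implicitly when it only fakes a username for verified certificates.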

Mod_proxy and client certificate auth

2006-06-06 Thread Paul D. Robertson

Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client 
certificate on the proxy to connect to a backend IIS server that's set up 
to use any client certificate signed by my OpenSSL-based CA.  

If I use a browser with the same certificate bundled up as a PKCS12 
bundle, through the proxy, it all works, but what I really need is for 
Apache/mod_ssl to use a locally stored version of the cert/key to connect, 
then let the IIS server do its normal basic auth.  That's one single 
client cert/key for all externally connecting users (yes, I understand 
the ramification: it's not for user authentication), not a per-user proxy 
cert.

Here's what I have in my Apache ssl.conf file:

RequestHeader set Front-End-Https "On"
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key 
catenated to it.  I also have a hash link to the user.pem cert file.

Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to 
bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,

Paul
-
Paul D. Robertson  "My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact."

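Two file-format questions recur on this page: what a machine-certificate file such as the user.pem above has to contain (one certificate and one private key, and, as Ralf and Matthias note in the 1999 SSLProxy thread, the key unencrypted because nothing prompts for a pass phrase), and how to add a CA certificate to a ca-bundle.crt style file, as in Larry Mulcahy's thread. The following is an added example covering both checks; it is not code from mod_ssl or from any poster. Every PEM block it builds wraps arbitrary placeholder bytes rather than real keys or certificates, and the hash symlink the thread mentions still has to be created separately.

```python
"""Sanity-check PEM files the way mod_ssl consumes them.

Added example: not code from mod_ssl or from any poster on this list.
check_machine_cert() verifies that a file meant for
SSLProxyMachineCertificatePath holds exactly one certificate and one
private key and that the key is not pass-phrase protected.
merge_bundle() appends CA certificates to a ca-bundle.crt style file,
skipping any already present (compared by SHA-256 of the DER body).
Every PEM block built below wraps placeholder bytes; none is real.
"""
import base64
import hashlib
import re

# A PEM block: "-----BEGIN <label>-----", optional "Name: value" headers,
# a blank line, base64 body, "-----END <label>-----".
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Yield (label, headers, der, raw) for each PEM block in text.

    headers are lines such as "Proc-Type: 4,ENCRYPTED" that OpenSSL writes
    in front of the base64 body of a legacy encrypted key; raw is the
    block's original text so it can be copied verbatim.
    """
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        headers = [ln for ln in lines if ":" in ln]   # base64 never contains ':'
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        yield label, headers, base64.b64decode(b64), m.group(0)


def check_machine_cert(text):
    """Return a list of problems with a cert+key file; an empty list means OK."""
    certs = keys = 0
    encrypted = False
    for label, headers, _der, _raw in pem_blocks(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # PKCS#8 encrypted keys carry the label; legacy keys carry a header.
            if label.startswith("ENCRYPTED") or any(
                h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers
            ):
                encrypted = True
    problems = []
    if certs != 1:
        problems.append(f"expected 1 certificate, found {certs}")
    if keys != 1:
        problems.append(f"expected 1 private key, found {keys}")
    if encrypted:
        problems.append("private key is pass-phrase protected")
    return problems


def merge_bundle(bundle_text, extra_text):
    """Append the certificates in extra_text to bundle_text.

    Returns (new_bundle_text, number_added). Duplicates are detected by the
    SHA-256 of the DER body, so re-running the merge is idempotent, and
    private keys found in extra_text are never copied into the bundle.
    """
    seen = {hashlib.sha256(der).hexdigest()
            for label, _h, der, _r in pem_blocks(bundle_text)
            if label == "CERTIFICATE"}
    out, added = bundle_text, 0
    for label, _h, der, raw in pem_blocks(extra_text):
        if label != "CERTIFICATE":
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        if out and not out.endswith("\n"):
            out += "\n"
        out += raw + "\n"
        added += 1
    return out, added


def fake_pem(label, payload, headers=()):
    """Build a syntactically valid PEM block around placeholder bytes (test data only)."""
    body = base64.encodebytes(payload).decode()
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}-----END {label}-----\n"


# Constructed sample files (placeholders, not real cryptographic material).
CA_A = fake_pem("CERTIFICATE", b"placeholder CA A")
CA_B = fake_pem("CERTIFICATE", b"placeholder CA B")
PLAIN_KEY = fake_pem("RSA PRIVATE KEY", b"placeholder key")
ENC_KEY = fake_pem("RSA PRIVATE KEY", b"placeholder key",
                   headers=("Proc-Type: 4,ENCRYPTED",
                            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF"))
USER_PEM = fake_pem("CERTIFICATE", b"placeholder user cert") + PLAIN_KEY

if __name__ == "__main__":
    print("user.pem:", check_machine_cert(USER_PEM) or "ok")
    print("encrypted key:", check_machine_cert(CA_A + ENC_KEY))
    merged, n = merge_bundle(CA_A, CA_A + CA_B + PLAIN_KEY)
    print(f"added {n} cert(s); bundle now has "
          f"{sum(1 for b in pem_blocks(merged) if b[0] == 'CERTIFICATE')} certs")
```

For a real file, read it with open(path).read() and pass the text to check_machine_cert(); the merge is deliberately fingerprint-based rather than text-based so that a CA certificate re-exported with different line wrapping is still recognised as already present.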


Multiple Requests for Client Certificate

2008-11-18 Thread wolfram eifler

hi,

I'm in the setup of an ssl-enabled apache2 server with mod_ssl - works
fine so far *but* when a client-browser opens multiple simultaneous
connections for one page to the server the Client-Certificate gets
requested the same number of times from the user.

The corresponding Browser-Configuration for firefox for example is named
network.http.max-persistent-connections-per-server

I am looking for a way to avoid these multiple questions for a
client-cert but I have no influence on the Browser-Configurations.

Is there a way to avoid those multi-questions?

best regards

--
Kind regards

Wolfram Eifler
Development

Mail  [EMAIL PROTECTED]

e.siqia Informationstechnologien GmbH
Saarbrücker Str. 36
10405 Berlin
Tel. +49 30.284730-68
Fax  +49 30.284730-99
Support via Tel: +49 (9001) 374742 (*1
Support via Tel: +49 (9001) esiqia (*2

http://www.esiqia.com



redirect on failed client certificate authentication

2000-11-15 Thread Enrico Zaffaroni

Is there anyone who was able to enable redirection to another URL when 
client certificate authentication fails?

Thank you in advance.

Enrico Zaffaroni
[EMAIL PROTECTED]




Importing client certificate generated under Windows

2002-03-13 Thread Suzanne Razenberg

Hello,

I'm trying to get an SSL connection working using a client certificate. 
I'm running with apache/modssl on Solaris and trying to connect to a 
partner's IIS web server.  I have been sent a client certificate that 
was generated on the Windows server in a pfx format.  In essence, when a 
user would hit one of our pages, we make a call to a remote server with 
a client certificate on our web servers, the data from the remote call 
is parsed, and presented to the user hitting our pages.  However, I 
can't seem to get the IIS server to see the Solaris client certificate.  

I've tried setting different environment variables in my httpd.conf 
file, such as HTTPS_CERT_FILE, HTTPS_KEY_FILE , and SSL_CLIENT_CERT all 
pointing to the certificate they sent using an absolute path.  Whenever 
I access the file that is trying to make the remote call, I get the 
following message in the error logs   "Service description 
'https://services.theirserver.com/test.wsdl' can't be loaded: 403 Access 
Forbidden".  

I've also tried converting the file using openssl pkcs12 to a .pem, but 
still get the same error.  I've seen some messages in the archive about 
breaking out the certificate into two files, the certificate and the 
key.  Do I need to do this or am I just not loading the client 
certificate correctly?


Thanks in advance,
Suzanne








Re: Client certificate not recognised...- reg...

2002-04-18 Thread M.Hanizan

Try modifying the httpd.conf file.
Add a line of 
SSLVerifyClient require
On my machine the file is located at /usr/local/apache/conf/.
On your machine the file location depends on where you set the apache path.

Regard... :)
M.Hanizan   

On Thursday 18 April 2002 04:17 pm, you wrote:
> Hi
>
> I installed client certificate but the server says
> client does not have client certificate. I made
> mandatory (client cert. needed) in IIS. Both the
> certificates are generated through standalone CA in
> Windows 2000 server. I even connected mod-ssl test
> site which says client certificate field is empty.
>
> How to install properly the client certificate. How to
> check whether it is installed properly in IE.
>
>
> - Selva
>
>
>



Re: Client Certificate bits and mod_perl

1999-03-04 Thread Ralf S. Engelschall

On Thu, Mar 04, 1999, Alfredo Raul Pena wrote:

> I'm working on a mod_perl AuthHandler to map between users' client
> certificates and user ids on behalf of CGI programs written with basic
> authentication in mind.
> I managed to get something working thanks to Clayton Donley's
> AuthLDAP module and FakeBasicAuthentication, but I need more info from the
> certificate to do a good job, rather than just the subjectDN.
> Does anybody know how to access that information from mod_perl? Or would the
> only way be to write EAPI extensions to mod_perl?

Since mod_ssl 2.1 you can get _all_ ingredients of a certificate via
environment variables SSL_. What ingredients are you missing?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Client Certificate bits and mod_perl

1999-03-04 Thread Alfredo Raul Pena

"Ralf S. Engelschall" wrote:

> Since mod_ssl 2.1 you can get _all_ ingredients of a certificate via
> environment variables SSL_. What ingredients are you missing?

I think the problem is that I'm not using mod_perl for CGI scripts (where you
have the info via the environment) but from an AuthHandler... From there I
tried accessing subprocess_env without success, none of the SSL_
variables are there.

Thanks,
Alfredo




Re: Client Certificate bits and mod_perl

1999-03-05 Thread Alfredo Raul Pena

I'm sorry about the insistence, but what does anyone think about this?
Regards, Alfredo

Alfredo Raul Pena wrote:

> "Ralf S. Engelschall" wrote:
>
> > Since mod_ssl 2.1 you can get _all_ ingredients of a certificate via
> > environment variables SSL_. What ingredients are you missing?
>
> I think the problem is that I'm not using mod_perl for CGI scripts (where you
> have the info via the environment) but from an AuthHandler... From there I
> tried accessing subprocess_env without success, none of the SSL_
> variables are there.
>
> Thanks,
> Alfredo




Re: Client Certificate bits and mod_perl

1999-03-05 Thread Ralf S. Engelschall

On Fri, Mar 05, 1999, Alfredo Raul Pena wrote:

> I'm sorry about the insistence, but what does anyone think about this?
> Regards, Alfredo
> 
> > > Since mod_ssl 2.1 you can get _all_ ingredients of a certificate via
> > > environment variables SSL_. What ingredients are you missing?
> >
> > I think the problem is that I'm not using mod_perl for CGI scripts (where you
> > have the info via the environment) but from an AuthHandler... From there I
> > tried accessing subprocess_env without success, none of the SSL_
> > variables are there.

mod_ssl _does_ set the vars in the subprocess_env table, but it does it in the
Fixup handler which comes _after_ the auth handler. As a workaround you can
try to do your jobs inside another Fixup handler.  Hmmm.. I'm not sure whether
I should move the stuff in mod_ssl from Fixup to Auth.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Client Certificate bits and mod_perl

1999-03-06 Thread Alfredo Raul Pena

"Ralf S. Engelschall" wrote:

> > > I think the problem is that I'm not using mod_perl for CGI scripts (where you
> > > have the info via the environment) but from an AuthHandler... From there I
> > > tried accessing subprocess_env without success, none of the SSL_
> > > variables are there.
>
> mod_ssl _does_ set the vars in the subprocess_env table, but it does it in the
> Fixup handler which comes _after_ the auth handler. As a workaround you can
> try to do your jobs inside another Fixup handler.  Hmmm.. I'm not sure whether
> I should move the stuff in mod_ssl from Fixup to Auth.

Would doing the authentication and authorization there be the same (from a security
and operational point of view) as doing it in the "normal" place?
What about writing a perl module for EAPI? I think I could do it if there aren't any
very hard issues.

Regards, Alf






Re: Client Certificate bits and mod_perl

1999-03-06 Thread Ralf S. Engelschall

On Fri, Mar 05, 1999, Alfredo Raul Pena wrote:

> > > > I think the problem is that I'm not using mod_perl for CGI scripts (where you
> > > > have the info via the environment) but from an AuthHandler... From there I
> > > > tried accessing subprocess_env without success, none of the SSL_
> > > > variables are there.
> >
> > mod_ssl _does_ set the vars in the subprocess_env table, but it does it in the
> > Fixup handler which comes _after_ the auth handler. As a workaround you can
> > try to do your jobs inside another Fixup handler.  Hmmm.. I'm not sure whether
> > I should move the stuff in mod_ssl from Fixup to Auth.
> 
> Would doing the authentication and authorization there be the same (from a security
> and operational point of view) as doing it in the "normal" place?
> What about writing a perl module for EAPI? I think I could do it if there aren't any
> very hard issues.

Writing an EAPI interface for mod_perl would be cool. Actually with EAPI Doug
also could solve the nasty "PERL_SSI doesn't work under DSO" problem, because
with EAPI mod_include could use mod_perl even under the DSO situation.  For
getting the SSL_XXX variables from mod_perl all you have to do is write an XS
function which calls mod_ssl the same way mod_rewrite does it to resolve SSL
variables.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



HTTPS Client with Client Certificate Function

2002-07-11 Thread Jochen Vogel

Hi,

I am searching for a client with which I can fetch files, time-triggered, from an
Apache server restricted with password and client certificate authorization.

I created an Apache server with mod_ssl, created my own CA and created a
client certificate. If I try this certificate in IE it works. If I try the
certificate with curl, it can't set the public key file. curl will only
work if I cat the private key and the certificate into one file and use that.

- Can someone tell me another tool than curl, which may be commercial?

- Is it OK that curl needs the private key, and if so, why?

Thanks for the help,
Jochen



Log errors in client certificate auth

2002-09-29 Thread Glynn S. Condez

I found this error in my ssl_engine.log when I access an apache+modssl site
with client certificate authentication.
What does this error mean and how do I fix it?

Actually I don't have problems accessing it, but some of our users
encountered "page cannot be displayed".

snip--
[30/Sep/2002 11:36:56 20984] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[30/Sep/2002 11:36:56 20984] [error] Re-negotiation handshake failed: Not accepted by client!?
[30/Sep/2002 11:36:56 20984] [debug] OpenSSL: read 0/34821 bytes from BIO#08217818 [mem: 082C6BE8] (BIO dump follows)
+-+
+-+
[30/Sep/2002 11:36:56 20984] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[30/Sep/2002 11:36:56 20984] [error] SSL error on writing data (OpenSSL library error follows)
[30/Sep/2002 11:36:56 20984] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[30/Sep/2002 11:36:56 20984] [info]  Connection to child 5 closed with unclean shutdown (server mail.server.com:443, client 192.168.1.1)
-snip-

TIA
--- Glynn ---






Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
Hello,

I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and
possibly tomcat 4.1.27).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content.

However the 4th application doesn't work. One of the working applications
is PHP, another also working application is JSP based, so using Tomcat.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser (IE),
but the JAVA Plug-In just says "applet not found", and in the web-server
error file (put in INFO) I see the following errors.:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.136.126.30)


I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, but they do!

Now I was wondering if it could be an issue somewhere in between mod_ssl,
mod_jk and Tomcat??

In principle the connector between Apache and Tomcat works, otherwise the
JSP application would not work as well. That can be easily verified by
inserting a bug in this configuration and voila, the JSP app stops
working.

Any ideas?

   thanks in advance

Herbert

PS: if I switch on debug level, I get even more info, which does not help
me, but it first says something about client certificate A (success) and
then something about a certificate B? what is this about?

[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Confi

Re: Mod_proxy and client certificate auth

2006-06-07 Thread BJ Swope
From everything I've heard and read, mod-proxy will not proxy HTTPS on
the back like what you are asking.  You can have HTTPS on the
front end but not on the back.  It will have to be HTTP to the
back.

If you get this working I would LOVE to hear how you got it done

On 6/6/06, Paul D. Robertson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm trying to get mod_proxy to work as an SSL proxy using a client
> certificate on the proxy to connect to a backend IIS server that's set up
> to use any client certificate signed by my OpenSSL-based CA.
>
> If I use a browser with the same certificate bundled up as a PKCS12
> bundle, through the proxy, it all works, but what I really need is for
> Apache/mod_ssl to use a locally stored version of the cert/key to connect,
> then let the IIS server do its normal basic auth.  That's one single
> client cert/key for all externally connecting users (yes, I understand
> the ramification- it's not for user authentication,) not a per-user proxy
> cert.
>
> Here's what I have in my Apache ssl.conf file:
>
> RequestHeader set Front-End-Https "On"
> CacheDisable *
> SSLProxyEngine On
> ProxyPass /app https://iisserver/app
> ProxyPassReverse /app https://iisserver/app
> SSLProxyMachineCertificatePath conf/cert
> SSLEngine on
>
> conf/cert contains user.pem, a .pem cert file with an RSA private key
> catenated to it.  I also have a hash link to the user.pem cert file.
>
> Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
> bin/envvars.
>
> Can anyone tell me what I'm doing wrong?
>
> Thanks,
>
> Paul
> -
> Paul D. Robertson  "My statements in this message are personal opinions
> [EMAIL PROTECTED]   which may have no basis whatsoever in fact."

-- 
We are all slave to our own paradigm. -- Joshua Williams


Re: Mod_proxy and client certificate auth

2006-06-08 Thread Paul D. Robertson
On Wed, 7 Jun 2006, BJ Swope wrote:

> From everything I've heard and read, mod-proxy will not proxy HTTPS on the
> back like what you are asking.  You can have HTTPS on the front end but not
> on the back.  It will have to be HTTP to the back.
> 
> If you get this working I would LOVE to hear how you got it done
> 
> 

I'm getting end-to-end SSL, just the undesired (this time) effect of 
having the client cert passed all the way through the chain, which I'd 
expect folks to want as normal behavior.

Paul
-
Paul D. Robertson  "My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact."
http://fora.compuwar.net  Infosec discussion boards 



Re: Mod_proxy and client certificate auth

2006-06-08 Thread BJ Swope
Guess I've been hearing wrong for 3 years now ;)

Time to go digging...

On 6/8/06, Paul D. Robertson <[EMAIL PROTECTED]> wrote:
> On Wed, 7 Jun 2006, BJ Swope wrote:
>
> > From everything I've heard and read, mod-proxy will not proxy HTTPS on the
> > back like what you are asking.  You can have HTTPS on the front end but not
> > on the back.  It will have to be HTTP to the back.
> >
> > If you get this working I would LOVE to hear how you got it done
> >
>
> I'm getting end-to-end SSL, just the undesired (this time) effect of
> having the client cert passed all the way through the chain, which I'd
> expect folks to want as normal behavior.
>
> Paul
> -
> Paul D. Robertson  "My statements in this message are personal opinions
> [EMAIL PROTECTED]   which may have no basis whatsoever in fact."
> http://fora.compuwar.net  Infosec discussion boards

-- 
We are all slave to our own paradigm. -- Joshua Williams


Re: Mod_proxy and client certificate auth

2006-06-09 Thread Joe Orton
On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:
> I'm trying to get mod_proxy to work as an SSL proxy using a client 
> certificate on the proxy to connect to a backend IIS server that's set up 
> to use any client certificate signed by my OpenSSL-based CA.  
> 
> If I use a browser with the same certificate bundled up as a PKCS12 
> bundle, through the proxy, it all works, but what I really need is for 
> Apache/mod_ssl to use a locally stored version of the cert/key to connect, 
> then let the IIS server do its normal basic auth.  That's one single 
> client cert/key for all externally connecting users (yes, I understand 
> the ramification- it's not for user authentication,) not a per-user proxy 
> cert.

There's no way to do this with mod_ssl without modifying the source. 
With httpd 2.2.x (and also I believe mod_ssl-2.8-for-1.3) what you can 
do is to pass through the client's SSL certificate (in PEM format) as a 
request header to the backend, then extract that on the backend server 
and then verify that against a CA cert independently; see 
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header and the 
%{...}s stuff.  

That is the traditional approach used when passing through client certs 
to Tomcat etc, and doesn't require an SSL connection between proxy and 
backend.  Doing this with an IIS backend might be a challenge.

> Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to 
> bin/envvars.

That affects handling of rfc3820 "proxy certificates" (which you're not 
using unless you are doing some serious PKI voodoo ;).

joe


Client certificate does not work / renegotiate

2010-03-29 Thread Developer
Hello,
On a host where the client certificate is optional and in some directories
required. The server uses SNI, and this configuration worked fine before
SNI.

> 
> SSLVerifyClient optional
> 

> SSLVerifyClient require

...

I use an SNI client (Firefox) with a client certificate that works in the optional 
locations but does not in the cert-required location.


> [info] Initial (No.1) HTTPS request received for child 5 (server 
> www.1pc.es:443)
> [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client 
> verification type will force renegotiation, referer: http:
> [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: 
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full 
> renegotiation: complete handshake protocol, referer: http
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
> [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: 
> http://www.1pc.es/
> [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
> [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
> [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 
> [mem: 7f4325577083] (BIO dump follows)
> [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
> [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client 
> hello B
> [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted 
> by client!?, referer: http://www.1pc.es/


> openssl-1.0.0-0.13.beta4.fc12.x86_64
> httpd-2.2.14-1.fc12.x86_64
> mod_ssl-2.2.14-1.fc12.x86_64


Does anyone know where the problem is?
Why does it not work when required, but does the job when optional?


-- 
http://www.1pc.es/




Request for feature - Client certificate fingerprint variable

2000-10-21 Thread Ma'rt Laak

Hello modssl users,

  I have a web application (CGI script) that uses the SSL client 
certificate fingerprint to pass/reject users.
  Currently in modssl I have many SSL_CLIENT_S_X variables, but no 
way to find out the certificate fingerprint (the one I see with the 
openssl x509 -fingerprint command).
  
  I had a personal patch for Apache-SSL some years ago to insert this 
environment variable, but now I'd like to move this application to 
modssl and would like to have this 32-byte fingerprint in modssl too 
somehow.
  Do I have to patch modssl too, or maybe it is reasonable to insert 
this useful variable into STDEnvVars for all of us? This is actually a 
simple task and probably too easy a code fragment to contribute to you, 
Ralf?

Regards,
Märt.



Re: redirect on failed client certificate authentication

2000-11-16 Thread Enrico Zaffaroni

I found by myself an answer to the question. The solution is reported at

http://www.ust.hk/itsc/webguide/technical/access/sslauth.html
along with other interesting configuration examples.
Hope this can be useful

Bye

Enrico Zaffaroni wrote:

> Is there anyone who was able to enable redirection to another URL when 
> client certificate authentication fails?
> 
> Thank you in advance.
> 
> Enrico Zaffaroni
> [EMAIL PROTECTED]
> 





newbie question about client certificate authentication errors

2001-03-09 Thread william f guyton jr

ok, running mod_ssl 2.8.1 and apache 1.3.19, made my own CA for the 
server and can connect via 443 with no problems.

wanting to do plain certificate authentication via a client certificate, 
so I did:

openssl pkcs12 -export -in /usr/local/apache/conf/ssl.crt/ca.crt -inkey 
/usr/local/apache/conf/ssl.key/ca.key -out file.p12 -name "my certificate"

and loaded this "client certificate" in the client browser..having 
changed the httpd.conf to require SSLVerifyClient with a depth of 1 and 
the SSLCertificateFile set to conf/ssl.crt/ca.crt.

and I get this in the logs/ssl_engine_log file:

[08/Mar/2001 12:43:57 02392] [error] SSL handshake failed (server 
xxx.xxx.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[08/Mar/2001 12:43:57 02392] [error] OpenSSL: error:140890C7:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate 
[Hint: No CAs known to server for verification?]

any ideas/advice as to which rabbit hole I should follow?

-- 
william f guyton jr
senior network engineer
INFORMS
334.277.0372




client certificate requested for EVERY html page

2002-05-13 Thread buka

Hi, I've set up an Apache/mod_ssl web server, created a CA, installed
the server certificate, etc, etc.

Then I went through the CLIENT CERTIFICATE process.
Everything worked fine (Client Request -> CA signs the cert
  -> Browser LOADS the cert)


THE PROBLEM IS that the SERVER REQUESTS THE CERTIFICATE EVERY TIME I
  LOAD A NEW HTML PAGE. This means that the browser - NETSCAPE 6.2.1 - 
  continuously displays the CLIENT CERTIFICATE REQUEST window!

This is the httpd config:
-
  SSLVerifyClient none
  SSLCACertificateFile /...correct_path_here.../cacert.pem
  
SSLVerifyClient require
SSLVerifyDepth  1
  

and I have 3 HTML pages in the /work dir, each containing 
a LINK to the others (to test the system)

AM I MISSING SOMETHING REALLY ...obvious...?

TIA
luca.










Re: Certificate verification problem (required client certificate)

2003-08-14 Thread Kiyoshi Watanabe

Hello,

I have seen similar questions posted on the openssl mailing list
before, but I have not seen much discussion. One thing that you may
want to try is to upgrade the version of openssl itself, but I have
no clue whether that applies to your problem.

Why don't you post this question on the openssl mailing list, hoping
that somebody has solved the question since then?

-Kiyoshi
Kiyoshi Watanabe





> Hello,
> 
> I posted this question already some days ago, but did not yet receive any
> hint. Does really no-one have any idea what could be the problem?
> 
> ---
> 
> I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
> 0.9.6i  (and possibly a factor also tomcat 4.1.27 server, client IE6 with
> Java 1.4 plugin from Sun).
> 
> The web-server should run all applications only over SSL and with client
> certificate verification enabled.
> 
> So I set up all the necessary configuration, including server and client
> certificates (our company has its own internal CA), and moved three
> different applications from the non-SSL to the SSL virtual-host.
> Everything works fine, the applications can access the "environment
> variables", where the user-ID coming from the certificate is stored, in
> order to authenticate the users and provide user-specific content. One of
> the working applications is PHP based, another one is JSP based, so via
> Tomcat. (only explaining this so that it is clear the whole server
> combination including the SSL setup seems to be right in principle).
> 
> However the 4th application doesn't work.
> 
> The fourth application is not JSP, but a Servlet/Applet combination.
> 
> What happens when accessing the page is that the "index.html" downloads to
> the client, but then the applet should be retrieved by the browser
> (IE/Java plug-in), but the JAVA Plug-In just says "applet not found", and
> in the web-server error file (put in INFO) I see the following:
> 
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
> [Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
> [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
> [Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
> [Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
> [Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
> 
> 
> I know, normally this "peer did not return a certificate" indicates that
> either my browser does not have a certificate (which it has) or that the
> certificate can not be verified by the server due to a missing CA
> certificate (which it has). If one of these or both problems were there,
> the other three applications would not work as well, right? But they do!
> 
> Any ideas?
> 
> If I switch on debug level, I get even more info (which does not tell me a
> lot more). First there is a verification/handshake on client certificate A
> (successful) and then there is something about a certificate B? what
> is this about? What is certificate A and B?
> 
>Thanks in advance
> 
> Herbert
> 
> Debugging info:
> 
> [Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
> [Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
> [Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
> [Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
> [Tue Aug 05 19:14:48 2003] [debug]

RE: Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
Hello,

I posted this question already some days ago, but did not yet receive any
hint. Does really no-one have any idea what could be the problem?

---

I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
0.9.6i  (and possibly a factor also tomcat 4.1.27 server, client IE6 with
Java 1.4 plugin from Sun).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content. One of
the working applications is PHP based, another one is JSP based, so via
Tomcat. (only explaining this so that it is clear the whole server
combination including the SSL setup seems to be right in principle).

However the 4th application doesn't work.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser
(IE/Java plug-in), but the JAVA Plug-In just says "applet not found", and
in the web-server error file (put in INFO) I see the following:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)


I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, right? But they do!

Any ideas?

If I switch on debug level, I get even more info (which does not tell me a
lot more). First there is a verification/handshake on client certificate A
(successful) and then there is something about a certificate B? what
is this about? What is certificate A and B?

   Thanks in advance

Herbert

Debugging info:

[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog
filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted
RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring
client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA
certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY
Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring
permitted SSL ciphers
[!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA
server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA
server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA
private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (pr
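The "peer did not return a certificate" failure and the three verification modes behind it, as an added Go example that is not from this thread or from mod_ssl; the CA, server and client names (Test CA, alice, mallory, Unknown CA) and the loopback listener are constructed fixtures. It builds a throwaway PKI in memory, then runs TLS 1.2 handshakes with the server in the Go equivalents of SSLVerifyClient none, optional and require, and reports the server side of each handshake, which is what the mod_ssl error log records.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity issues a certificate for cn and returns it with its key; a nil parent
// makes a self-signed CA. Validity starts two hours ago, so validFor < 2h gives an
// already-expired certificate. Fixture generation cannot fail on valid input, so it panics.
func newIdentity(cn string, parent *tls.Certificate, validFor time.Duration) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Now().Add(-2 * time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a fixture
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             start,
		NotAfter:              start.Add(validFor),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // SAN the loopback server needs
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// tryHandshake runs one TLS 1.2 handshake over loopback with the server in the given
// client-auth mode and returns the client CN the server verified ("" when no certificate
// was presented) or the server-side handshake error, i.e. what mod_ssl would log.
func tryHandshake(ca, server *tls.Certificate, mode tls.ClientAuthType, client ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   mode, // NoClientCert ~ SSLVerifyClient none, VerifyClientCertIfGiven ~ optional, RequestClientCert ~ optional_no_ca, RequireAndVerifyClientCert ~ require
		ClientCAs:    pool, // ~ SSLCACertificateFile: issuers the server accepts and advertises in its CertificateRequest
		MaxVersion:   tls.VersionTLS12, // lockstep handshake: the server's verdict is in before the client's Dial returns
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	verdict := make(chan error, 1)
	go func() { // server side
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			tc := tls.Server(conn, srv)
			if err = tc.Handshake(); err == nil {
				if chains := tc.ConnectionState().VerifiedChains; len(chains) > 0 {
					cn = chains[0][0].Subject.CommonName // what SSL_CLIENT_S_DN_CN would carry
				}
			}
		}
		verdict <- err
	}()
	cli := &tls.Config{RootCAs: pool, Certificates: client} // no client arg: a browser without a certificate
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		conn.Close() // a client-side failure is only the server's alert echoed back
	}
	err = <-verdict
	return cn, err
}

func main() {
	ca := newIdentity("Test CA", nil, 24*time.Hour)
	server := newIdentity("localhost", ca, 24*time.Hour)
	unknownCA := newIdentity("Unknown CA", nil, 24*time.Hour)
	for _, c := range [][]tls.Certificate{nil, // no certificate installed
		{*newIdentity("alice", ca, 24*time.Hour)},       // valid
		{*newIdentity("alice", ca, time.Hour)},          // expired one hour ago
		{*newIdentity("mallory", unknownCA, 24*time.Hour)}} { // issuer not in ClientCAs
		cn, err := tryHandshake(ca, server, tls.RequireAndVerifyClientCert, c...)
		fmt.Printf("cn=%q err=%v\n", cn, err)
	}
}
```

Two of the outcomes matter for reading the log above. The server advertises the issuers in ClientCAs (SSLCACertificateFile) inside its CertificateRequest; a client that holds no certificate chained to one of those issuers, Go's client here and a browser's certificate chooser alike, answers with an empty Certificate message, so the server reports that the peer returned no certificate rather than a chain error, which is why the mod_ssl hint asks whether any CA is known to the server. An expired certificate, by contrast, is sent and then fails the server's own check, so it shows up as a verification error, not as "no certificate".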

Re: Client certificate do not work / renegociate

2010-03-30 Thread Mario Brandt
Hi,
That is not a bug, it is a feature! With TLS renegotiation a theoretical
man-in-the-middle attack is possible. To prevent that, the developers
decided to deactivate TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation


From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org
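The configuration behind this thread, as an added example that is not from Mario's message or from the mod_ssl documentation; the host name, paths and ports are placeholders. The two fragments are alternatives for the same site, not one config. The first is the pattern that needs a second handshake: the vhost says none, a Location inside it says require, and mod_ssl can only satisfy that by renegotiating after it has read the request URI; the changelog quoted above says that path is only needed for clients without the new secure renegotiation, and that SSLInsecureRenegotiation reopens the prefix-injection vulnerability on the server for everyone. The second fragment removes the need for renegotiation altogether by giving the certificate-protected content its own vhost on a second port, so the CertificateRequest is part of the initial handshake.

```apache
# Fragment 1 (weak): the renegotiation trigger. The initial handshake runs
# with SSLVerifyClient none; the stricter setting inside <Location> can only
# be honoured by a second handshake after the request line has been read.
# SSLInsecureRenegotiation on lets legacy clients complete that second
# handshake again, at the price of re-enabling the prefix-injection attack.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLCACertificateFile    /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient none
    SSLInsecureRenegotiation on
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

# Fragment 2 (alternative): no renegotiation needed. The certificate-protected
# content lives in its own vhost on a second port, so the CertificateRequest
# is part of the first handshake and SSLInsecureRenegotiation keeps its
# default of off.
Listen 8443

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLVerifyClient none
    DocumentRoot /var/www/public
</VirtualHost>

<VirtualHost *:8443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLCACertificateFile    /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    DocumentRoot /var/www/secure
</VirtualHost>
```

If everything under a single vhost needs a certificate, setting require at the vhost level has the same effect as the second port: the client is asked for its certificate before any request is read, so neither old nor new clients ever renegotiate.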


failed in SSLv3 read client certificate with IE5

2000-10-31 Thread Carole HEBRARD

Hi.

I test Apache (1.3.12) + mod_ssl (2.6.1) on Windows NT4.
When trying to access the server with Netscape, it is ok. But with IE5.0
I have the following error:

[31/Oct/2000 11:57:12 00422] [info]  Connection to child 4 established
(server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:12 00422] [info]  Seeding PRNG with 0 bytes of
entropy
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Handshake: start
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: before/accept
initialization
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write
certificate A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write key
exchange A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write server
done A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read client
key exchange A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read finished
A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write change
cipher spec A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write finished
A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Handshake: done
[31/Oct/2000 11:57:12 00422] [info]  Connection: Client IP: 10.11.1.6,
Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Write: SSL negotiation
finished successfully
[31/Oct/2000 11:57:12 00422] [info]  Connection to child 4 closed with
standard shutdown (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:25 00422] [info]  Connection to child 5 established
(server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:25 00422] [info]  Seeding PRNG with 0 bytes of
entropy
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Handshake: start
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: before/accept
initialization
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 read client
hello A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write server
hello A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write
certificate A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write key
exchange A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write server
done A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Exit: failed in SSLv3 read
client certificate A
[31/Oct/2000 11:57:25 00422] [info]  Spurious SSL handshake
interrupt[Hint: Usually just one of those OpenSSL confusions!?]

In my httpd.conf, I put:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLVerifyClient none

So I do not understand why the server tries to verify the client
certificate (this is not the case with Netscape Navigator)

Can someone help me?

Best regards.
Carole Hébrard.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Client certificate related protocol error - certificates A & B ?

2001-02-23 Thread Rory Chisholm

I'm having some hard to track problems using a Stronghold v 3.0 web-server 
with modssl.

Our application calls for a Java client, using https tunneling via
a proxy web-server which forwards calls via a plug-in
to a WebLogic application server. Java client and web-server should use
two-way authenticated SSL and client certificates.

Simple calls using just one SSL connection to the mod_ssl enabled 
web-server work correctly, indicating the client, server
and CA certificates appear to be installed correctly. However when using
RMI calls via the tunneling proxy plug-in (which
results in multiple HTTP GET/PUT requests and thus multiple SSL
connections) we get the following error on the last
request:

[21/Feb/2001 14:47:56 06764] [trace] OpenSSL: Loop: SSLv3 read client 
certificate A
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Write: SSLv3 read client 
certificate B
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Exit: error in SSLv3 read 
client certificate B
[21/Feb/2001 14:47:56 06763] [trace] OpenSSL: Exit: error in SSLv3 read 
client certificate B
[21/Feb/2001 14:47:56 06763] [error] SSL handshake failed (server 
webserver:443, client 192.168.17.112) (OpenSSL library error follows)
[21/Feb/2001 14:47:56 06763] [error] OpenSSL: error:140890C7:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate 
[Hint: No CAs known to server for verification?]

Now this is almost certainly the fault of the client's (WebLogic's) Java SSL
implementation - however I'd still like to know
how this log entry should be read. All other connections only ever request
a "certificate A" - why is the server attempting
to read a client certificate B all of a sudden? And how do certificates
"A" and "B" differ? Are these just some kind of
"slot" allowing the client to submit multiple client certificates?

Thanks for any help,

-- yours sincerely,

Rory Chisholm
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: client certificate requested for EVERY html page

2002-05-13 Thread Jeff


I found this in my old notes - it may help you?

Q) Netscape keeps asking me which certificate to use
   for every single page on a site - why?

A) The Netscape security settings are incorrect. 
   To fix this problem: 
   . Click on the padlock at the bottom left of the 
 window to display 'Security Info' 
   . Click on 'Navigator' to display the Navigator 
 security settings 
   . Under 'Certificate to identify you to a web site:' 
 choose 'Select Automatically'
   . Click on the 'Ok' button to save this change. 

Note that Apache is doing what you have asked it to do,
in that all items under location /work require a client
cert. There are SSL settings called keepalive which were
meant to help speed up the SSL connection, but MS IE does
not work properly with them, so you cannot turn them on
unless you only have Netscape clients.

Regards
Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: 13 May 2002 16:55
To: [EMAIL PROTECTED]
Subject: client certificate requested for EVERY html page


Hi, I've set up an Apache/mod_ssl web server, created a CA, installed
the server certificate, etc, etc.

Then I went through the CLIENT CERTIFICATE process.
Everything worked fine (Client Request -> CA signs the cert
  -> Browser LOADS the cert)


THE PROBLEM IS that the SERVER REQUESTS THE CERTIFICATE EVERY TIME I
  LOAD A NEW HTML PAGE. This means that the browser - NETSCAPE 6.2.1 -
  continuously displays the CLIENT CERTIFICATE REQUEST window!

This is the httpd config:
-
  SSLVerifyClient none
  SSLCACertificateFile /...correct_path_here.../cacert.pem
  <Location /work>
    SSLVerifyClient require
    SSLVerifyDepth  1
  </Location>

and i have 3 HTML pages in /work dir, each containing 
a LINK to the others (to test the system)

AM I MISSING SOMETHING REALLY ...obvious...?

TIA
luca.







__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Another unwanted SSLv3 request of a client certificate

2000-03-31 Thread olafmaillist

Hello,

maybe you remember my postings about the SSL-Problems with a sequence
of redirection scripts on an SSL-Server.
(we now use apache-1.3.12,mod_ssl-2.6.2 and openssl-0.9.5 on Linux)

By updating the server we succeeded to get rid of the errors with the
Netscape Browsers, but now, a new problem appears with the IE5 on NT
and Win98:

[31/Mar/2000 11:09:29 26799] [info]  Seeding PRNG with 0 bytes of entropy
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Handshake: start
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: before/accept initialization
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 read client hello A
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 write server hello A
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 write certificate A
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 write server done A
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Mar/2000 11:09:29 26799] [trace] OpenSSL: Exit: failed in SSLv3 read client 
certificate A
[31/Mar/2000 11:09:29 26799] [info]  Spurious SSL handshake interrupt[Hint: Usually 
just one of those OpenSSL confusions!?]

Again the client is asked for a certificate and subsequently an error
occurs. 

SSLVerifyClient none
SSLOptions -FakeBasicAuthentication

should stop the server from asking for certificates but doesn't in all
cases (at least for IE5).

Questions:
-> Is that connected to the Problem already discussed with the step-up 
certificates (error message is identical) which could be solved by
prohibiting the 56-Bit-Key as I understand?
-> As suggested in the mailing-list in another context
SSLProtocol SSLv2
   solves the problem. But don't I lose features or security
   "downgrading" like that?
-> Is that a bug ? And if yes: In mod_ssl or in openssl?

Maybe you have some answers. 

Thanks 
Olaf

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



SSL Reverse Proxy with Client Certificate is restarting

2002-09-20 Thread Lee Hoo Wah

Hi,

I have a problem using Apache/mod_ssl 2.0.39 as a SSL reverse proxy to
connect to a SSL Server.

|HTTP Client|-http>|Reverse Proxy|https>|Web Server|

There is a Client Certificate on the Reverse Proxy which must be presented
to the Web Server for authentication. But I see from the log files, after
the initial SSL handshaking, immediately after the "Proxy client certificate
callback: (xxx.xxx.xxx:80) found acceptable cert", the child process on the
Reverse Proxy just dies without any error in the log file. The child process
initialises itself all over again. My browser on the front end receives a
"Page not found" error.

I double checked my cert pathing using "openssl" and curl to go into the SSL
server and it works. So I think the certificate should be ok. Is there
anything else that I have left out?

I have also tested against both an IIS 5.0 and an Apache 2.0 web server. Both
return the same error.

Really appreciate any help that might come along. Thanks in advance.

regards,
Lee Hoo Wah


[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 2,
subject: /C=US/O=GTE Corporation/CN=GTE CyberTrust Root, issuer: /C=US/O=GTE
Corporation/CN=GTE CyberTrust Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1,
subject: /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority, issuer: /C=US/O=GTE Corporation/CN=GTE CyberTrust
Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0,
subject: /C=SG/ST=Singapore/L=Singapore/O=xxx/OU=xxx/CN=xxx, issuer:
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate request A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1620): Proxy client certificate callback:
(xxx.xxx.xxx:80) entered
[debug] ssl_engine_kernel.c(1593): Proxy client certificate callback:
(xxx.xxx.xxx:80) found acceptable cert, sending
/C=xx/O=xxx/OU=xxx/OU=xxx/SN=xxx/CN=
[notice] Parent: child process exited with status 3221225477 -- Restarting.
<<<<<< CHILD PROCESS DIES
[debug] mpm_winnt.c(562): Parent: Marked listeners as not inheritable.
[info] Init: Initializing OpenSSL library




SSL Reverse Proxy with Client Certificate is dying

2002-09-21 Thread Lee Hoo Wah

Hi,

I have a problem using Apache/mod_ssl 2.0.40 as a SSL reverse proxy to
connect to a SSL Server.

|HTTP Client|-http>|Reverse Proxy|https>|Web Server|

There is a Client Certificate on the Reverse Proxy which must be presented
to the Web Server for authentication. But I see from the log files, after
the initial SSL handshaking, immediately after the "Proxy client certificate
callback: (xxx.xxx.xxx:80) found acceptable cert", the child process on the
Reverse Proxy just dies without any error in the log file. The child process
initialises itself all over again. My browser on the front end receives a
"Page not found" error.

I double checked my cert pathing using "openssl" and curl to go into the SSL
server and it works. So I think the certificate should be ok. Is there
anything else that I have left out?

I have also tested against both an IIS 5.0 and an Apache 2.0 web server. Both
return the same error.

Really appreciate any help that might come along. Thanks in advance.

regards,
Lee Hoo Wah


[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 2,
subject: /C=US/O=GTE Corporation/CN=GTE CyberTrust Root, issuer: /C=US/O=GTE
Corporation/CN=GTE CyberTrust Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1,
subject: /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority, issuer: /C=US/O=GTE Corporation/CN=GTE CyberTrust
Root
[debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0,
subject: /C=SG/ST=Singapore/L=Singapore/O=xxx/OU=xxx/CN=xxx, issuer:
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server
certificate request A
[debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read server done A
[debug] ssl_engine_kernel.c(1620): Proxy client certificate callback:
(xxx.xxx.xxx:80) entered
[debug] ssl_engine_kernel.c(1593): Proxy client certificate callback:
(xxx.xxx.xxx:80) found acceptable cert, sending
/C=xx/O=xxx/OU=xxx/OU=xxx/SN=xxx/CN=
[notice] Parent: child process exited with status 3221225477 -- Restarting.
<<<<<< CHILD PROCESS DIES
[debug] mpm_winnt.c(562): Parent: Marked listeners as not inheritable.
[info] Init: Initializing OpenSSL library




SSLProxy - Howto delegate Client Certificate to backend server

2003-02-23 Thread ulrich . lohrmann
Hi all,

I have the following scenario:

Apache webserver 2.0.44 with mod_ssl requires client authentication during
the SSL handshake for a particular URL. All further requests coming in over
the established SSL connection are delegated to a backend server. The
connection between the webserver and the backend server is also configured
to be an SSL connection with client authentication, so the webserver has to
provide a client certificate to the backend server.

I'd like to pass the client certificate provided by the end user to the
backend server. Is there a chance to do this with mod_ssl?

Any help and comments appreciated.

Best regards
Ulrich


Deutscher Sparkassen Verlag GmbH

Am Wallgraben 115
70565 Stuttgart
Telefon: 0711/782-0
Webseite: http://www.dsv-gruppe.de



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


re: client certificate authentication and IE friendly errors

2007-05-22 Thread donal . hanna
Hello,

I'm having a problem with Internet Explorer's "Show friendly HTTP error
messages" in response to a 403 generated by an SSLRequire directive, when
trying client certificate authentication. 

I've come across some information about overriding the browser config by
setting the size of the message [greater than 512 bytes for a 403], which
doesn't appear to work. Unfortunately I can't rely on users having unchecked
this setting in the browser options.

The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq
"SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the
same Location directive. I've combined these because there is a likelihood
that the resource will be accessed by clients without certificates, and I'm
trying to trap this in as friendly a way as possible.

Everything works fine in my testing [good cert, no cert, wrong cert], except
when I try to hit the server with an expired client certificate in IE. Because
of some testing constraints around where I get the certificates from I've been
simulating expiry by adjusting the time on both the desktop and server - just
the client cert is expired at the chosen time; not the issuing CA cert or web
server's.

With an expired client certificate, my ErrorDocument 403 is correctly
displayed if the 'show friendly messages' is unchecked, but the browser shows
a 'page cannot be displayed' error if the setting is enabled. I can't see
anything in the logs to distinguish the two states. A reload on the browser
correctly renders the error.

Is this something that anyone else has come across? I've checked the archives,
and although people have cited problems with friendly errors
[http://marc.info/?l=apache-modssl&m=101554001204754&w=2] the circumstances
seem different.

Is there a saner way of handling the access attempts from browsers attempting
to access the same resource both with and without client certs?

Version info:
- desktop: XP SP2, IE version 6.0.29...
- server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl
0.9.8e

I have the SetEnvIf HTTP_USER_AGENT ".*MSIE.*" ... enabled as per default
config. SSLCACertificateFile has a single entry for the issuing CA.

Thanks,

Donal




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Problem transforming pem into p12 (problem generating client certificate)

2000-02-24 Thread Ed Yu

Hi I'm pretty new to encryption stuff. I'm stuck at transforming the client
certificate from pem format into p12:

openssl pkcs12 -export \
-in sabrecert.pem \
-inkey sabrekey.pem \
-name "Sabre certificate" \
-certfile /usr/local/apache/1.3.9/conf/ssl.crt/ca.crt \
-out sabre.p12

Enter PEM pass phrase:
No certificate matches private key

Any ideas? The following is what I've done:

1) install apache
2) compile the rsa library
3) compile openssl, test openssl
4) configure mod_ssl
5) remake apache (with openssl)
6) make certificate TYPE=custom (making my own CA)
7) make install

8) openssl genrsa -des3 -out sabrekey.pem 1024
9) openssl req -new -key sabrekey.pem -out sabrereq.pem
10) openssl ca -keyfile /usr/local/apache/1.3.9/conf/ssl.key/ca.key \
-cert /usr/local/apache/1.3.9/conf/ssl.crt/ca.crt \
-in sabrereq.pem \
-outdir ./ -out sabrecert.pem
11) openssl pkcs12 -export \
-in sabrecert.pem \
-inkey sabrekey.pem \
-name "Sabre certificate" \
-certfile /usr/local/apache/1.3.9/conf/ssl.crt/ca.crt \
-out sabre.p12

^^
Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager,
University of South Carolina,
Advanced Solutions Group, Physics Dept.,
Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



How to create a client certificate when use x509?

2002-08-15 Thread Bao, Xiliang

Hi:

Does anyone know how to create client certificates when using x509?
I can create server certificates without any problem. But what
are the requirements for client certificates? I use Microsoft
Windows NT.

Any hint will be appreciated.

Steve 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Avoid client certificate dialog, when client has no certificate

2002-09-02 Thread Gerald Richter

Hi,

I'd like to have optional authentication with client certificates.
Everything works well, except that the browser (IE 5.5) pops up a dialog
(which lists no certificates) even though the client has no certificates installed.
Netscape 4.7 gives me an error message that there are no certificates
installed. After confirming these dialogs, everything works as expected.

I have

SSLVerifyDepth 1
SSLVerifyClient optional

in my httpd.conf

Is there any chance to avoid this useless dialog?

Gerald

-
Gerald Richterecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:   Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice:+49 6133 925131
WWW:http://www.ecos.de  Fax:  +49 6133 925152
-


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: SSL Reverse Proxy with Client Certificate is dying

2002-09-22 Thread Lee Hoo Wah

Hi all,

Apologies for duplicating this email again. I had some problems with my
mailbox and thought that the original email did not get through. I also
updated the Apache version from 2.0.39 to 2.0.40 because I
tested both with the same results.

Regarding the question itself, I would really appreciate if somebody could
give some suggestions.

Thanks again.

regards,
Lee Hoo Wah




Re: SSLProxy - Howto delegate Client Certificate to backend server

2003-02-23 Thread Mads Toftum
On Fri, Feb 21, 2003 at 07:39:07AM +0100, [EMAIL PROTECTED] wrote:
> I'd like to pass the client certificate provided by the end user to the
> backend server. Is there a
> chance to do this with mod_ssl?
> 
Currently there isn't a solution with mod_ssl. There is however a couple
of ways to do this if you don't mind hacking the code. I made a POC module
for Apache 1.3 http://www.toftum.org/www2/apache/ which is just a very
simple example of how this can be done. A patch has also been sent
to the [EMAIL PROTECTED] list recently; it has not been included, but see
http://marc.theaimsgroup.com/?t=10449923556&r=1&w=2

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: SSLProxy - Howto delegate Client Certificate to backend server

2003-02-25 Thread Maik Mueller
Hello ulrich,

Friday, February 21, 2003, 7:39:07 AM, you wrote:

uldgd> I have the following scenario:
uldgd> Apache webserver 2.0.44 with mod_ssl requires client authentication during
uldgd> SSL handshake
uldgd> for a particular URL. All further requests coming in over the established
uldgd> SSL connection are
uldgd> delegated to a backend server. The connection between the webserver and the
uldgd> backend
uldgd> server is also configured to be a SSL connection with client
uldgd> authentication, so the webserver
uldgd> has to provide a client certificate to the backend server.

uldgd> I'd like to pass the client certificate provided by the end user to the
uldgd> backend server. Is there a
uldgd> chance to do this with mod_ssl?
I believe everything you are looking for is in the patch I posted on
Wed, 19 Feb 2003 (RE: Patches and Enhancements for a SSL-Proxy Based
on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)).
If you find my patch useful I would appreciate any help to make it
part of future Apache distributions.

-- 
Best regards,
 Maikmailto:[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Client certificate verification && Error handling in apache2 with mod_ssl

2004-04-15 Thread Lamot Michael



Hello,

Does mod_ssl support any type of error handling for
the client certificate authentication?
I'd really like to have another page load than a
"server not found" one when a client presents an invalid certificate.

If not, is it possible to bypass some verifications,
such as the cert date, so my servlet engine can check that itself
and display an appropriate error page instead of
the "server not found" one?
So Apache would just take the certificate,
not check anything, export it, and I'll handle
all cert related errors somewhere else.

Thanks,

Michael Lamot


Problem with reading client certificate - downgrade doesn't seem to work

2002-03-11 Thread Bruno Georges

Hi

Some of our users have the following problem:
when users are submitting their order [https and POST], the app sends the
confirmation page but nothing is displayed on the user's browser.

First here is our setting:
OS: Solaris 2.7
Web Server: Apache 1.3.23 + mod_ssl-2.8.7-1.3.23 + openssl-0.9.6c
App server: NewAtlanta ServletExec 4.1

apache vhost config:

...
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
...

Our logs show for 2 of the failing requests [I replaced IPs with
Browser1 and Browser2]:

SSL LOG:

[11/Mar/2002:11:21:51 +] Browser1 TLSv1 RC4-MD5 "GET /main HTTP/1.1" 
14514
[11/Mar/2002:15:26:29 +] Browser2 SSLv3 RC4-MD5 "POST /main 
HTTP/1.1" 23618

Apache logs show the following User Agents:
--
Browser1: Mozilla/4.0 (compatible;MSIE 6.0; AOL 7.0; Windows 98)
Browser2: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

app server logs show:
-
[Mon Mar 11 11:20:32 GMT 2002] Unknown certificate data:
[Mon Mar 11 11:20:32 GMT 2002] ClientCert: oop init: 
java.util.NoSuchElementException
[Mon Mar 11 11:20:32 GMT 2002] java.util.NoSuchElementException
[Mon Mar 11 11:20:32 GMT 2002]  at 
java.util.StringTokenizer.nextToken(StringTokenizer.java:235)
[Mon Mar 11 11:20:32 GMT 2002]  at 
com.newatlanta.servletexec.ClientCert.parseCert(ClientCert.java:204)
....
Retrieving the client certificate data
[Mon Mar 11 15:26:28 GMT 2002] java.net.SocketException: Connection 
reset by peer: Connection reset by peer
[Mon Mar 11 15:26:28 GMT 2002]  at 
java.net.SocketInputStream.socketRead(Native Method)
[Mon Mar 11 15:26:28 GMT 2002]  at 
java.net.SocketInputStream.read(SocketInputStream.java:90)


It looks like it is not possible to get anything from the client, and 
the connection is broken.
I am a bit confused, according to the SetEnvIf directive IE response 
should be HTTP/1.0, also we force the form method to POST, which has no 
effect.


Thanks for any help.

Bruno Georges




Re: Problem with reading client certificate - downgrade doesn't seem to work

2002-03-11 Thread jon schatz

On Mon, 2002-03-11 at 08:45, Bruno Georges wrote:
> It looks like it is not possible to get anything from the client, and 
> the connection is broken.
> I am a bit confused, according to the SetEnvIf directive IE response 
> should be HTTP/1.0, also we force the form method to POST, which has no 
> effect.

I had this problem w/ 1.3.20 + 1.3.22 + the appropriate mod_ssl +
mod_perl-1.2.26 on linux systems. It "magically" fixed itself with the
release of apache-1.3.23 + mod_ssl-2.8.6. Try this and see what happens
(to see if your setenvif is working):

[jon@devotchka jon]$ openssl s_client -quiet -connect devotchka:23456
< GET / HTTP/1.1
> Host: devotchka
> User-Agent: Mozilla/4.0 Compatible (MSIE)
> 
> EOF

Inside of my reply, I get (among other things):

> HTTP/1.0 200 OK
> Date: Mon, 11 Mar 2002 19:27:28 GMT
> Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6b
> mod_perl/1.26

I haven't upgraded to 2.8.7 yet, so i wonder if this problem was
reintroduced

-jon

-- 
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing." 



cannot get Client-Certificate-Chain sent by web browser to Apache+modssl

2001-06-07 Thread K.Umesawa
Hello!

I'm trying to get a Client-Certificate-Chain by using SSL_CLIENT_CERT_CHAIN_n
in my CGI which works on Apache 1.3.19 + mod_ssl 2.8.3.
Now I can get the data of SSL_CLIENT_CERT and SSL_SERVER_CERT (and client
authentication succeeds), but I can't get any data of SSL_CLIENT_CERT_CHAIN_n
(with n=0,1,2,...).
When I use the "openssl s_server" command and connect to its sample server
from Netscape 4.7 and IE 5.5, I can see Client-Certificate-Chain data on a
network analyzer (ethereal).
But I don't see data like Client-Certificate-Chain when I start up
Apache+mod_ssl and send Client-Certificate-Chain to Apache from Netscape 4.7
and IE 5.5 (BUT Client Authentication is SUCCESS! (Why?)).

Is there any relation between "I can't get SSL_CLIENT_CERT_CHAIN_n" and
"There is no data like Client-Certificate-Chain on network"?
If there is no relation, why can't I get Client-Certificate-Chain though I
can get SSL_CLIENT_CERT?

Can anyone help out? Please help!
Thanks a lot

--
kentaro
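Added example, not from any poster in these threads and not mod_ssl's own code: a CGI-side check in Python over the variables mod_ssl exports, SSL_CLIENT_VERIFY, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n as named above, for an application that receives the exported certificate and wants to serve its own error page (Michael Lamot's set-up) or walk the chain (Kentaro's question). The environment dict and the PEM body are constructed; the body is an ASN.1 stand-in, not a real certificate.

```python
import base64

# Constructed stand-in for a PEM body: DER "SEQUENCE { INTEGER 5 }", not a real certificate.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Return the DER bytes of one PEM CERTIFICATE block, or None if the armor,
    the base64 or the outer ASN.1 tag is wrong (X.509 is always an outer SEQUENCE, 0x30)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (len(lines) < 3
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return None
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return der if der[:1] == b"\x30" else None


def collect_client_chain(env):
    """Collect SSL_CLIENT_CERT_CHAIN_0, _1, ... in order; mod_ssl numbers them
    contiguously, so the first missing index ends the chain."""
    chain = []
    while "SSL_CLIENT_CERT_CHAIN_%d" % len(chain) in env:
        chain.append(env["SSL_CLIENT_CERT_CHAIN_%d" % len(chain)])
    return chain


def check_client_cert(env):
    """Return (ok, reason) for a request's mod_ssl environment. The application,
    not Apache, decides which page to serve on a failure."""
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")  # NONE, SUCCESS, GENEROUS or FAILED:<reason>
    if verify != "SUCCESS":
        return False, "verify=" + verify
    leaf = env.get("SSL_CLIENT_CERT")
    if not leaf or pem_to_der(leaf) is None:
        # SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n are only set with SSLOptions +ExportCertData
        return False, "leaf certificate missing or not PEM"
    chain = collect_client_chain(env)
    bad = [i for i, pem in enumerate(chain) if pem_to_der(pem) is None]
    if bad:
        return False, "malformed chain entries: %s" % bad
    return True, "leaf plus %d chain certificate(s)" % len(chain)
```

In a real CGI the dict is `os.environ`; a FAILED:reason value is what the servlet engine would map to its own error page instead of Apache's handshake failure.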

