[users@httpd] subjectAltName and SNI results in 403 error

Wed, 21 May 2014 08:03:12 -0700
I'm getting an odd error with a slightly edge Apache Subject Name Identifier (SNI) configuration: the SSL negotiation concludes correctly, but I get a 403 error, as if I was using a non-SNI compatible browser when I access an SNI domain with a subjectAltName (SAN) cert (SSLStrictSNIVHostCheck off is set in httpd-ssl.conf) 


As the SSL negotiation concludes without warnings, I believe the SSL 
certificates are set up at least superficially correctly and the SNI 
identification handshake has happened successfully because the expected 
domain-specific cert is presented and available in the client, however, 
Apache refuses send the page content, instead returning a 403 error.



I've anonymized the following, but the server is live and successfully 
serving SNI identified CACert signed domains, StartSSL signed domains 
with CAMs of the form sub1.domain.tld, DNS:sub2.domain.tld, and 
unsuccessfully serving CACert signed CAM identified domains of the form 
DNS:domain1.tld,DNS:domain2.tld.



I suspect that Apache is barfing on the domain identifier not matching 
the CN in the cert or something along those lines (though I believe CN 
should be ignored if SAN is set, though perhaps Apache isn't respecting 
this?)


Some additional detail:



I've modified openssl.cnf to reflect 
http://wiki.cacert.org/FAQ/subjectAltName and executed the following 
commands to generate the certificate:


# setenv OPENSSL /usr/local/bin/openssl
# setenv OPENSSL_CONF /etc/ssl/openssl_CACaltnames.cnf
# setenv identifier [your key identifier like "SANcert"]

# openssl genrsa -out "$identifier"-encrypted-key.key 4096

# openssl req -new -key "$identifier"-encrypted-key.key -sha512 -out 
"$identifier"-req.csr


# openssl req -in "$identifier"-req.csr -text -noout | less

# less "$identifier"-req.csr

paste the -req key in at CAcert.org

submit for class 3 cert (high security) signing and submit the form the 
paste the result into the cert.pem


# ee "$identifier"-cert.pem

paste in signed cert and check it

# openssl x509 -in "$identifier"-cert.pem -text -noout | less


# openssl rsa -in "$identifier"-encrypted-key.key -out 
"$identifier"-unencrypted-key.pem

# chmod 400 "$identifier"-unencrypted-key.pem



Then configured httpd-vhosts.conf for a sample domain where "multicert" 
is the identifier for the subjectAltName enabled cert.


<VirtualHost 10.0.0.10:80>
    ServerName domain1.org
    ServerAlias *.domain1.org www.domain1.org
    ServerAdmin ad...@domain1.com
    DocumentRoot /usr/local/www/data-dist/domain1
    ErrorLog /var/log/domain1-error_log
    CustomLog /var/log/domain1-access_log combined
    <Directory /usr/local/www/data-dist/domain1>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 10.0.0.10:443>
    ServerName domain1.org
    ServerAlias *.domain1.org www.domain1.org
    ServerAdmin ad...@domain1.com
    DocumentRoot /usr/local/www/data-dist/domain1
    SSLEngine On
        SSLCertificateFile /usr/local/etc/ca/multicert-cert.pem

        SSLCertificateKeyFile 
/usr/local/etc/ca/multicert-unencrypted-key.pem

        SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem

        Header set Strict-Transport-Security "max-age=31536000; 
includeSubDomains"

    ErrorLog /var/log/domain1-error_log
    CustomLog /var/log/domain1-access_log combined
    <Directory /usr/local/www/data-dist/ea>
       Options Indexes FollowSymLinks MultiViews
       AllowOverride all
       Require all granted
    </Directory>
</VirtualHost>

Visiting http://domain1.org yields an expected result
Visiting https://domain1.org triggers the usual warnings and then results in

Access forbidden!


You don't have permission to access the requested directory. There is 
either no index document or the directory is read-protected.


If you think this is a server error, please contact the webmaster.
Error 403
www.domain1.org
Apache/2.4.9 (FreeBSD) OpenSSL/1.0.1g PHP/5.5.12


httpd-vhosts.conf also includes the following CACert certified domain 
(with a non subjectAltName enabled certificate)


<VirtualHost 10.0.0.10:80>
    ServerName gooddomain.com
    ServerAdmin ad...@domain1.com
    DocumentRoot /usr/local/www/data-dist/brt
    ServerAlias *.gooddomain.com www.gooddomain.com
    ErrorLog /var/log/gooddomain-error_log
    CustomLog /var/log/gooddomain-access_log combined
    ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>

<VirtualHost 10.0.0.10:443>
    ServerName gooddomain.com
    ServerAdmin ad...@domain1.com
    DocumentRoot /usr/local/www/data-dist/brt
    ServerAlias *.gooddomain.com www.gooddomain.com
        SSLEngine On
        SSLCertificateFile /usr/local/etc/ca/brt.com-cert.pem
        SSLCertificateKeyFile /usr/local/etc/ca/brt.com-unencrypted-key.pem
        SSLCertificateChainFile /usr/local/etc/ca/CAcert_chain.pem

        Header set Strict-Transport-Security "max-age=31536000; 
includeSubDomains"

    ErrorLog /var/log/gooddomain-error_log
    CustomLog /var/log/gooddomain-access_log combined
    ScriptAlias /cgi-prg /www/cgi-prg
</VirtualHost>

Same server, same CA, same config - just a non SAN cert.  This works fine

http://gooddomain.com  fine
https://gooddomain.com fine


The issued SAN cert looks like:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145200 (0x23730)
        Signature Algorithm: sha512WithRSAEncryption

        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert 
Class 3 Root

        Validity
            Not Before: May 20 18:55:44 2014 GMT
            Not After : May 19 18:55:44 2016 GMT
        Subject: CN=www.gooddomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    ... (modhex removed)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:

                TLS Web Client Authentication, TLS Web Server 
Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto

            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 CRL Distribution Points:
                URI:http://crl.cacert.org/class3-revoke.crl

            X509v3 Subject Alternative Name:

                DNS:www.gooddomain.com, othername:<unsupported>, 
DNS:*.gooddomain.com, othername:<unsupported>, DNS:domain1.org, 
othername:<unsupported>, DNS:*.domain1.org, othername:<unsupported>, 
DNS:gooddomain.com, othername:<unsupported>, DNS:domain2.com, 
othername:<unsupported>, DNS:*.domain2.com, othername:<unsupported>

    Signature Algorithm: sha512WithRSAEncryption
        ... (sig hex removed)


I've tried with self-signed and with CACert and after several days of 
trial and error, have run out of ideas.  Any hints (other than 
generating per-domain certs, which seems to work fine).


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org















    











					Reply via email to