apr ssl tomcat 6.0.18 client authentication

Sat, 08 Nov 2008 04:46:06 -0800 

hi,

i am trying to use ssl client authentication together with apr. I have
followed the instructions contained in apr manual but no success.
When I try access server with the browser (get the prompt for user cert), i
get the error:

  An error occurred during a connection to rzuem5008u.jap2.ch:8443.
  SSL peer was unable to negotiate an acceptable set of security parameters. 
  (Error code: ssl_error_handshake_failure_alert)

When I try to access the server with: 
  openssl s_client -msg  -CAfile /home/rejap/certs/REtest-RootCA.pem -cert
/home/rejap/certs/0D.pem  -state -connect rzuem5008u.jap2.ch:8443
it produces the following error:
--- snip, snip ---
 SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
    10 00 00 82 00 80 7b a6 c2 cf 5e a1 44 60 1c 5d
 ...
    71 06 75 4b 06 c4
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
    0f 00 01 02 01 00 4a f4 64 74 56 b4 d0 51 b1 27
...
    2b 90 55 46 fd c4
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
    14 00 00 0c 70 b5 b4 08 35 3a ae 15 d3 28 2c e4
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 Alert [length 0002], fatal decrypt_error
    02 33
SSL3 alert read:fatal:decrypt error
SSL_connect:failed in SSLv3 read finished A
18383:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt
error:s3_pkt.c:1053:SSL alert number 51
18383:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

The server.xml is all default except:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               sslProtocol="TLSv1"
               SSLCertificateFile="/home/rejap/app/certs/rzuem5008u.crt"
               SSLCertificateKeyFile="/home/rejap/app/certs/rzuem5008u.key"
               SSLCertificateChainFile="/home/rejap/app/certs/cacert.pem"

               SSLVerifyClient="require"
               SSLVerifyDepth="10"
               SSLCACertificateFile="/home/rejap/app/certs/all-cacerts.pem" 
               />

What is in the certificate files:

rzuem5008u.crt - server certificate, signed by CA1
rzuem5008u.key - server private key
cacert.pem - CA1 certificate signed by ROOT
all-cacerts.pem - CA1 certificated (signed by ROOT) followed by ROOT (self
signed)

client sends the user certificate singned by CA1
client has the ROOT certificate added to the trust

If I turn off the verify client (take out last 3 directives from config) the
server auth works ok.
I have verified the certs (chains) with apache server. I did parallel setup
with the same certs/keys and it appears to work.
I tried to switch to sslv3. I got similar but not exactly the same error.

Is there any way to enable logging of apr/openssl to learn more about the
problem?
Did anybody manage to setup apr ssh with user authentication?
Did anybody manage to setup apr ssh with chained certificates?
If yes, it would help me to take a look at the user certificate to find out
what algorithms are used.

Thanks
Pawel


For the reference, user certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CH, O=RUAG Electronics, OU=Certification Authorities,
OU=NEO, CN=REtest-CA1
        Validity
            Not Before: Nov  5 16:06:10 2008 GMT
            Not After : Nov  5 16:06:10 2010 GMT
        Subject: O=RUAG Electronics, OU=NEO, CN=Pawel Jasinski, C=CH
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:98:1a:b2:6f:f8:4f:37:0b:3d:38:45:53:87:cb:
                    ...
                    77:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            Netscape Comment: 
                Authorization Certificate of RUAG Electronics
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                2F:D4:2A:C3:55:31:7B:1C:BB:B7:AA:81:16:A5:9B:15:77:6D:40:57
            X509v3 Authority Key Identifier: 
               
keyid:6E:FA:E6:81:EF:C4:50:CC:9F:71:7D:97:CB:17:9F:59:54:DC:3D:AA
                DirName:/CN=REtest-RootCA/OU=Certification
Authorities/OU=NEO/O=RUAG Electronics/C=CH
                serial:02

            X509v3 Subject Alternative Name: 
                email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name: 
                <EMPTY>

            Netscape CA Revocation Url: 
                http://neoca.jap2.ch/pki/pub/crl/cacrl.crl
            Netscape Revocation Url: 
                http://neoca.jap2.ch/pki/pub/crl/cacrl.crl
            X509v3 CRL Distribution Points: 
                URI:http://neoca.jap2.ch/pki/pub/crl/cacrl.crl







-- 
View this message in context: 
http://www.nabble.com/apr-ssl-tomcat-6.0.18-client-authentication-tp20395697p20395697.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to