Answers inline.

--
Erwann ABALEA
-----
paleocaprid: a kind of old nanny-goat, cf. paleotalpid (old mole) or
paleogadid (old cod)

On 13/11/2012 19:34, Sanford Staab wrote:
    I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.

So you've looked at Apache documentation in addition to OpenSSL doc, right?

    Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link <http://www.wolmarans.com/drupal/?q=node/22> for one of the 900k+ hits on a google search of “openssl+docs+suck” for how much hell you guys are putting people through trying to figure out this tool) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just *unbelievable* to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves.
    A tool is only as good as people are able to use it.
    So let me get specific here – one simple specific question (of many that I have) that has me clueless:
    The command of:
    openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt
    results in output containing:
    No client certificate CA names sent

That's a warning. OpenSSL client warns you that your Apache server hasn't sent any CA name to the client to help decide which certificate it should present. That's the result of your Apache configuration.

    from the docs for the s_client command, the -cert option says:
    -cert certname

    The certificate to use, if one is requested by the server. The
    default is not to use a certificate.

    My guess from this is that this command is referring to the
    CLIENT SSL certificate - no? If my assumption is correct, then
    why am I getting this error?  Or is this a notification of
    something normal and I should be looking elsewhere?

This isn't an error, and OpenSSL has tried to present the certificate you asked it to.

    I have checked the Apache httpd-ssl.cnf file I am using and
    verified that all the certificate related parts are filled in and
    I have verified the integrity of all the certificates referenced
    by it.
    I have been able to do straight one-way SSL with the server as
    well with both IE and Chrome browsers.  Two-way SSL fails with the
    server logs indicating that the client “refused” the connection.
    I am using a self-signed CA which was used to sign the server
    certificate.  The client certificate is also signed by the same CA
    self-signed certificate.
    Apache error logs give me this:
    [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request
    Which is about as useful as the openssl docs are.

It indicates Apache didn't receive a valid HTTP request. That's not OpenSSL's job. Right now (19:29 UTC), your server doesn't do TLS, only plain HTTP on port 443. Trying to do TLS on such a server might give this error message in your Apache.

    I am also seeing this in openssl’s s_client output:
    verify error:num=19:self signed certificate in certificate chain
    From what I think I understand, this should not be a showstopper problem
    as all root CA certs would naturally be self-signed no?
    Full output of this operation with the -showcerts command is attached for
    reference.
    I have read through many forum examples of how to do this and it seems
    simple enough but then when it doesn’t work, figuring out what things MEAN and
    how to address what is wrong proves to be very difficult indeed.

Having read the provided output of your tests, it seems you configured your Apache server to send both its own certificate and the root as intermediate certificates. That's both wrong and useless. OpenSSL s_client tells you that it found a self-signed certificate in the returned chain (which is true). Disable the "SSLCertificateChainFile" directive in your Apache, it should get better.

Anyway, the output shows that the TLS connection went OK, and that Apache received something that looked like a valid request.

Go read Apache doc again.
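As an added illustration (not part of the thread, and not OpenSSL's or Apache's own code), the small Python script below does mechanically what Erwann did by eye: it parses the "Certificate chain" listing that `openssl s_client -showcerts` prints (the ` N s:<subject>` / `   i:<issuer>` pairs), flags any certificate whose subject equals its issuer (the condition behind verify error 19 when a root is shipped via SSLCertificateChainFile), and notes whether the server sent a client-CA name list at all. The two s_client transcripts embedded in it are constructed samples in the 2012-era output format, not captures from the server discussed above; the distinguished names in them are made up.

```python
"""Triage helper for `openssl s_client -showcerts` output (added example).

Reports two server-side configuration issues from the thread:
  * a self-signed certificate at depth > 0 in the chain the server sent
    (a root CA placed in SSLCertificateChainFile; verify error num=19), and
  * "No client certificate CA names sent", i.e. the vhost does not request
    client authentication (SSLVerifyClient / SSLCACertificateFile not active).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: server ships its own cert plus the self-signed root,
# and requests no client-CA names. This is NOT a real capture.
BROKEN_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=US/O=Example/CN=Example Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example/CN=www.example.com
   i:/C=US/O=Example/CN=Example Root CA
 1 s:/C=US/O=Example/CN=Example Root CA
   i:/C=US/O=Example/CN=Example Root CA
---
No client certificate CA names sent
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

# Constructed sample of a correctly configured server: only the leaf is sent,
# the root lives in the client's trust store, and a CA name list is offered.
CLEAN_OUTPUT = """\
CONNECTED(00000003)
depth=0 /C=US/O=Example/CN=www.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example/CN=www.example.com
   i:/C=US/O=Example/CN=Example Root CA
---
Acceptable client certificate CA names
/C=US/O=Example/CN=Example Root CA
---
    Verify return code: 0 (ok)
---
"""


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # s_client prints the raw DNs; equality is the self-signed test here.
        return self.subject == self.issuer


SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
RETURN_CODE_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_chain(output: str) -> List[ChainCert]:
    """Collect the (depth, subject, issuer) triples from the chain listing."""
    certs: List[ChainCert] = []
    pending: Optional[Tuple[int, str]] = None
    for line in output.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            depth, subject = pending
            certs.append(ChainCert(depth, subject, m.group(1).strip()))
            pending = None
    return certs


def triage(output: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for cert in parse_chain(output):
        if not cert.self_signed:
            continue
        if cert.depth == 0:
            findings.append(f"depth 0: server certificate '{cert.subject}' is itself self-signed")
        else:
            findings.append(f"depth {cert.depth}: self-signed root '{cert.subject}' sent by the server; "
                            "a root CA does not belong in SSLCertificateChainFile")
    if "No client certificate CA names sent" in output:
        findings.append("server requested no client-CA names: client authentication is not "
                        "configured on this vhost (SSLVerifyClient / SSLCACertificateFile)")
    m = RETURN_CODE_RE.search(output)
    if m and m.group(1) != "0":
        findings.append(f"verify return code {m.group(1)}: {m.group(2)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_OUTPUT), ("clean", CLEAN_OUTPUT)):
        print(f"[{label}]")
        for finding in triage(sample) or ["no findings"]:
            print("  -", finding)
```

Feed it a real transcript with `triage(open("s_client.txt").read())`; the self-signed check at depth > 0 is exactly the "root in the chain file" misconfiguration, while a self-signed certificate at depth 0 is the separate case of a server whose own certificate is a root.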
