Re: Certs work, one doesn't, cannot determine why

2010-11-01 Thread Joe Orton
On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
 Works: SSL via my corporate cert, SSL via 3 other people's
 corporate certs
 Fails: 1 person's cert so far, yet is logged as SUCCESS
 when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of something that is not working is hard to 
follow or condense down. Are you saying with the below configuration, 
you are seeing the SSLRequire work for all the users but that with the 
jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell.  Is 
the order of the users within the SSLRequire list significant?  Why are 
you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

Regards, Joe

 <Location />
 SetHandler perl-script
 PerlResponseHandler RT::Mason
 SSLVerifyClient require
 SSLRequire %{SSL_CLIENT_S_DN} in { \
 / Charles J., \
 / Marc W., \
 / Mary B, \
 / Barbara A. \
 }
 </Location>
Apache Interface to OpenSSL (mod_ssl)
User Support Mailing List
Automated List
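Joe's question about matching the whole S_DN rather than S_DN_CN comes down to how mod_ssl's `in { ... }` operator compares strings: it tests the exported variable for exact equality against each member of the set. The following is an added example, not code from this thread or from mod_ssl. It emulates the two styles under discussion in Python and adds a third, issuer-pinned variant (SSL_CLIENT_I_DN is a real mod_ssl variable; the combination is my suggestion, not the thread's). The DNs, the allow-lists ALLOWED_DNS / ALLOWED_CNS and EXPECTED_ISSUER are constructed, since the archive stripped the real DN strings from the config.

```python
"""Emulate the SSLRequire matching styles discussed in the thread: the whole
SSL_CLIENT_S_DN string tested with `in { ... }` (exact string equality, as
mod_ssl does it) versus a single attribute such as SSL_CLIENT_S_DN_CN, plus
an issuer-pinned variant.  Added example, not code from the thread; all DNs
and names below are constructed stand-ins."""

# Constructed allow-list in the oneline DN form that mod_ssl 2.2 exports in
# SSL_CLIENT_S_DN (/C=../O=../OU=../CN=..).
ALLOWED_DNS = {
    "/C=US/O=Example Corp/OU=People/CN=Blaine Charles J.",
    "/C=US/O=Example Corp/OU=People/CN=Simpson Mary B",
}
ALLOWED_CNS = {"Blaine Charles J.", "Simpson Mary B"}
# Constructed issuer DN of the corporate CA the server trusts.
EXPECTED_ISSUER = "/C=US/O=Example Corp/CN=Example Corp Issuing CA"


def dn_components(dn):
    """Split a oneline DN into an ordered list of (attribute, value) pairs.
    The constructed samples contain no escaped '/' characters, so a plain
    split is sufficient here."""
    pairs = []
    for rdn in dn.lstrip("/").split("/"):
        attr, _, value = rdn.partition("=")
        pairs.append((attr, value))
    return pairs


def dn_attribute(dn, attr):
    """Value of the first occurrence of `attr`, like SSL_CLIENT_S_DN_CN."""
    for a, v in dn_components(dn):
        if a == attr:
            return v
    return None


def require_whole_dn(subject_dn):
    """SSLRequire %{SSL_CLIENT_S_DN} in { ... }: byte-for-byte equality.
    A reissued certificate with an extra OU, reordered attributes or
    different spacing fails even though it belongs to the same person."""
    return subject_dn in ALLOWED_DNS


def require_cn(subject_dn):
    """SSLRequire %{SSL_CLIENT_S_DN_CN} in { ... }: only the CN must match.
    Looser: a cert from any CA in SSLCACertificateFile with that CN passes."""
    return dn_attribute(subject_dn, "CN") in ALLOWED_CNS


def require_issuer_and_cn(subject_dn, issuer_dn):
    """Middle ground: pin the issuer (SSL_CLIENT_I_DN) and match the CN, so a
    reissued cert from the corporate CA passes but one from another CA does
    not."""
    return issuer_dn == EXPECTED_ISSUER and require_cn(subject_dn)


def evaluate(subject_dn, issuer_dn=EXPECTED_ISSUER):
    """Run all three styles against one presented certificate subject."""
    return {
        "whole_dn": require_whole_dn(subject_dn),
        "cn_only": require_cn(subject_dn),
        "issuer_and_cn": require_issuer_and_cn(subject_dn, issuer_dn),
    }


if __name__ == "__main__":
    # Constructed presented subjects: an exact match, a reissued certificate
    # for the same person carrying an extra OU, and a same-CN certificate
    # from a different CA.
    cases = [
        ("/C=US/O=Example Corp/OU=People/CN=Blaine Charles J.", EXPECTED_ISSUER),
        ("/C=US/O=Example Corp/OU=People/OU=Contractors/CN=Simpson Mary B", EXPECTED_ISSUER),
        ("/C=US/O=Other Org/CN=Simpson Mary B", "/C=US/O=Other Org/CN=Other CA"),
    ]
    for subject, issuer in cases:
        print(subject, evaluate(subject, issuer))
```

The second case is the one worth keeping in mind when a previously working user starts failing: SSL_CLIENT_VERIFY still reports SUCCESS because the chain validates, but the exact-string set membership no longer holds. Whether that is what happened here cannot be told from the thread, since the logged DN strings did not survive in the archive.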

Re: Certs work, one doesn't, cannot determine why

2010-11-01 Thread Jeff Blaine

On 11/1/2010 7:14 AM, Joe Orton wrote:

On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of something that is not working is hard to
follow or condense down. Are you saying with the below configuration,
you are seeing the SSLRequire work for all the users but that with the
jblaine cert?

I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below).  Now it almost seems somewhat random
in failure.  People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it to work after all this time dead in the water.

It could be an SSLRequire implementation bug but it is hard to tell.  Is
the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure
situation change as well?  I don't know, I can try that.

 Why are you matching by the whole S_DN rather than based on
 e.g. S_DN_CN alone?

Why not?  It seems like the more fully correct way to match
for security.  It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
/ Charles J., \
/ Marc W., \
/ Mary B, \
/ Barbara A. \
}
</Location>


Re: Certs work, one doesn't, cannot determine why

2010-10-19 Thread Jeff Blaine

Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL.  I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request 
received for child 4 (server
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by 
server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 
/ Charles J. SUCCESS 3 369E 
Blaine Charles J. - GET /favicon.ico HTTP/1.1 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O 
error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The 
timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: 
Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed 
to child 4 with standard shutdown (server

NOTE: SSL negotiation finished successfully
NOTE: /apps/rtsrv1dev/share/html and all files in it are
  world-readable (644)

Browser shows Forbidden
(IE 8 and Chrome 6)

On 10/15/2010 5:49 PM, Jeff Blaine wrote:

Hi folks. I'm *really* stumped here. If anyone has any
ideas, I would love to hear them. How can I debug this
further? I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog


[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128
/ Mary B SUCCESS 3 452E Simpson
Mary B - GET /index.html HTTP/1.1 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to
/apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement
expression not fulfilled (see SSL logfile for more details)

Config Specifics:

Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /apps/rtsrv1dev/share/html>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
%h - - %t \%r\ %{HTTPS}x %{SSL_PROTOCOL}x

CustomLog logs/ssl_error443_log \
%{SSL_CLIENT_S_DN_UID}x \%r\ %b

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire /apps/rtsrv1dev/bin/
SetHandler default

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
/ Charles J., \
/ Marc W., \
/ Mary B, \
/ Barbara A. \
}
</Location>
</VirtualHost>


Certs work, one doesn't, cannot determine why

2010-10-15 Thread Jeff Blaine

Hi folks.  I'm *really* stumped here.  If anyone has any
ideas, I would love to hear them.  How can I debug this
further?  I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
   corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
   when logging SSL_CLIENT_VERIFY via CustomLog


[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 
/ Mary B SUCCESS 3 452E Simpson 
Mary B - GET /index.html HTTP/1.1 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to 
/apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement 
expression not fulfilled (see SSL logfile for more details)

Config Specifics:

Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth  2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /apps/rtsrv1dev/share/html>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
%h - - %t \%r\ %{HTTPS}x %{SSL_PROTOCOL}x

CustomLog logs/ssl_error443_log \
%{SSL_CLIENT_S_DN_UID}x \%r\ %b

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire /apps/rtsrv1dev/bin/
SetHandler default

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
 / Charles J., \
 / Marc W., \
 / Mary B, \
 / Barbara A. \
 }
</Location>
</VirtualHost>
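The pair of log lines in the original post is the key diagnostic: the CustomLog line records SSL_CLIENT_VERIFY as SUCCESS, while error_log says "SSL requirement expression not fulfilled". Those are two different steps. Chain verification happens during the TLS handshake (SSLVerifyClient, SSLCACertificateFile, SSLVerifyDepth); SSLRequire is evaluated afterwards, per request, so a 403 logged against a SUCCESS verify status means the expression rejected the client, not the certificate. The script below is an added example, not from the thread: it correlates the two logs by client address and timestamp and labels each client accordingly. The log lines are constructed after the ones in the post (RFC 5737 addresses, made-up DNs, and the DN and request quoted so the line parses); parse_access, parse_error and classify are assumed names.

```python
"""Correlate a mod_ssl CustomLog line with the matching error_log entry to
tell a certificate-verification failure apart from an SSLRequire denial.
Added example, not code from the thread; the log lines are constructed
after the ones in the post."""

import re
from datetime import datetime

# Constructed access-log lines: time, client, protocol, cipher, bits,
# quoted subject DN, SSL_CLIENT_VERIFY, quoted request, bytes.
ACCESS_LOG = """\
[15/Oct/2010:09:53:38 -0400] 192.0.2.92 on TLSv1 RC4-MD5 128 "/C=US/O=Example Corp/OU=Contractors/CN=Simpson Mary B" SUCCESS "GET /index.html HTTP/1.1" 295
[15/Oct/2010:09:55:01 -0400] 192.0.2.45 on TLSv1 AES128-SHA 128 "/C=US/O=Example Corp/OU=People/CN=Blaine Charles J." SUCCESS "GET /index.html HTTP/1.1" 4120
"""

# Constructed error_log lines in Apache 2.2's format.  With SSLVerifyClient
# require, a client whose chain fails verification is dropped during the
# handshake and never produces an access-log line, only this error.
ERROR_LOG = """\
[Fri Oct 15 09:53:38 2010] [error] [client 192.0.2.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
[Fri Oct 15 09:56:12 2010] [error] [client 192.0.2.77] Certificate Verification: Error (20): unable to get local issuer certificate
"""

ACCESS_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) on (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<bits>\d+) "(?P<dn>[^"]*)" (?P<verify>\S+) "(?P<request>[^"]*)" '
    r'(?P<bytes>\S+)$'
)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] '
    r'(?P<msg>.*)$'
)

SSLREQUIRE_DENIED = "SSL requirement expression not fulfilled"
VERIFY_ERROR = "Certificate Verification: Error"


def parse_access(text):
    """Parse CustomLog lines; timestamps are made naive (server-local) so
    they compare with error_log times, which carry no zone."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"time": t.replace(tzinfo=None), "ip": m["ip"],
                        "dn": m["dn"], "verify": m["verify"],
                        "request": m["request"]})
    return entries


def parse_error(text):
    """Parse Apache 2.2 error_log lines."""
    entries = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["time"], "%a %b %d %H:%M:%S %Y")
        entries.append({"time": t, "ip": m["ip"], "msg": m["msg"]})
    return entries


def classify(access_text, error_text, window_seconds=1):
    """Return (ip, subject_dn, verdict) per client.  A SUCCESS verify status
    paired with an SSLRequire error is an authorization failure; a
    verification error with no access line is a handshake-time chain
    failure."""
    errors = parse_error(error_text)
    findings = []
    for a in parse_access(access_text):
        nearby = [e for e in errors if e["ip"] == a["ip"]
                  and abs((e["time"] - a["time"]).total_seconds()) <= window_seconds]
        if a["verify"] == "SUCCESS" and any(SSLREQUIRE_DENIED in e["msg"] for e in nearby):
            findings.append((a["ip"], a["dn"],
                             "authorization: verified certificate rejected by SSLRequire"))
        elif a["verify"] == "SUCCESS":
            findings.append((a["ip"], a["dn"], "allowed"))
        else:
            findings.append((a["ip"], a["dn"], "verification: " + a["verify"]))
    for e in errors:
        if VERIFY_ERROR in e["msg"]:
            findings.append((e["ip"], None, "verification: " + e["msg"]))
    return findings


if __name__ == "__main__":
    for ip, dn, verdict in classify(ACCESS_LOG, ERROR_LOG):
        print(ip, dn, verdict)
```

Run against real logs, the first verdict is the one to look for: it narrows the problem to the SSLRequire expression and the exact DN string mod_ssl built from the certificate, which is where comparing the logged %{SSL_CLIENT_S_DN}x value character by character against the configured set (or switching to a component match) pays off.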