Re: Certs work, one doesn't, cannot determine why

2010-11-01 Thread Jeff Blaine

On 11/1/2010 7:14 AM, Joe Orton wrote:

On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog


Your verbose description of something that is not working is hard to
follow or condense down. Are you saying that with the below configuration,
you are seeing the SSLRequire work for all the users but the one with the
jblaine cert?


I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below).  Now it almost seems somewhat random
in failure.  People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it to work after all this time dead in the water.


It could be an SSLRequire implementation bug but it is hard to tell.  Is
the order of the users within the SSLRequire list significant?


Ah, you mean if I reorder them, does the success/failure
situation change as well?  I don't know, I can try that.

 Why are you matching by the whole S_DN rather than based on
 e.g. S_DN_CN alone?

Why not?  It seems like the more fully correct way to match
for security.  It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe
Jeff


<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
</Location>

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               modssl-users@modssl.org
Automated List Manager                  majord...@modssl.org
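Added example, not from this thread and not mod_ssl's own code: a Python script that applies the comparison that `SSLRequire %{SSL_CLIENT_S_DN} in { ... }` makes to the two CustomLog lines posted further down (15 Oct, UID=mbs; 19 Oct, UID=jblaine), and reports where a non-matching DN first differs from the configured entry for the same UID. It assumes the `in` operator is an exact, case-sensitive string comparison against each list element and that SSLRequire is evaluated as a separate authorization step after the handshake-time chain verification that produces SSL_CLIENT_VERIFY, which is why the log can say SUCCESS for a request that is then refused with "SSL requirement expression not fulfilled". The log regex is written for the thread's CustomLog format only, and the sample lines are the posted ones re-joined onto single lines.

```python
import re

# Allowlist copied from the SSLRequire block posted in the thread.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]

# The two CustomLog lines posted in the thread, re-joined onto one line each
# (the mailer had wrapped them). Field order is the thread's CustomLog format:
#   %t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x
#   %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x ...
SAMPLE_LOG = """\
[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
"""

# The DN contains spaces, so anchor on the fields around it: the key size
# before it and the SSL_CLIENT_VERIFY token after it.
LOG_RE = re.compile(
    r"\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<https>\S+) (?P<proto>\S+) "
    r"(?P<cipher>\S+) (?P<bits>\d+) (?P<dn>/.*?) "
    r"(?P<verify>NONE|SUCCESS|GENEROUS|FAILED:\S+) "
)


def parse_log_line(line):
    """Split one CustomLog line (thread format) into named fields."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not in the thread's CustomLog format: %r" % line)
    return m.groupdict()


def sslrequire_in(dn, allowed):
    """Model of `SSLRequire %{SSL_CLIENT_S_DN} in {...}`: assumed to be an
    exact, case-sensitive string comparison against each list element."""
    return any(dn == entry for entry in allowed)


def split_dn(dn):
    """'/O=x/OU=y/CN=z' -> [('O','x'), ('OU','y'), ('CN','z')] (one-line OpenSSL form)."""
    parts = []
    for rdn in dn.split("/")[1:]:
        attr, _, value = rdn.partition("=")
        parts.append((attr, value))
    return parts


def explain_mismatch(dn, allowed):
    """None when `dn` matches exactly; otherwise the first attribute at which it
    differs from the configured entry with the same UID (or, failing that, from
    each entry in turn), flagging a difference that is letter case only."""
    if sslrequire_in(dn, allowed):
        return None
    got = split_dn(dn)
    uid = dict(got).get("UID")
    candidates = [e for e in allowed if dict(split_dn(e)).get("UID") == uid] or allowed
    for entry in candidates:
        want = split_dn(entry)
        for (attr_w, val_w), (attr_g, val_g) in zip(want, got):
            if (attr_w, val_w) != (attr_g, val_g):
                return {
                    "configured": entry, "attribute": attr_w,
                    "configured_value": val_w, "presented_value": val_g,
                    "case_only": (attr_w.lower(), val_w.lower()) == (attr_g.lower(), val_g.lower()),
                }
        if len(want) != len(got):   # same prefix, different number of RDNs
            return {"configured": entry, "attribute": None, "configured_value": entry,
                    "presented_value": dn, "case_only": False}
    return {"configured": None, "attribute": None, "configured_value": None,
            "presented_value": dn, "case_only": False}


def check_log(text, allowed=ALLOWED_DNS):
    """Per line: what chain verification said vs. what SSLRequire would decide."""
    report = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_log_line(line)
            report.append({
                "client": rec["client"],
                "dn": rec["dn"],
                "chain_verify": rec["verify"],                      # SSL_CLIENT_VERIFY
                "sslrequire": sslrequire_in(rec["dn"], allowed),    # SSLRequire verdict
                "mismatch": explain_mismatch(rec["dn"], allowed),
            })
    return report


if __name__ == "__main__":
    for r in check_log(SAMPLE_LOG):
        print("%s verify=%s sslrequire=%s" % (
            r["client"], r["chain_verify"], "allow" if r["sslrequire"] else "DENY"))
        m = r["mismatch"]
        if m and m["attribute"]:
            print("   closest entry %s differs at %s: configured %r, cert has %r%s" % (
                m["configured"], m["attribute"], m["configured_value"],
                m["presented_value"], " (letter case only)" if m["case_only"] else ""))
```

Run as-is, it reports the 15 Oct line for UID=mbs as chain-verified (SUCCESS) but not matched by SSLRequire, with the closest configured entry differing only in the case of the OU value (the logged DN carries `OU=People`, the ssl.conf entry `OU=people`), while the 19 Oct line for UID=jblaine matches exactly. The thread itself does not establish that this is the cause of the failures described, but an exact-string allowlist is only as good as the byte-for-byte agreement between what the CA put in the certificate and what was typed into the config, so this is the check to run whenever the log says SUCCESS and the request is still refused.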


Re: Certs work, one doesn't, cannot determine why

2010-10-19 Thread Jeff Blaine

Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL.  I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)


NOTE: SUCCESS
NOTE: SSL negotiation finished successfully
NOTE: /apps/rtsrv1dev/share/html and all files in it are
  world-readable (644)

Browser shows Forbidden

IE 8
and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:

Hi folks. I'm *really* stumped here. If anyone has any
ideas, I would love to hear them. How can I debug this
further? I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>
ServerName rtdev1.our.org:443

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /apps/rtsrv1dev/share/html>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
"%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

CustomLog logs/ssl_error443_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire /apps/rtsrv1dev/bin/webmux.pl
SetHandler default
</Location>

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
</Location>
</VirtualHost>



Certs work, one doesn't, cannot determine why

2010-10-15 Thread Jeff Blaine

Hi folks.  I'm *really* stumped here.  If anyone has any
ideas, I would love to hear them.  How can I debug this
further?  I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
   corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
   when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)


Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>
ServerName rtdev1.our.org:443

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /apps/rtsrv1dev/share/html>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
"%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

CustomLog logs/ssl_error443_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire /apps/rtsrv1dev/bin/webmux.pl
SetHandler default
</Location>

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
</Location>
</VirtualHost>