Re: Certs work, one doesn't, cannot determine why

On 11/1/2010 7:14 AM, Joe Orton wrote:
> On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
>> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
>> Fails: 1 person's cert so far, yet is logged as SUCCESS when logging
>>        SSL_CLIENT_VERIFY via CustomLog
>
> Your verbose description of what is not working is hard to follow or
> condense down. Are you saying that with the below configuration you are
> seeing the SSLRequire work for all the users but the one with the jblaine
> cert?

I was originally seeing it work fine for everyone but 1 user (Simpson
Mary B, below). Now it almost seems somewhat random in failure. People
who used to succeed are now failing. I can get in fine (Blaine Charles
J.). Granted, I am messing with all sorts of things trying to get it to
work after all this time dead in the water.

> It could be an SSLRequire implementation bug but it is hard to tell. Is
> the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure situation
change as well? I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on e.g.
> S_DN_CN alone?

Why not? It seems like the more fully correct way to match for
security. It's documented and supposedly legit/correct. The
cert-extracted DN (reported in the log) matches the configured DN in the
ssl.conf file exactly.

I will try the httpd list.

Thanks Joe,

Jeff

>> <Location />
>>     SetHandler perl-script
>>     PerlResponseHandler RT::Mason
>>     SSLVerifyClient require
>>     SSLRequire %{SSL_CLIENT_S_DN} in { \
>>         "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>>         "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>>         "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>>         "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>>     }
>> </Location>

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
Re: Certs work, one doesn't, cannot determine why

Still trying to solve this, I stood up a separate brand-spanking-new
Apache 2.2.17 from source with builtin SSL. I am using the same Apache
SSL config as quoted below. I experience the following failure (further
context is in my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - GET /favicon.ico HTTP/1.1 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: SUCCESS
NOTE: SSL negotiation finished successfully
NOTE: /apps/rtsrv1dev/share/html and all files in it are world-readable (644)

Browser shows Forbidden
IE 8 and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:
> Hi folks. I'm *really* stumped here. If anyone has any ideas, I would
> love to hear them. How can I debug this further? I need more information
> than Apache + mod_ssl is giving me right now. All version information and
> configuration detail is after this next paragraph.
>
> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
> Fails: 1 person's cert so far, yet is logged as SUCCESS when logging
>        SSL_CLIENT_VERIFY via CustomLog
>
> Example:
>
> [15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - GET /index.html HTTP/1.1 295
> [Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
>
> Config Specifics:
>
> OS: RHELv5
> Apache: 2.2.3
> mod_ssl: 2.2.3-43.el5
>
> <VirtualHost 1xx.xx.9.85:443>
>     ServerName rtdev1.our.org:443
>     ErrorLog logs/ssl_error443_log
>     TransferLog logs/ssl_access443_log
>     LogLevel warn
>     SSLEngine on
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
>     SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
>     SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
>     SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
>     SSLVerifyClient require
>     SSLVerifyDepth 2
>     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>         SSLOptions +StdEnvVars
>     </Files>
>     <Directory /apps/rtsrv1dev/share/html>
>         SSLOptions +StdEnvVars
>     </Directory>
>     SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     CustomLog logs/ssl_access443_log \
>         "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
>     CustomLog logs/ssl_error443_log \
>         "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
>     DocumentRoot /apps/rtsrv1dev/share/html
>     AddDefaultCharset UTF-8
>     PerlRequire /apps/rtsrv1dev/bin/webmux.pl
>         SetHandler default
>     </Location>
>     <Location />
>         SetHandler perl-script
>         PerlResponseHandler RT::Mason
>         SSLVerifyClient require
>         SSLRequire %{SSL_CLIENT_S_DN} in { \
>             "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>             "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>             "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>             "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>         }
>     </Location>
> </VirtualHost>
Certs work, one doesn't, cannot determine why

Hi folks. I'm *really* stumped here. If anyone has any ideas, I would
love to hear them. How can I debug this further? I need more information
than Apache + mod_ssl is giving me right now. All version information and
configuration detail is after this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS when logging
       SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - GET /index.html HTTP/1.1 295
[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>
    ServerName rtdev1.our.org:443
    ErrorLog logs/ssl_error443_log
    TransferLog logs/ssl_access443_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
    SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
    SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
    SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory /apps/rtsrv1dev/share/html>
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_access443_log \
        "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
    CustomLog logs/ssl_error443_log \
        "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
    DocumentRoot /apps/rtsrv1dev/share/html
    AddDefaultCharset UTF-8
    PerlRequire /apps/rtsrv1dev/bin/webmux.pl
        SetHandler default
    </Location>
    <Location />
        SetHandler perl-script
        PerlResponseHandler RT::Mason
        SSLVerifyClient require
        SSLRequire %{SSL_CLIENT_S_DN} in { \
            "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
            "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
            "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
            "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
        }
    </Location>
</VirtualHost>
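Added example, not code from the thread or from mod_ssl: a small Python checker for the CustomLog format used above. It extracts SSL_CLIENT_S_DN from each log line, tests it against the SSLRequire list with the same exact, case-sensitive string comparison that mod_ssl's `in` operator performs, and separately flags DNs that would only match after case folding (the mbs log line quoted above carries OU=People while the configured entry reads OU=people). The sample input is the two access-log lines quoted in this thread.

```python
import re
from dataclasses import dataclass

# The SSLRequire set from the thread's <Location /> block, as exact strings.
ALLOWED_DNS = {
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
}

# Leading fields of the thread's CustomLog format: %t %h %{HTTPS}x %{SSL_PROTOCOL}x
# %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x ...
# The DN contains spaces, so it is matched non-greedily up to the verify token.
LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<https>\S+) (?P<proto>\S+) "
    r"(?P<cipher>\S+) (?P<bits>\d+) (?P<dn>/.*?) "
    r"(?P<verify>SUCCESS|NONE|GENEROUS|FAILED\S*) "
)

@dataclass
class Verdict:
    dn: str
    verify: str
    exact_match: bool         # what SSLRequire's `in` operator would decide
    case_only_mismatch: bool  # would match only if the comparison ignored case

def check_line(line: str, allowed=ALLOWED_DNS) -> Verdict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected CustomLog format")
    dn, verify = m.group("dn"), m.group("verify")
    exact = dn in allowed  # byte-for-byte, like mod_ssl's strcmp-based `in`
    near = not exact and dn.lower() in {a.lower() for a in allowed}
    return Verdict(dn, verify, exact, near)

def audit(lines, allowed=ALLOWED_DNS):
    """One Verdict per line; SUCCESS with exact_match False is the thread's symptom."""
    return [check_line(line, allowed) for line in lines]

# Sample input: the two access-log lines quoted in the thread (IPs obfuscated there).
SAMPLE_LINES = [
    "[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 "
    "/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E "
    "Simpson Mary B - GET /index.html HTTP/1.1 295",
    "[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 "
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E "
    "Blaine Charles J. - GET /favicon.ico HTTP/1.1 213",
]
```

Call `audit(SAMPLE_LINES)` on a log file's lines; the mbs entry comes back with verify SUCCESS, exact_match False and case_only_mismatch True, while the jblaine entry matches exactly. SSL_CLIENT_VERIFY values of the form FAILED:reason are captured only up to the first space here.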