Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Florian Hackenberger wrote:
> I have another question: Has anyone successfully established a
> connection to an apache/mod_ssl server with client authentication
> using a java client? My client (code below) generates the following
> log (exception at the end) upon execution:
Sorry, please scrap my posting. I made an embarrassing mistake: Instead of
exporting the client certificate including the public/private keypair from
the browser and importing that into the keystore, I imported the
certificate only, without the public/private keypair...
Thanks for your help once again!
Florian
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
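The root cause Florian found is a client keystore that holds only the certificate and no private key. The following is an added example, not code from the thread: it loads a PKCS#12 bundle, refuses to proceed unless at least one alias is a PrivateKeyEntry, and only then builds an SSLContext whose key manager can answer the server's CertificateRequest. The file names, passwords and the class name ClientKeyStoreCheck are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the mailing-list thread). Verifies that a client
 * keystore actually contains a private key before it is used for
 * mod_ssl client authentication. Paths and passwords are placeholders.
 */
public class ClientKeyStoreCheck {

    /** Loads a keystore of the given type ("PKCS12" or "JKS") from disk. */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * True if at least one alias is a PrivateKeyEntry (certificate plus key).
     * A keystore holding only trustedCertEntry aliases gives the key manager
     * nothing to present, so the client sends an empty Certificate message
     * and a server configured with "SSLVerifyClient require" aborts the
     * handshake with handshake_failure.
     */
    static boolean hasPrivateKey(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                return true;
            }
        }
        return false;
    }

    /** Builds an SSLContext that authenticates with the client key and trusts the given CA store. */
    static SSLContext clientContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names: a browser export of the client identity is
        // normally a PKCS#12 file containing both certificate and private key.
        char[] password = "changeit".toCharArray();
        KeyStore client = load("client.p12", "PKCS12", password);
        if (!hasPrivateKey(client)) {
            throw new IllegalStateException(
                "keystore has no private key entry; export the certificate together with its private key");
        }
        KeyStore trust = load("truststore.jks", "JKS", password);
        SSLContext ctx = clientContext(client, password, trust);
        // ctx.getSocketFactory() can now be passed to
        // HttpsURLConnection.setSSLSocketFactory(...) before opening the URL.
        System.out.println("client keystore OK, protocol " + ctx.getProtocol());
    }
}
```

Running this check before opening the connection turns the opaque "Received fatal alert: handshake_failure" into a clear local error; the same condition can be seen with `keytool -list -v` by looking for "Entry type: PrivateKeyEntry" rather than "trustedCertEntry".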
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Joe Orton wrote:
> Yup. Changing the "SSLVerifyClient require" to:
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
Thanks a lot! The workaround worked ;-). Please consider this issue
solved.
I have another question: Has anyone successfully established a
connection to an apache/mod_ssl server with client authentication using
a java client? My client (code below) generates the following log
(exception at the end) upon execution:
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
: 03 01 71 CC D3 DC AF 35 A3 A2 70 1C E5 9A 06 00 ..q5..p.
0010: 1F 8B 18 05 6E 55 69 4E 44 18 D2 E5 0A 57 FB D4 nUiNDW..
0020: 71 62 17 14 57 2A FE 8F 4D 5A CF 7A 82 09 31 8C qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
: 48 64 A7 92 45 15 E8 74 E3 75 A7 BD F7 E3 B8 82 Hd..E..t.u..
0010: 94 D4 1E 75 ED 3D D3 41 0E 5F BA 12 ED 47 E6 B1 ...u.=.A._...G..
Server Nonce:
: 48 64 A7 92 B5 6D 56 62 6D E3 7B 67 C7 08 78 13 Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5 75 25 A1 65 F8 DD 85 86 EGZ..b..u%.e
Master Secret:
: 0C 65 EA 1D A6 E6 FC 3C AD AA 34 04 C6 82 81 50 .e.<..4P
0010: 07 78 38 FC B6 04 77 3E 7E 90 BC 24 A9 D3 B1 86 .x8...w>...$
0020: F9 99 26 1A FD 08 9A C3 E0 32 43 D0 A1 59 21 5C ..&..2C..Y!\
Client MAC write Secret:
: D0 7D F1 90 58 AF 0B 43 F7 02 39 0C 0C B2 87 C3 X..C..9.
Server MAC write Secret:
: 5C AD 45 74 3D 58 96 FB 41 37 72 99 12 D5 BD 3A \.Et=X..A7r:
Client write key:
: 38 AE 1A 7E 63 26 C7 7F 9D E2 74 9E D2 12 55 C9 8...c&t...U.
Server write key:
: 7E 57 BF 54 A7 74 D8 72 72 AC 18 B8 5F 2D F6 06 .W.T.t.rr..._-..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data: { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
    at java.net.URL.openStream(URL.java:1009)
    at URLClient.main(URLClient.java:17)
The server logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?
Does someone have experience with java client verification, or can someone
formulate an educated guess wha
Re: SSLVerifyClient applies to parent directory
On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?
Yup. Changing the "SSLVerifyClient require" to:
SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
might work around it; you'll still get a client cert request for the
subrequest, but it should end in a 403 rather than terminating the SSL
connection. (That will cause the protected directory to disappear from
the directory listing, unless you use "IndexOptions ShowForbidden")
Test this carefully though!
joe
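The two configurations Joe contrasts, written out as an added example rather than the thread's own httpd.conf. The `<Directory>` container and its path are an assumption taken from the layout Florian described (/usr/local/htdocs/directory); the thread's original messages lost their container tags in the archive.

```apache
# Added example, not the configuration posted in the thread.
# Assumed layout: /usr/local/htdocs/directory is the directory that must
# only be reachable with a verified client certificate.
Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"

    # Problematic form: a per-directory "require" forces an SSL
    # renegotiation on every request into the directory, including the
    # autoindex subrequest made while listing the parent. If that
    # renegotiation is not accepted, the whole SSL connection is dropped.
    #<Directory "/usr/local/htdocs/directory">
    #    SSLVerifyClient require
    #    SSLVerifyDepth 1
    #</Directory>

    # Workaround from Joe Orton's reply: request the certificate
    # optionally and enforce it with SSLRequire. An unauthenticated
    # request now ends in a 403 instead of a terminated connection.
    <Directory "/usr/local/htdocs/directory">
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>

    # The forbidden entry vanishes from the parent's listing unless
    # ShowForbidden is set (also from Joe's reply).
    <Directory "/usr/local/htdocs">
        Options +Indexes
        IndexOptions ShowForbidden
    </Directory>
</VirtualHost>
```

After changing this, verify both paths: a request without a certificate to /directory/ must return 403 (not a connection reset), and a request with a valid certificate must still succeed, so that the weaker "optional" verification is genuinely backed by the SSLRequire check.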
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Cuesta Gilles wrote:
> For your issue, two questions:
> - is a VerifyDepth 1 enough for verification chaining ?
It is, however that is not relevant for the problem, because apache should
not request a client certificate in the first place.
> - No default VerifyClient by default for VirtualHost
> Try adding:
I tried your suggestion, but it does not help unfortunately.
Cheers,
Florian
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Friday 27 June 2008, Cuesta Gilles wrote:
> > It's more an apache specific question; try setting
> > Options +Indexes
> > in your vhost, allowing directory listing.
> Thanks, but that is certainly not the problem, as apache creates a
> listing as soon as I remove 'SSLVerifyClient require'.
> Cheers,
> Florian
That seems to point that it's already activated.
For your issue, two questions:
- is a VerifyDepth 1 enough for verification chaining ?
- No default VerifyClient by default for VirtualHost
Try adding:
SSLVerifyClient none
or
SSLVerifyClient none
Listen 443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"
SSLVerifyClient none
SSLVerifyClient require
SSLVerifyDepth 1
--
Chuck Norris understands Lassie and Flipper the dolphin. He is in fact the one who translated every single episode!
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Cuesta Gilles wrote:
> It's more an apache specific question; try setting
> Options +Indexes
> in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a listing
as soon as I remove 'SSLVerifyClient require'.
Cheers,
Florian
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > > It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would that
> be a result of apache trying to access the protected directory in order
> to read attributes for the listing, causing the certificate verification
> to kick in?
It's more an apache specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.
--
Many men have searched the world over for Pandora's box; meanwhile, Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but getting the directory listing fails. Would that be
a result of apache trying to access the protected directory in order to
read attributes for the listing, causing the certificate verification to
kick in?
Cheers,
Florian
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Thursday 26 June 2008, Cuesta Gilles wrote:
> > Maybe try this:
> > Listen 443
> > SSLEngine On
> > SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> > DocumentRoot "/usr/local/htdocs"
> > SSLVerifyClient require
> > SSLVerifyDepth 1
> Unfortunately it leads to the same result, but thanks for the suggestion.
Regarding mod_ssl:
"In per-server context it applies to the client authentication process used
in the standard SSL handshake when a connection is established."
"In per-directory context it forces a SSL renegotiation with the
reconfigured client verification level after the HTTP request was read but
before the HTTP response is sent."
So maybe:
Listen 443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"
SSLVerifyClient require
SSLVerifyDepth 1
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Yes
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> The problem is that apache denies access to:
> https://MYSERVER/directory
It denies access for what type of request, a directory listing?
joe
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Cuesta Gilles wrote:
> Maybe try this:
>
> Listen 443
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
Unfortunately it leads to the same result, but thanks for the suggestion.
Cheers,
Florian
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> Hi!
> First of all: Thanks for your great software, I've used it on several
> servers and it proved to be very useful.
> I have a little problem with the SSLVerifyClient directive on apache
> 2.2.9 with mod_ssl compiled from source on debian etch. I have the
> following directory layout:
> /usr/local/htdocs/directory/subdirectory
> and the following configuration options (besides the defaults) in
> httpd.conf:
> Listen 443
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
> SSLVerifyClient require
> SSLVerifyDepth 1
Maybe try this:
Listen 443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"
SSLVerifyClient require
SSLVerifyDepth 1
--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres 69139920
