http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15370

SSLProxyCACertificateFile directive doesn't get picked up when passing client certificates onto a server requesting a client cert.

    Product:    Apache httpd-2.0
    Version:    2.0.43
    Platform:   PC
    OS/Version: Linux
    Status:     NEW
    Severity:   Major
    Priority:   Other
    Component:  mod_proxy
    AssignedTo: [email protected]
    ReportedBy: [EMAIL PROTECTED]

(I think this is a bug, but no-one seems to be able to confirm this)

I'll try and be as succinct as possible.

I have configured two apache 2.0.43 servers, one acting as an ssl enabled server which requests a client cert via http://server:81, the other is acting as a client proxy which users connect to via their browser, via https://proxy:7800/server

The proxy is configured to Proxy the client request using the client cert (in pem format) to the server (via the ProxyPass mechanism).

I have confirmed my configs as I can s_client connect to both proxy and server to docroot. I can also connect to the endpoint server by installing my client cert in p12 format from my browser and it works ok. (and via commandline on the proxy using curl)

I have noticed the following errors.

a. the proxy cannot complete the ssl handshake to the server as it cannot find the end point server's client cert.

from default_error_logs
------------------------

    [Fri Dec 13 14:43:30 2002] [warn] Proxy client certificate callback: (217.199.xx.xx:443) downstream server wanted client certificate but none are configured
    [Fri Dec 13 14:43:30 2002] [error] SSL Proxy connect failed
    [Fri Dec 13 14:43:30 2002] [error] SSL Library Error: 336151568 error:14094410:lib(20):func(148):reason(1040)
    [Fri Dec 13 14:43:30 2002] [error] (20014)Error string not specified yet: proxy: request failed to 62.49.xx.xx:81 (server.somewhere.com)

I have also run httpd on the proxy via strace and get the following errors at the same time (pay particular attention to the client.pem open system call, as this is where the client pem cert is located as apache starts up).

    30218 14:19:30 semget(IPC_PRIVATE, 1, IPC_CREAT|0x180|0600) = 2981895
    30218 14:19:30 semctl(2981895, 0, 0x110 /* SEM_??? */, 0xbffff418) = 0
    30218 14:19:30 geteuid32() = 0
    30218 14:19:30 semctl(2981895, 0, 0x101 /* SEM_??? */, 0xbffff428) = 0
    30218 14:19:30 gettimeofday({1039789170, 486809}, NULL) = 0
    30218 14:19:30 write(9, "[Fri Dec 13 14:19:30 2002] [warn"..., 121) = 121
    30218 14:19:30 open("/usr/local/apache2/conf/client.pem", O_RDONLY) = 10
    30218 14:19:30 fstat64(10, {st_mode=S_IFREG|0644, st_size=3489, ...}) = 0
    30218 14:19:30 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002c000
    30218 14:19:30 read(10, "Certificate:\n Data:\n V"..., 4096) = 3489
    30218 14:19:30 read(10, "", 4096) = 0
    30218 14:19:30 close(10) = 0
    30218 14:19:30 munmap(0x4002c000, 4096) = 0
    30218 14:19:30 open("/usr/local/apache2/conf/client.pem", O_RDONLY) = 10
    30218 14:19:30 fstat64(10, {st_mode=S_IFREG|0644, st_size=3489, ...}) = 0
    30218 14:19:30 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4002c000
    30218 14:19:30 read(10, "Certificate:\n Data:\n V"..., 4096) = 3489
    30218 14:19:30 read(10, "", 4096) = 0
    30218 14:19:30 close(10) = 0

I have tried using the other SSLProxyCARevocationFile directive, and I get the same results.

When I connect to the proxy via the browser I get this error.

<from html browser error page>

    Server error!

    The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

    If you think this is a server error, please contact the webmaster.

    Error 20014

    proxy.somwhere.com
    Fri Dec 13 17:18:12 2002
    Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL

extract from httpd.conf for proxy pass

    ProxyPass /server https://server.somewhere.com:81
    ProxyPassReverse /server https://server.somewhere.com:81

This has been bugging me for nearly a week and I'm sure it's a bug, if it's not, please correct my errors...

Regards
Dan Cave
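
The "SSL Library Error" line in the log above carries more detail than it appears to. The following is an added example, not part of the original report and not Apache or mod_ssl code: it unpacks the numeric code from such a line and names the TLS alert behind it. It assumes the pre-3.0 OpenSSL error packing (8-bit library, 12-bit function, 12-bit reason) and uses a hand-picked subset of alert names; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample: two lines copied from the error log quoted in the report.
SAMPLE_LOG = """\
[Fri Dec 13 14:43:30 2002] [error] SSL Proxy connect failed
[Fri Dec 13 14:43:30 2002] [error] SSL Library Error: 336151568 error:14094410:lib(20):func(148):reason(1040)
"""

# Assumption: pre-3.0 OpenSSL packing, lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL-library reasons above this are alerts sent by the peer

# Subset of TLS alert descriptions (RFC 2246 / RFC 5246).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied",
}

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")

def unpack(code):
    """Split a packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_line(line):
    """Decode one mod_ssl log line; return None if it holds no library error."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    if code != int(m.group(2), 16):
        # The decimal and hex forms must describe the same code.
        raise ValueError("decimal and hex error codes disagree: %r" % line)
    lib, func, reason = unpack(code)
    result = {"lib": lib, "func": func, "reason": reason, "peer_alert": None}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["peer_alert"] = TLS_ALERTS.get(alert, "alert %d" % alert)
    return result

def decode_log(text):
    """Decode every SSL Library Error line found in a block of log text."""
    return [d for d in map(decode_line, text.splitlines()) if d]

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

For the logged code 336151568 this yields the peer alert handshake_failure, which means the failure was signalled by the downstream server during the handshake rather than raised locally by the proxy.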
