https://issues.apache.org/bugzilla/show_bug.cgi?id=47134
J-H Johansen <[email protected]> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
Attachment #26959 is obsolete|0       |1

--- Comment #4 from J-H Johansen <[email protected]> 2011-05-10 10:19:29 UTC ---

Created attachment 26981
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=26981
Apache 2.2.17 w/mod_ssl patch

Here's the unified diff file for patching ssl_engine_kernel.c (as posted by Martijn Schoemaker).

This resolved a problem related to the use of SSLProxy with a client certificate. The configuration used mod_proxy as a reverse proxy to an HTTPS server with a certificate signed by a CA. The client certificate (SSLProxyMachineCertificateFile) was signed by the aforementioned CA and the config was pointing to this CA (SSLProxyCACertificateFile). A standard Apache 2.2.17 installation did not find the client certificate and therefore failed.

Here's an excerpt from the debug log while it was failing:

[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server hello A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 1, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected], issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected]
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 0, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected]
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server key exchange A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate request A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server done A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (www.example.com:443) entered
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (www.example.com:443) no client certificate found!?
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write client certificate A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write client key exchange A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write change cipher spec A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 write finished A
[Wed May 04 15:21:47 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 flush data

After patching, the client certificate was sent correctly:

[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server hello A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 1, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected], issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected]
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1321): [client 127.0.0.10] Certificate Verification: depth: 0, subject: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=client.example.com, issuer: /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example CA/[email protected]
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server certificate A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server key exchange A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server certificate request A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 read server done A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (www.example.com:443) entered
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (www.example.com:443) no client certificate found!?
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1633): Proxy client certificate callback: (www.example.com:443) No acceptable cert found, sending first in list., sending /C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example Client Cert/[email protected]
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write client certificate A
[Wed May 04 16:49:06 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write client key exchange A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write certificate verify A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write change cipher spec A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 write finished A
[Wed May 04 16:49:07 2011] [debug] ssl_engine_kernel.c(1879): OpenSSL: Loop: SSLv3 flush data
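The two traces in the comment above differ in one decisive line: the unpatched proxy still logs "write client certificate A" (an empty Certificate message) but never "write certificate verify A", which is the only message that proves the proxy held the private key for a certificate the backend accepted. The following script is an added example for triaging such a log; it is not part of the bug report or of Apache's code. It assumes a serialized single-thread mod_ssl 2.2 debug log (one handshake at a time) and uses constructed sample lines abridged from the shape of the traces above, with a single source line number per sample rather than the original per-message numbers.

```python
"""Classify mod_ssl proxy handshakes from a debug log: did the proxy actually
authenticate to the backend with a client certificate?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the mod_ssl 2.2 debug messages seen in the traces above.
RE_SERVER_HELLO = re.compile(r"OpenSSL: Loop: SSLv3 read server hello")
RE_CERT_REQUEST = re.compile(r"read server certificate request")
RE_CALLBACK = re.compile(r"Proxy client certificate callback: \(([^)]+)\) (.*)$")
RE_SENDING = re.compile(r"sending (/.+)$")          # subject DN the callback chose
RE_CERT_VERIFY = re.compile(r"write certificate verify")


@dataclass
class ProxyHandshake:
    target: Optional[str] = None         # "host:port" from the proxy callback
    cert_requested: bool = False         # backend sent a CertificateRequest
    issuer_matched: bool = True          # False once "no client certificate found" is logged
    cert_sent: Optional[str] = None      # DN the callback decided to send, if any
    cert_verify_written: bool = False    # CertificateVerify written: key possession proven

    def verdict(self) -> str:
        if not self.cert_requested:
            return "no client authentication requested"
        if self.cert_verify_written:
            how = "issuer-matched" if self.issuer_matched else "fallback, first in list"
            return "client certificate sent (%s): %s" % (how, self.cert_sent or "unknown")
        # "write client certificate A" still appears in this case: it is an
        # empty Certificate message, so only CertificateVerify is a reliable signal.
        return "backend requested a client certificate but the proxy sent none"


def parse_handshakes(log_text: str) -> List[ProxyHandshake]:
    """Split a serialized (single-thread) debug log at each ServerHello and
    collect the client-auth evidence for every proxy handshake."""
    handshakes: List[ProxyHandshake] = []
    current: Optional[ProxyHandshake] = None
    for line in log_text.splitlines():
        if RE_SERVER_HELLO.search(line):
            current = ProxyHandshake()
            handshakes.append(current)
            continue
        if current is None:
            continue
        if RE_CERT_REQUEST.search(line):
            current.cert_requested = True
        m = RE_CALLBACK.search(line)
        if m:
            current.target, msg = m.group(1), m.group(2)
            if "no client certificate found" in msg:
                current.issuer_matched = False
            s = RE_SENDING.search(msg)
            if s:
                current.cert_sent = s.group(1)
        if RE_CERT_VERIFY.search(line):
            current.cert_verify_written = True
    return handshakes


def _lines(stamp: str, src: int, msgs: List[str]) -> str:
    """Build constructed log lines in the mod_ssl debug format (sample data only)."""
    return "\n".join("[%s] [debug] ssl_engine_kernel.c(%d): %s" % (stamp, src, m) for m in msgs)


CB = "Proxy client certificate callback: (www.example.com:443) "
CLIENT_DN = "/C=NO/ST=Oslo/L=Oslo/O=Dream County/OU=Test/CN=Example Client Cert/[email protected]"

# Constructed sample abridged from the unpatched trace: empty Certificate, no CertificateVerify.
FAILING_LOG = _lines("Wed May 04 15:21:47 2011", 1874, [
    "OpenSSL: Loop: SSLv3 read server hello A",
    "OpenSSL: Loop: SSLv3 read server certificate request A",
    CB + "entered",
    CB + "no client certificate found!?",
    "OpenSSL: Loop: SSLv3 write client certificate A",
    "OpenSSL: Loop: SSLv3 write client key exchange A",
    "OpenSSL: Loop: SSLv3 write finished A",
])

# Constructed sample abridged from the patched trace: fallback cert plus CertificateVerify.
PATCHED_LOG = _lines("Wed May 04 16:49:06 2011", 1879, [
    "OpenSSL: Loop: SSLv3 read server hello A",
    "OpenSSL: Loop: SSLv3 read server certificate request A",
    CB + "entered",
    CB + "no client certificate found!?",
    CB + "No acceptable cert found, sending first in list., sending " + CLIENT_DN,
    "OpenSSL: Loop: SSLv3 write client certificate A",
    "OpenSSL: Loop: SSLv3 write client key exchange A",
    "OpenSSL: Loop: SSLv3 write certificate verify A",
    "OpenSSL: Loop: SSLv3 write finished A",
])

if __name__ == "__main__":
    for name, log in (("unpatched", FAILING_LOG), ("patched", PATCHED_LOG)):
        for h in parse_handshakes(log):
            print("%s %s: %s" % (name, h.target, h.verdict()))
```

Run it against a real log with LogLevel debug on the proxy and feed the file contents to parse_handshakes(); a verdict of "sent none" for a backend that requested a certificate is the symptom this bug describes, while a "fallback, first in list" verdict tells you the patched callback could not match the certificate's issuer against the CA names the backend advertised and sent the first configured certificate regardless, which is worth checking when SSLProxyMachineCertificateFile holds more than one certificate.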
