https://bz.apache.org/bugzilla/show_bug.cgi?id=65415
Bug ID: 65415
Summary: ERR_BAD_SSL_CLIENT_AUTH_CERT by client certificate
Product: Apache httpd-2
Version: 2.4.41
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
CA certficate - OK
Server certificate: OK
Client certificate: OK
server and client signed by the same CA private key.
Environment.
OpenSSL 1.1.1f 31 Mar 2020
Ubuntu 20.04
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2021-06-17T18:27:53
My problem:
connecting to a secure server requiring client certificate, i get the following
error when presenting my certificate:
ERR_BAD_SSL_CLIENT_AUTH_CERT
It started to fail after the previous one voided and i issued a new one.
CA, the same, server cert, renewed after previous voided.
server conf:
My server conf:
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /home/www/
# Available loglevels: trace8, ..., trace1, debug, info,
notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog /var/log/apache2/ssl_engine.log
LogLevel debug
#ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For
example the
# following line enables the CGI configuration for this host
only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1.3
#SSLProtocol all
#SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP
!DSS"
# A self-signed (snakeoil) certificate can be created by
installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file,
only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/private/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile
/etc/ssl/certs/PSign_TrustCenter_Root_CA-I.pem
SSLCACertificateFile /etc/ssl/private/fullchain.crt
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the
server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the
provided
# Makefile to update the hash symlinks after
changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing
all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the
provided
# Makefile to update the hash symlinks after
changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation.
This means that
# the standard Auth/DBMAuth methods can be used for
access control. The
# user name is the `one line' version of the client's
X.509 certificate.
# Note that no password is obtained from the user. Every
entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables:
SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded
certificates of the
# server (always existing) and the client (only existing
when client
# authentication is used). This can be used to import
the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*'
environment variables.
# Per default this exportation is switched off for
performance reasons,
# because the extraction step is an expensive operation
and is usually
# useless for serving static content. So one usually
enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation
handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant
shutdown
# approach is that mod_ssl sends the close notify alert but
doesn't wait for
# the close notify alert from client. When you need a
different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is
closed, i.e. no
# SSL close notify alert is send or allowed to received.
This violates
# the SSL/TLS standard but is needed for some brain-dead
browsers. Use
# this when you receive I/O errors because of the
standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection
is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for
the close notify
# alert of the client. This is 100% SSL/TLS standard
compliant, but in
# practice often causes hanging connections with
brain-dead browsers. Use
# this only for browsers where you know that their SSL
implementation
# works correctly.
# Notice: Most problems of broken clients are also related to
the HTTP
# keep-alive facility, so you usually additionally want to
disable
# keep-alive for those clients, too. Use variable
"nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to
workaround
# their broken HTTP/1.1 implementation. Use variables
"downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# private
Alias /ssl/ /home/www/html-ssl-certs/
<location /ssl/>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StdEnvVars +ExportCertData
AuthType Basic
AuthName "Protected User access required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
DirectoryIndex phpinfo.php
DirectoryIndexRedirect permanent
Order deny,allow
Allow from all
</location>
</VirtualHost>
LOG:
[Tue Jun 29 19:15:43.024571 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0xae -> subcache 14)
[Tue Jun 29 19:15:43.024597 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.024605 2021] [socache_shmcb:debug] [pid 241359]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:43.024632 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.024700 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.024711 2021] [core:debug] [pid 241359] protocol.c(2313):
[client 127.0.0.1:57022] AH03155: select protocol from , choices=h2,http/1.1
for server hp15pw
[Tue Jun 29 19:15:43.026143 2021] [ssl:info] [pid 241355] [client
127.0.0.1:57024] AH01964: Connection to child 0 established (server hp15pw:443)
[Tue Jun 29 19:15:43.026407 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x07 -> subcache 7)
[Tue Jun 29 19:15:43.026424 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:43.026429 2021] [socache_shmcb:debug] [pid 241355]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:43.026449 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.026489 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57024] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.026497 2021] [core:debug] [pid 241355] protocol.c(2313):
[client 127.0.0.1:57024] AH03155: select protocol from , choices=h2,http/1.1
for server hp15pw
[Tue Jun 29 19:15:43.321198 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323322 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(415): [client 127.0.0.1:57022] AH02034: Initial (No.1)
HTTPS request received for child 4 (server hp15pw:443)
[Tue Jun 29 19:15:43.323413 2021] [ssl:debug] [pid 241355]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57024] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.323733 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(782): [client 127.0.0.1:57022] AH02255: Changed client
verification type will force renegotiation
[Tue Jun 29 19:15:43.323837 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:43.323893 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(984): [client 127.0.0.1:57022] AH02260: Performing full
renegotiation: complete handshake protocol (client does support secure
renegotiation)
[Tue Jun 29 19:15:43.324148 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57022] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:43.324265 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:43.324869 2021] [ssl:debug] [pid 241359]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57022] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:43.331104 2021] [ssl:error] [pid 241359] [client
127.0.0.1:57022] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:43.331256 2021] [ssl:debug] [pid 241359]
ssl_engine_io.c(1368): (70014)End of file found: [client 127.0.0.1:57022]
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in
browser?!]
[Tue Jun 29 19:15:43.331328 2021] [ssl:info] [pid 241359] [client
127.0.0.1:57022] AH01998: Connection closed to child 4 with abortive shutdown
(server hp15pw:443)
[Tue Jun 29 19:15:45.526753 2021] [ssl:info] [pid 241355] (70014)End of file
found: [client 127.0.0.1:57024] AH01991: SSL input filter read failed.
[Tue Jun 29 19:15:45.527179 2021] [ssl:debug] [pid 241355]
ssl_engine_io.c(1102): [client 127.0.0.1:57024] AH02001: Connection closed to
child 0 with standard shutdown (server hp15pw:443)
[Tue Jun 29 19:15:45.537952 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH01964: Connection to child 2 established (server hp15pw:443)
[Tue Jun 29 19:15:45.538859 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(530): AH00835: socache_shmcb_retrieve (0x68 -> subcache 8)
[Tue Jun 29 19:15:45.538910 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(916): AH00851: shmcb_subcache_retrieve found no match
[Tue Jun 29 19:15:45.538929 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(541): AH00836: leaving socache_shmcb_retrieve successfully
[Tue Jun 29 19:15:45.538994 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.539162 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.539188 2021] [core:debug] [pid 241357] protocol.c(2313):
[client 127.0.0.1:57026] AH03155: select protocol from , choices=h2,http/1.1
for server hp15pw
[Tue Jun 29 19:15:45.574552 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.589868 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(415): [client 127.0.0.1:57026] AH02034: Initial (No.1)
HTTPS request received for child 2 (server hp15pw:443)
[Tue Jun 29 19:15:45.590043 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(782): [client 127.0.0.1:57026] AH02255: Changed client
verification type will force renegotiation
[Tue Jun 29 19:15:45.590051 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH02221: Requesting connection re-negotiation
[Tue Jun 29 19:15:45.590124 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(984): [client 127.0.0.1:57026] AH02260: Performing full
renegotiation: complete handshake protocol (client does support secure
renegotiation)
[Tue Jun 29 19:15:45.590251 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2254): [client 127.0.0.1:57026] AH02041: Protocol: TLSv1.2,
Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Jun 29 19:15:45.590261 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH02226: Awaiting re-negotiation handshake
[Tue Jun 29 19:15:45.590535 2021] [ssl:debug] [pid 241357]
ssl_engine_kernel.c(2387): [client 127.0.0.1:57026] AH02044: No matching SSL
virtual host for servername localhost found (using default/first virtual host)
[Tue Jun 29 19:15:45.592237 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(555): AH00837: socache_shmcb_remove (0x4c -> subcache 12)
[Tue Jun 29 19:15:45.592290 2021] [socache_shmcb:debug] [pid 241357]
mod_socache_shmcb.c(570): AH00839: leaving socache_shmcb_remove successfully
[Tue Jun 29 19:15:45.592363 2021] [ssl:error] [pid 241357] [client
127.0.0.1:57026] AH02261: Re-negotiation handshake failed
[Tue Jun 29 19:15:45.592456 2021] [ssl:error] [pid 241357] SSL Library Error:
error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return
a certificate -- No CAs known to server for verification?
[Tue Jun 29 19:15:45.592643 2021] [ssl:debug] [pid 241357]
ssl_engine_io.c(1368): [client 127.0.0.1:57026] AH02007: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jun 29 19:15:45.592662 2021] [ssl:info] [pid 241357] [client
127.0.0.1:57026] AH01998: Connection closed to child 2 with abortive shutdown
(server hp15pw:443)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
