https://issues.apache.org/bugzilla/show_bug.cgi?id=46179
Summary: apr ssl client authentication
Product: Tomcat Native
Version: 1.1.14
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Library
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Created an attachment (id=22852)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22852)
config file and keys/certificates
I am trying to use SSL client authentication together with APR. I have followed
the instructions contained in the APR manual, but with no success.
When I try to access the server with the browser (I get the prompt for the user cert and
submit it), I get the error:
An error occurred during a connection to rzuem5008u.jap2.ch:8443.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
When I try to access the server with:
openssl s_client -msg -CAfile /home/rejap/certs/REtest-RootCA.pem -cert /home/rejap/certs/0D.pem -state -connect rzuem5008u.jap2.ch:8443
it produces the following error:
--- snip, snip ---
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
10 00 00 82 00 80 7b a6 c2 cf 5e a1 44 60 1c 5d
...
71 06 75 4b 06 c4
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
0f 00 01 02 01 00 4a f4 64 74 56 b4 d0 51 b1 27
...
2b 90 55 46 fd c4
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 70 b5 b4 08 35 3a ae 15 d3 28 2c e4
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.0 Alert [length 0002], fatal decrypt_error
02 33
SSL3 alert read:fatal:decrypt error
SSL_connect:failed in SSLv3 read finished A
18383:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1053:SSL alert number 51
18383:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
The server.xml is all default except:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           sslProtocol="TLSv1"
           SSLCertificateFile="/home/rejap/app/certs/rzuem5008u.crt"
           SSLCertificateKeyFile="/home/rejap/app/certs/rzuem5008u.key"
           SSLCertificateChainFile="/home/rejap/app/certs/cacert.pem"
           SSLVerifyClient="require"
           SSLVerifyDepth="10"
           SSLCACertificateFile="/home/rejap/app/certs/all-cacerts.pem"
           />
Content of the certificate files:
rzuem5008u.crt - server certificate, signed by CA1
rzuem5008u.key - server private key
cacert.pem - CA1 certificate, signed by ROOT
all-cacerts.pem - CA1 certificate (signed by ROOT) followed by ROOT (self-signed)
The client sends the user certificate (0D.pem), signed by CA1.
The client has the ROOT certificate added to its trust store.
If I turn off the client verification (take out the last 3 directives from the config), the
server auth works OK.
I have verified the certs (chains) with the Apache server. I did a parallel setup
with the same certs/keys and it appears to work.
I have verified the certs with Tomcat without native. Everything is tip
top.
I tried to switch to SSLv3. I got a similar, but not exactly the same, error.
Versions:
tomcat 6.0.18
apr 1.2.11-1 (ubuntu)
openssl 0.9.8g-4ubuntu3.3
java version "1.6.0_07"
Pawel
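The trace above ends with the server sending alert 51 (decrypt_error) right after the client flushed its Certificate / ClientKeyExchange / CertificateVerify / Finished flight, and the raw record bytes `02 33` are the only authoritative part of that line (level 2 = fatal, description 0x33 = 51). The following is an added triage helper, not code from the bug report or from Tomcat Native: it parses the header and hex lines that `openssl s_client -msg` prints, decodes the first alert the server sent from its two body bytes, records which client handshake messages were in flight when it arrived, and maps the combination to the checks worth doing next using RFC 2246's AlertDescription semantics. The alert table, the `Triage`/`Record` names and the `explain` heuristics are this example's own; the sample trace is constructed from the report's lines, with a ServerHelloDone record added so the client's flight has a clear start and the certificate bodies elided with `...` exactly as OpenSSL's `-msg` output was trimmed above.

```python
"""Triage an `openssl s_client -msg` trace: decode the first alert the server
sent and list the client handshake flight that provoked it.

Added example (not from the bug report or Tomcat Native). Input is the text
that `openssl s_client -msg -state ...` writes; state lines and '...' elisions
are ignored, so a trimmed trace like the one in the report still parses.
"""
import re
from dataclasses import dataclass

# AlertDescription values from RFC 2246 section 7.2 (the ones TLS 1.0 stacks use).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# e.g. "<<< TLS 1.0 Alert [length 0002], fatal decrypt_error"
#      ">>> TLS 1.0 ChangeCipherSpec [length 0001]"   (no trailing name)
HEADER_RE = re.compile(
    r"^(?P<dir>>>>|<<<) (?:TLS|SSL) \d\.\d (?P<ctype>\w+) \[length [0-9a-f]{4}\]"
    r"(?:, (?P<name>[\w ]+))?$")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2} ?)+$")


@dataclass
class Record:
    direction: str   # ">>>" sent by the client, "<<<" sent by the server
    ctype: str       # Handshake, Alert, ChangeCipherSpec, ...
    name: str        # message name as printed by -msg, or "" if none
    body: bytes = b""


@dataclass
class Triage:
    level: str
    description: str
    code: int
    client_flight: list  # handshake messages the client sent since the server last spoke


def parse_trace(text: str) -> list:
    """Turn -msg output into Record objects; hex lines are appended to the last record."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(m["dir"], m["ctype"], m["name"] or ""))
        elif records and HEX_RE.match(line):
            records[-1].body += bytes.fromhex(line.replace(" ", ""))
    return records


def triage(text: str):
    """Return a Triage for the first alert the server sent, or None if there is none."""
    flight = []
    for rec in parse_trace(text):
        if rec.direction == ">>>":
            if rec.ctype == "Handshake":
                flight.append(rec.name)
            continue
        if rec.ctype == "Alert":
            if len(rec.body) != 2:
                raise ValueError("alert body must be exactly two bytes (level, description)")
            level, code = rec.body[0], rec.body[1]
            return Triage(ALERT_LEVELS.get(level, f"level_{level}"),
                          ALERT_DESCRIPTIONS.get(code, f"alert_{code}"), code, flight)
        flight = []  # any other server record ends the client's current flight
    return None


def explain(t: Triage) -> str:
    """Map the alert plus the provoking flight to the checks worth doing next (heuristic)."""
    if t.description == "decrypt_error":
        # RFC 2246: a signature, key-exchange decryption or Finished check failed.
        suspects = []
        if "CertificateVerify" in t.client_flight:
            suspects.append("CertificateVerify signature (client private key vs. presented cert)")
        if "ClientKeyExchange" in t.client_flight:
            suspects.append("ClientKeyExchange decryption (server private key vs. server cert)")
        if "Finished" in t.client_flight:
            suspects.append("Finished verify_data (handshake transcript mismatch)")
        return "server rejected a cryptographic check in: " + "; ".join(suspects)
    if t.description in ("unknown_ca", "bad_certificate", "certificate_unknown"):
        return "server did not accept the client certificate chain; check SSLCACertificateFile"
    return f"{t.level} {t.description} after client flight {t.client_flight}"


# Constructed sample: the report's trace, trimmed, plus a ServerHelloDone line.
SAMPLE_TRACE = """\
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
0e 00 00 00
>>> TLS 1.0 Handshake [length 03a1], Certificate
...
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.0 Handshake [length 0086], ClientKeyExchange
10 00 00 82 00 80 7b a6 c2 cf 5e a1 44 60 1c 5d
...
71 06 75 4b 06 c4
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.0 Handshake [length 0106], CertificateVerify
0f 00 01 02 01 00 4a f4 64 74 56 b4 d0 51 b1 27
...
>>> TLS 1.0 ChangeCipherSpec [length 0001]
01
>>> TLS 1.0 Handshake [length 0010], Finished
14 00 00 0c 70 b5 b4 08 35 3a ae 15 d3 28 2c e4
SSL_connect:SSLv3 flush data
<<< TLS 1.0 Alert [length 0002], fatal decrypt_error
02 33
SSL3 alert read:fatal:decrypt error
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    result = triage(text)
    print("no server alert in trace" if result is None else explain(result))
```

Pipe a real capture in with `openssl s_client -msg -state ... 2>&1 | python triage.py`. The flight is reported as a set of suspects rather than a single culprit on purpose: the client writes CertificateVerify, ChangeCipherSpec and Finished in one flush, so from the client side alone a decrypt_error cannot be pinned to one of those messages; the next step is to repeat the connection against `openssl s_server -Verify` with the same files to see whether the behaviour follows the certificates or the connector.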