Hi,

I am still struggling with my trials for reverse proxy and hoping to get help.... Meanwhile I have the manual SSL and TLS (Eric Rescorla) on hand, but still I am not getting much further.

I am doing my tests now between 2 Linux systems. They are called proxy.ecb (for the gateway or proxy server) and app.ecb (for the application server on the intranet). I have taken some dumps via ssldump, in the hope to solve my problem. And I am testing even with Apache 1.3.19 - mod_ssl-2.8.1 and openssl.0.9.5a.

To prove that the SSL connection works between proxy.ecb and app.ecb, I installed the proxy server's certificate and the Verisign CA certificate in the Netscape browser from the server proxy.ecb. The attachment dmp_netscape_proxy_to_app_with_certificate shows the data and certificates that pass the wire.

When I start it from the PC with MSIE 5.0, the connection that is not authenticated to the proxy works, but when the proxy calls the app, it terminates with a handshake error. See the file dmp_pc_proxy_app_failure_dh.

Even after changing the SSLCipherSuite on the application server from
    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
to
    :RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
or
    :RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
or
    RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
only the cipher suite used changes, but I still get the handshake error. Adding the SSLProtocol directive and changing it to different settings does not help either.

See also another example, this time with Netscape 6 on the PC: dmp_NS6_from_pc_with_failed+app+SSL+protocl_SSLv2_no_chi_no_exp_no_null.

Can someone explain to me more precisely what the dumps mean? Can you explain to me the real reason why the handshake error occurs? Any suggestions on how to solve this problem?

HHHHEEEELLLPPPPPPPP,

Thanks in advance.
Herman De Taeye
Unisys Belgium

-----Original Message-----
From: De Taeye, Herman
Sent: Thursday, March 01, 2001 8:17 PM
To: '[EMAIL PROTECTED]'
Subject: Apache 1.3.17 - mod_ssl.2.8.0 - openssl.0.9.6 Reverse Proxy SSL

Hi,

I have set up the apache/openssl/mod_ssl products on two systems. The first system, named "gate.ecb", is configured as a reverse proxy. A Verisign CA test certificate, a Verisign-signed server certificate and its private key are installed. The second system is our application server and is named "serv.ecb". It also has a Verisign CA test certificate, a Verisign-signed application server certificate and its private key. A PC with a browser is connected to the same network for my tests. The PC has the Verisign CA certificate, but no private key nor a certificate.

What we need is:

    PC --> SSL with no client identification --> Gate --> SSL with identification of the gate to --> Server

In the gate "SSLVerifyClient" is not defined or set to none. In the server SSLVerifyClient require is set. When the PC tries to connect to the server SERV via the reverse proxy on GATE, it gets an error that the PC needs a client certificate.
On the ssl_engine_log of the server we see the following data:

[01/Mar/2001 13:58:37 04468] [info] Connection to child 0 established (server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [info] Seeding PRNG with 1160 bytes of entropy
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept initialization
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: read 11/11 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 1024/1024 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 854/854 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 2/2 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 134/134 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: write 7/7 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
>>>>>HERE IT COMES >>>>>
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client certificate B   <<<< THIS IS B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

It seems that the authentication of the certificate of GATE was not successful, because the server requested a certificate from client A, but received some from client B and this fails. This is not what we need. We only need the GATE to be authenticated. And when the GATE is trusted, all requests from external clients that do not have a certificate should pass via the gate to the server. When we set SSLVerifyClient to none on the server, then the PC can obtain the pages from the server without any problem.

Please can you help?

1. Is this supposed to work as in our scenario?
2. Is there anything wrong with our configuration?
3. Please can you explain?

Thanks for your assistance.

Herman De Taeye

Note: Following are fragments of the two httpd.conf files.
Gate: In the httpd.conf:

SSLCryptoDevice cswift
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 192.168.1.34:443>
    ServerName gate.ecb
    Port 443
    ProxyRequests off
    ProxyPass /serv/ https://serv.ecb/
    ProxyPassReverse /serv/ https://serv.ecb/
    Nocache *
    ErrorLog logs/ssl_proxy-error_log
    CustomLog logs/ssl_proxy-access_log common
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
    SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /usr/local/ap17e/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Serv: In the httpd.conf:

SSLCryptoDevice cswift
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/ap17e/htdocs"
    ServerName serv.ecb
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /usr/local/ap17e/logs/error_log
    TransferLog /usr/local/ap17e/logs/access_log
    SSLEngine on
    SSLProtocol all +SSLv3
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
    SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/usr/local/ap17e/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /usr/local/ap17e/logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
dmp_netscape_proxy_to_app_with certificate
dmp_NS6_from_pc_with_failed+app+SSL+proctocol_SSLv2_no_chi_all_no_exp_no_null
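The mail asks what the ssl_engine_log actually says about where the handshake died. The following is an added example, not part of the original post or of mod_ssl: a small Python reader for mod_ssl 2.8 style ssl_engine_log lines that walks the OpenSSL state trace, records the last handshake state reached, decodes the "error:XXXXXXXX:lib:func:reason [Hint: ...]" line, and reports whether the server had sent a CertificateRequest before the peer's empty Certificate message. The sample log embedded in the block is a constructed, abbreviated copy of the excerpt quoted above (BIO dump lines and the hand-written ">>>>>" annotations removed); the regular expressions and the diagnosis wording are this example's own assumptions about the log format, not anything mod_ssl documents.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: an abbreviated copy of the server's ssl_engine_log excerpt
# quoted in the mail (BIO dump lines and the ">>>>>" annotations left out).
SAMPLE_LOG = """\
[01/Mar/2001 13:58:37 04468] [info] Connection to child 0 established (server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept initialization
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
"""

# Assumed line layout: "[timestamp pid] [level] message" (as in the excerpt above).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection to child \d+ established \(server (?P<server>[^,\s]+), client (?P<client>[^)\s]+)\)")
STATE_RE = re.compile(r"OpenSSL: (?P<phase>Handshake|Loop|Read|Write|Exit): (?P<state>.*)$")
ERR_RE = re.compile(
    r"OpenSSL: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*?)"
    r"(?:\s*\[Hint: (?P<hint>[^\]]*)\])?\s*$"
)


@dataclass
class HandshakeReport:
    server: Optional[str] = None
    client: Optional[str] = None
    states: List[Tuple[str, str]] = field(default_factory=list)  # (phase, state text)
    failed: bool = False
    error_code: Optional[str] = None
    error_func: Optional[str] = None
    error_reason: Optional[str] = None
    hint: Optional[str] = None

    @property
    def last_state(self) -> Optional[str]:
        """Last Loop/Read/Write state reached before the Exit line, if any."""
        for phase, state in reversed(self.states):
            if phase not in ("Exit", "Handshake"):
                return state
        return None

    @property
    def requested_client_cert(self) -> bool:
        """True if the server sent a CertificateRequest (SSLVerifyClient require/optional)."""
        return any("write certificate request" in s for _, s in self.states)


def analyze_handshake(log_text: str) -> HandshakeReport:
    """Walk one connection's ssl_engine_log lines and summarise the handshake outcome."""
    rep = HandshakeReport()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # BIO dump bytes, annotations, blank lines
        msg = m.group("msg")
        c = CONN_RE.search(msg)
        if c:
            rep.server, rep.client = c.group("server"), c.group("client")
            continue
        s = STATE_RE.search(msg)
        if s:
            rep.states.append((s.group("phase"), s.group("state")))
            continue
        if m.group("level") == "error":
            if "SSL handshake failed" in msg:
                rep.failed = True
            e = ERR_RE.search(msg)
            if e:
                rep.error_code = e.group("code").upper()
                rep.error_func = e.group("func")
                rep.error_reason = e.group("reason").strip()
                rep.hint = e.group("hint")
    return rep


def diagnose(rep: HandshakeReport) -> str:
    """Human-readable verdict; the wording is this example's own, not OpenSSL's."""
    if not rep.failed:
        return "handshake completed"
    where = rep.last_state or "unknown state"
    if rep.requested_client_cert and rep.error_reason and "did not return a certificate" in rep.error_reason:
        return (f"failed at '{where}': the server sent a CertificateRequest but the connecting peer "
                f"{rep.client} answered with an empty Certificate message; the peer that opens this "
                f"connection must present a client certificate the server trusts, or the server must "
                f"not require one")
    return f"failed at '{where}': {rep.error_func}: {rep.error_reason}"


if __name__ == "__main__":
    report = analyze_handshake(SAMPLE_LOG)
    print(f"{report.server} <- {report.client}: {diagnose(report)}")
```

Run over the real log, the report for the GATE-to-SERV connection shows that the peer SERV is talking to is GATE (192.168.1.34), so the empty Certificate message is GATE's, not the PC's: the log line "read client certificate B" is the second pass through the same state, not a second client.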
