Hello!
I'm working with security modules using Apache.
Background:
I have designed a new proxy module with some extra functionality. All requests passing
the proxy are checked by our AAA server. (Authentication, Authorization, Audit.) Some
resources (files) require stronger authentication methods. One of the methods is SSL.
The goal is to control SSL certificate flow from an AAA server.
Current solution:
SSLVerifyClient is unset. What I do in the proxy is to change mod_ssl
sslDir->nVerifyClient / sslServer->nVerifyClient to SSL_CVERIFY_OPTIONAL_NO_CA.
This is set in "URI to filename translation" handler of Apache.
mod_ssl will then re-negotiate the request and ask for client certificate.
(Without any verify check by mod_ssl.)
SSLOptions +ExportCertData is set so that the proxy can fetch the certificate in
the response handler. (The AAA server verifies the certificate.)
At the end of the response handler, the proxy restores nVerifyClient to unset.
This solution works. I can control the SSL requirements from the AAA server.
Problem:
The problem occurs the first time mod_ssl tries to re-negotiate.
[Tue Feb 5 09:55:33 2002] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Tue Feb 5 09:55:33 2002] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Tue Feb 5 09:55:33 2002] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Tue Feb 5 09:55:33 2002] [info] [client 192.168.64.102] client stopped connection before rflush completed
These lines appear in the logfile. At this point, the request is 'restarted'.
(All Apache handlers restart.)
After the restart, these errors don't occur and my application (proxy) works as wanted.
Question:
This is probably not the best way to control SSL, but I haven't figured
out any better way. I don't have the knowledge to design my own SSL code.
I have searched in the openssl/mod_ssl documents / source code about this.
I guess this is a tricky question and I am probably posting in the wrong forum, but
if anyone has some ideas or suggestions I'll be happy!
And why does the request restart like that?
Regards,
Stefan Ullgren, Develop
Lemon Planet AB
Phone: +46 (0) 702 69 14 15
e-mail: [EMAIL PROTECTED]
Lemon Planet develops software components and provides services for the new mobile market and customers with high requirements on access, security and collaboration. http://www.lemonplanet.com
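For reference, the same behaviour the module above achieves by rewriting nVerifyClient at request time can be expressed declaratively with a per-location SSLVerifyClient. This is an added configuration example, not code from the poster's module; the /secure/ path is a placeholder for whatever resources the AAA server classifies as needing certificate authentication.

```apache
# Server-wide: no client certificate is requested on the initial handshake
# (equivalent to leaving SSLVerifyClient unset, as in the post).
SSLVerifyClient none

# Resources that need certificate authentication. A per-location
# SSLVerifyClient that differs from the server-wide value makes mod_ssl
# re-negotiate after the request line and headers have been read, which is
# the same renegotiation the module triggers by changing nVerifyClient.
<Location /secure/>
    # optional_no_ca: ask for a certificate but do NOT check it against
    # SSLCACertificateFile. Any certificate the client sends, including a
    # self-signed one, is accepted at the TLS layer.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  10

    # Export the PEM certificate (SSL_CLIENT_CERT) and the subject/issuer DN
    # and validity variables (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN,
    # SSL_CLIENT_V_START, SSL_CLIENT_V_END, SSL_CLIENT_VERIFY) so the proxy
    # can hand them to the AAA server. Under optional_no_ca, a certificate
    # that did not chain to a trusted CA is reported as
    # SSL_CLIENT_VERIFY=GENEROUS rather than SUCCESS.
    SSLOptions +ExportCertData +StdEnvVars
</Location>
```

Because optional_no_ca skips the CA check inside mod_ssl, the presence of SSL_CLIENT_CERT must not be treated as authentication on its own: the AAA server has to verify the full chain, the validity period and the revocation status of the certificate, and the proxy should deny the request when that verification fails or when SSL_CLIENT_CERT is absent after the renegotiation.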