Thanks so much for your tip. Now I have a much better understanding of the problem.

Aaron

> Hello,
>
> I faced the same issue.
> Actually, client authentication has been disabled on recent versions. It has nothing to do with your configuration.
>
> See (on my blog):
> http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
> and then:
> http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html
>
> Regards,
>
> --
> Jean-Christophe Baptiste <j...@phocean.net>
>
> On Tuesday 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
>> I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.
>>
>> # httpd -v
>> Server version: Apache/2.2.14 (Unix)
>> Server built: Dec 3 2009 10:25:53
>>
>> # openssl version
>> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>>
>> I've followed the steps of this tutorial:
>>
>> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>>
>> I've also tried to follow the SSL HowTo on the Apache site:
>>
>> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>>
>> I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>>
>> then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, then it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.
>>
>> However, if I change my ssl.conf in an attempt to "force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server", as per the Apache HowTo, then I never get prompted for this "user identification request" to which I can identify my client web browser to the server.
>>
>> In this case, my ssl.conf file changes to the following.
>>
>> SSLVerifyClient none
>> <Location /Certneeded>
>> Options Indexes
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>> </Location>
>>
>> Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed.
>>
>> In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time.
>>
>> In the "good" case, when my "SSLVerifyClient require" statement is in the VirtualHost section of the ssl.conf file, in Wireshark, I see a client hello, followed by a server hello, followed by a "certificate, server key exchange, certificate request", which seems to be where the window pops up in my client prompting me with a user identification request.
>>
>> In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that both configurations (per-server and per-directory contexts) work as expected. What might be wrong here?
>>
>> Aaron
>>
>> ______________________________________________________________________
>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>> User Support Mailing List modssl-users@modssl.org
>> Automated List Manager majord...@modssl.org