Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL.  I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: "SUCCESS"
NOTE: "SSL negotiation finished successfully"
NOTE: /apps/rtsrv1dev/share/html and all files in it are
      world-readable (644)

Browser shows "Forbidden"

IE 8 and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:
Hi folks. I'm *really* stumped here. If anyone has any
ideas, I would love to hear them. How can I debug this
further? I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>
ServerName rtdev1.our.org:443

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/apps/rtsrv1dev/share/html">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
"%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

CustomLog logs/ssl_error443_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \
%{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x \
%{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
SetHandler default
</Location>

<Location />
SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}
</Location>
</VirtualHost>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
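Editor's added example (not code from the thread or from mod_ssl): the two log facts in the quoted message are not in conflict. SSL_CLIENT_VERIFY=SUCCESS only says the client certificate chained to something in SSLCACertificateFile; the SSLRequire `in { ... }` operator is evaluated afterwards and is an exact, case-sensitive string comparison (mod_ssl implements it with strcmp) of SSL_CLIENT_S_DN against the listed strings. Note that the failing user's DN is logged as "/O=our.org/OU=People/..." while every entry in the quoted SSLRequire list reads "OU=people". The script below parses lines in the quoted CustomLog format, re-applies the quoted DN list the way `in` does, and reports whether a rejected-but-verified DN differs from a listed one only in case. The sample log lines are constructed to mirror the quoted format, using documentation addresses (192.0.2.0/24) in place of the poster's; the third DN is invented to show an unlisted but validly issued certificate.

```python
"""
Reproduce "SSL_CLIENT_VERIFY=SUCCESS, yet Forbidden": certificate
verification and the SSLRequire DN whitelist are two separate checks,
and the second one is an exact string match.
"""
import re

# DN whitelist copied verbatim from the quoted SSLRequire block.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]

# Field order follows the quoted CustomLog format string:
#   %t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x
#   %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x ...
# The DN contains spaces, so it is matched non-greedily up to the verify token.
LOG_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<https>\S+) (?P<proto>\S+) "
    r"(?P<cipher>\S+) (?P<bits>\d+) (?P<dn>.+?) "
    r"(?P<verify>SUCCESS|NONE|GENEROUS|FAILED(?::\S*)?) "
)

# Constructed sample lines (not from the thread): line 1 is the DN logged as
# working, line 2 is the failing user's DN exactly as logged ("OU=People"),
# line 3 is an invented user with a valid cert who is not on the list.
SAMPLE_LOG = """\
[15/Oct/2010:09:50:01 -0400] 192.0.2.10 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /index.html HTTP/1.1" 295
[15/Oct/2010:09:53:38 -0400] 192.0.2.11 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
[15/Oct/2010:09:55:12 -0400] 192.0.2.12 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=nnobody/CN=Nobody Nigel N SUCCESS 3 1A2B Nobody Nigel N - "GET /index.html HTTP/1.1" 295
"""


def parse_ssl_log_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ssl_require_in(dn, allowed):
    """Mirror of mod_ssl's `in { ... }` operator: exact, case-sensitive match."""
    return any(dn == candidate for candidate in allowed)


def first_difference(dn, candidate):
    """First (logged, configured) RDN pair that differs, splitting on '/'."""
    for logged, configured in zip(dn.split("/"), candidate.split("/")):
        if logged != configured:
            return (logged, configured)
    return None


def diagnose(line, allowed=ALLOWED_DNS):
    """Classify one request: why the SSLRequire expression did or did not pass."""
    rec = parse_ssl_log_line(line)
    if rec is None:
        return {"status": "unparsed", "line": line}
    dn = rec["dn"]
    result = {"client": rec["client"], "dn": dn, "verify": rec["verify"]}
    if rec["verify"] != "SUCCESS":
        result["status"] = "not_verified"          # SSLRequire is never reached
    elif ssl_require_in(dn, allowed):
        result["status"] = "allowed"
    else:
        # The cert verified, so it is genuine; check whether the configured
        # string differs from the logged DN only in letter case.
        near = [c for c in allowed if c.lower() == dn.lower()]
        if near:
            result["status"] = "case_mismatch"
            result["differs_at"] = first_difference(dn, near[0])
        else:
            result["status"] = "not_listed"
    return result


def report(log_text, allowed=ALLOWED_DNS):
    """Diagnose every non-empty line of a log in the quoted CustomLog format."""
    return [diagnose(l, allowed) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for r in report(SAMPLE_LOG):
        print(r.get("client"), r["status"], r.get("differs_at", ""))
```

Run against a real ssl_error443_log in place of SAMPLE_LOG; a "case_mismatch" result with differs_at ("OU=People", "OU=people") is the pattern the quoted logs show for the mbs certificate, and the fix is to make the SSLRequire string match the DN as OpenSSL prints it, character for character. Two caveats: the second setup's "client denied by server configuration" on favicon.ico is a different message, emitted by host-based access control (Order/Allow/Deny) rather than by SSLRequire, so the 2.2.17 build's httpd.conf should be checked for a restrictive default `<Directory />` that the quoted `<Directory "/apps/rtsrv1dev/share/html">` block (which sets only SSLOptions) never overrides; and a DN-string whitelist is brittle in exactly this way, so where the issuing CA is trusted for a single organisation, matching on a stable component such as SSL_CLIENT_S_DN_UID, or using SSLRequire's `=~` regex operator with an explicit case-insensitive pattern, avoids the problem.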
