Sorry, I sent the wrong file before.
Best regards,
Herman
-----Original Message-----
From: De Taeye, Herman
Sent: Thursday, March 08, 2001 10:55 PM
To: '[EMAIL PROTECTED]'; 'Openssl-Users (E-mail)'
Subject: RE: Apache 1.3.17 - mod_ssl.2.8.0 - openssl.0.9.6 Reverse Proxy SSL
Hi,
I am still struggling with my trials for reverse proxy and hoping to get
help....
Meanwhile I have the manual SSL and TLS (Eric Rescorla) on hand, but still I
am not getting much further.
I am doing my tests now between 2 Linux systems. They are called proxy.ecb
(for the gateway or proxy server) and app.ecb (for the application server on
the intranet).
I have taken some dumps via ssldump, in the hope of solving my problem.
And I am testing even with Apache 1.3.19 - mod_ssl-2.8.1 and openssl.0.9.5a
To prove that the SSL connection works between proxy.ecb and app.ecb, I
installed the proxy server's certificate and the Verisign CA certificate in
the Netscape browser from the server proxy.ecb. The attachment
dmp_netscape_proxy_to_app_with_certificate shows the data and certificates
that pass over the wire.
When I start it from the PC with MSIE 5.0, the connection that is not
authenticated to the proxy works, but when the proxy calls the app, it
terminates with a handshake error. See the file
dmp_pc_proxy_app_failure_dh.
Even after changing the SSLCipherSuite on the application server from
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
to
:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
or
:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
or
RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
only the cipher suite used changes; I still get the handshake error.
Adding SSLProtocol and changing it to different settings does not help
either.
See also another example, this time with Netscape 6 on the PC:
dmp_NS6_from_pc_with_failed+app+SSL+protocl_SSLv2_no_chi_no_exp_no_null .
Can someone explain to me more precisely what the dumps mean?
Can you explain to me the real reason why the handshake error occurs?
Any suggestions on how to solve this problem?
HHHHEEEELLLPPPPPPPP,
Thanks in advance.
Herman De Taeye
Unisys Belgium
-----Original Message-----
From: De Taeye, Herman
Sent: Thursday, March 01, 2001 8:17 PM
To: '[EMAIL PROTECTED]'
Subject: Apache 1.3.17 - mod_ssl.2.8.0 - openssl.0.9.6 Reverse Proxy SSL
Hi,
I have set up the apache/openssl/mod_ssl products on two systems.
The first system named "gate.ecb" is configured as a reverse proxy.
A Verisign CA test certificate, a Verisign-signed server certificate and its
private key are installed.
The second system is our application server and is named "serv.ecb". It also
has a Verisign CA test certificate, a Verisign-signed application server
certificate and its private key.
A PC with browser is connected to the same network for my tests. The PC has
the verisign CA certificate, but no private key nor a certificate.
What we need is:
PC -- > SSL with no client identification -- > Gate --> SSL with
identification of the gate to --> Server.
In the gate "SSLVerifyClient" is not defined or set to none.
In the server SSLVerifyClient require is set.
When the PC tries to connect to the server SERV via reverse proxy on GATE,
it gets an error that the PC needs a client certificate.
On the ssl_engine_log of the server we see the following data:
[01/Mar/2001 13:58:37 04468] [info] Connection to child 0 established (server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [info] Seeding PRNG with 1160 bytes of entropy
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept initialization
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: read 11/11 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 1024/1024 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 854/854 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 2/2 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 134/134 bytes from BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: write 7/7 bytes to BIO#000698B8 [mem: 00070F38] (BIO dump follows)
>>>>>HERE IT COMES >>>>>
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client certificate B <<<< THIS IS B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
It seems that the authentication of the certificate of GATE was not
successful, because the server requested a certificate from client A, but
received some from client B and this fails. This is not what we need. We
only need the GATE being authenticated. And when the GATE is trusted, all
requests from external clients that do not have a certificate should pass
via the gate to the server.
When we set on the server SSLVerifyClient to none, then the PC can obtain
the pages from the server without any problem.
Please can you help?
1. Is this supposed to work as in our scenario?
2. Is there anything wrong with our configuration?
3. Please can you explain?
Thanks for your assistance.
Herman De Taeye
Note: Following are fragments of the two httpd.conf files.
Gate: In the httpd.conf:
SSLCryptoDevice cswift
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost 192.168.1.34:443>
ServerName gate.ecb
Port 443
ProxyRequests off
ProxyPass /serv/ https://serv.ecb/
ProxyPassReverse /serv/ https://serv.ecb/
Nocache *
ErrorLog logs/ssl_proxy-error_log
CustomLog logs/ssl_proxy-access_log common
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/ap17e/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Serv: In the httpd.conf:
SSLCryptoDevice cswift
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/ap17e/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/ap17e/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
DocumentRoot "/usr/local/ap17e/htdocs"
ServerName serv.ecb
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/ap17e/logs/error_log
TransferLog /usr/local/ap17e/logs/access_log
SSLEngine on
SSLProtocol all +SSLv3
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/ap17e/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/ap17e/conf/ssl.key/server.key
SSLCACertificateFile /usr/local/ap17e/conf/ssl.crt/verisign-ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/ap17e/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/ap17e/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
dmp+netscape+on+proxy_to_app_ok
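An added example, not part of this thread, that walks the server-side ssl_engine_log excerpt quoted in the March 1 message: it parses the mod_ssl handshake trace, records the state the handshake stopped in, extracts the OpenSSL error code and reason, and relates "peer did not return a certificate" to the server's earlier "write certificate request" state (the server honoured SSLVerifyClient require, and the connecting side, here the reverse proxy, offered no certificate). The condensed sample log and the diagnosis rules are this example's own.

```python
import re

# Constructed sample: the server-side ssl_engine_log excerpt quoted in the thread,
# condensed to one handshake with wrapped lines joined and BIO dump lines dropped.
SAMPLE_LOG = """\
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client certificate A
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[01/Mar/2001 13:58:38 04468] [error] SSL handshake failed (server serv.ecb:443, client 192.168.1.34) (OpenSSL library error follows)
[01/Mar/2001 13:58:38 04468] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
STATE_RE = re.compile(r"OpenSSL: (?P<kind>Loop|Read|Write|Exit): (?:error in )?(?P<state>SSLv[23] .*)$")
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$")

def analyze(log_text):
    """Walk one handshake's trace lines; record the states seen, where it stopped and why."""
    result = {"states": [], "cert_requested": False, "failing_state": None, "error": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        s = STATE_RE.search(msg)
        if s:
            result["states"].append(s.group("state"))
            # mod_ssl only reaches this state when SSLVerifyClient asks the peer for a cert
            if s.group("state").startswith("SSLv3 write certificate request"):
                result["cert_requested"] = True
            if s.group("kind") == "Exit":
                result["failing_state"] = s.group("state")
        e = ERR_RE.search(msg)
        if e:
            result["error"] = e.groupdict()
    return result

def diagnose(result):
    """Map the recorded failure to a cause; the rule set is this example's own, not mod_ssl's."""
    err = result["error"]
    if err is None and result["failing_state"] is None:
        return "handshake completed"
    if err and err["func"] == "SSL3_GET_CLIENT_CERTIFICATE" and result["cert_requested"]:
        return ("peer sent no client certificate: the server requested one (SSLVerifyClient require), "
                "so the connecting side, here the reverse proxy, must present a certificate the server trusts")
    return "handshake failed in state %s: %s" % (result["failing_state"], err["reason"] if err else "unknown")
```

Run it on a real ssl_engine_log by passing the file contents to analyze() and then diagnose(); on the sample it names "SSLv3 read client certificate B" as the failing state and error 140890C7 as the cause.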