peer did not return a certificate No CAs known to server for verification?
Hello All,

We have opened a Java web service, and our clients are facing issues while accessing it. They are consistently getting an SSL / TLS connection failure message. All these clients are using VeriSign class 1 certificates. In the Apache error logs we see the message below:

    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
    [Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This is happening only with class 1 certificates; class 3 certificates are working fine. Earlier we were using IBM HTTP Server and our clients were able to connect to our web service. But since we have moved to Apache HTTP Server, they are facing this issue. Is there any known fix for this? Kindly advise. Your suggestions are of real value to us.

Note: All these clients are either PHP / .NET clients. Java clients are able to use class 1 certificates successfully.

Thanks,
Abhijit Mohan Bhate
Re: Client certificate do not work / renegociate
Hi,

That is not a bug, it is a feature! With TLS renegotiation there is a theoretical man-in-the-middle attack possible. To prevent that, the developers decided to deactivate TLS renegotiation.

Solution: use SSLInsecureRenegotiation on
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

From the changelog:

    Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol.

Mario

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
Client certificate do not work / renegociate
Hello,

In a host where the client certificate is optional, and required in some directories. The server uses SNI, and this configuration worked fine before SNI.

    <VirtualHost *:443>
        SSLVerifyClient optional
        <Location /certrequirement>
            SSLVerifyClient require
        </Location>
        ...

I use an SNI client (Firefox) with a client certificate that works on the optional locations but does not in the certrequirement location.

    [info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
    [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation, referer: http:
    [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
    [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol, referer: http
    [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
    [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
    [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
    [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 [mem: 7f4325577083] (BIO dump follows)
    [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
    [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
    [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/

    openssl-1.0.0-0.13.beta4.fc12.x86_64
    httpd-2.2.14-1.fc12.x86_64
    mod_ssl-2.2.14-1.fc12.x86_64

Does anyone know where the problem is? Why does it not work in required, but does the job in optional?
--
http://www.1pc.es/
Re: Client Auth with S/MIME certificates - certificate purpose problem
I found a solution. It looks like a dirty hack and makes a security hole, but it works for our custom purposes. So I don't recommend using this approach; still, it may be of interest to somebody.

It requires patching OpenSSL. In the 'openssl/ssl/ssl_cert.c' file, in the 'ssl_verify_cert_chain' function, replace

    X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");

by

    X509_STORE_CTX_set_default(ctx, "any");

Yaroslav
Client Auth with S/MIME certificates - certificate purpose problem
Hi all!

I have an https server with apache/2.2.12+mod_ssl/2.2.14 and OpenSSL/0.9.8g. I want to perform authentication based on client S/MIME certificates. Clients have certificates with only the following purposes:

    - S/MIME signing
    - S/MIME encryption

But no SSL client or SSL server. So I'm getting the following error during authentication:

    ...
    [Wed Feb 10 11:36:59 2010] [error] [client 127.0.0.1] Certificate Verification: Error (26): unsupported certificate purpose
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [info] [client 127.0.0.1] SSL library error 1 in handshake (server 127.0.1.1:443)
    [Wed Feb 10 11:36:59 2010] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    ...

I tried to solve this by customizing 'ssl_engine_init.c' from mod_ssl. I added the following lines in the ssl_init_ctx_verify function:

    /*
     * Configure CTX purpose
     */
    if (SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY)) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose successfully set");
    } else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose set failed");
    }

    /*
     * Configure Client Authentication details
     */

But it doesn't work. It seems all is OK with the SSL_CTX_set_purpose function, and there is a "Purpose successfully set" line in the Apache log file, but I'm still getting the "unsupported certificate purpose" error. I haven't found any certificate purpose configuration code in the mod_ssl source. I will be grateful for any help.

Yaroslav
SSLVerifyClient optional redirect or be graceful upon revoked certificate
When using SSLVerifyClient optional, is there a way (or are there plans for this) to redirect when mod_ssl detects a revoked certificate? What about setting $_SERVER['SSL_CLIENT_VERIFY'] == 'FAIL' just as it is when no certificate is installed? In other words, why should the action be any different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self-manage private SSL certificates. The login pre-test is intended for all cases (without cert, with cert, and revoked cert) and detects by testing $_SERVER['SSL_CLIENT_VERIFY'] == 'SUCCESS' (this is in a dedicated <Directory ...> carefully designed to eliminate risk from MitM attacks). This works for the two cases no-cert and valid-cert, but for revoked-cert we get an ugly hard-stop. For example, from Firefox: "SSL peer rejected your certificate as revoked."

If this isn't appropriate for modssl-users, but is rather an Apache issue, then advice for an alternate forum is appreciated. Has it already been discussed/requested? (Searched a lot but didn't find anything.)

I would like to build a mod_ssl with both the option to redirect on FAIL (separate options for no-cert and revoked-cert), and to limit initiating renegotiation to the server only, not the client.

Any help is greatly appreciated. Thanks.
RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate
I proposed this a while back but never got any responses.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked certificate

[...]
Issue setting up a Verisign certificate
I have generated a CSR, sent it to Verisign, and they sent me back a .cer file that I have renamed to public.crt. As per their support instructions I installed their Intermediate CA (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193).

My virtualhost configuration is as follows:

    SSLEngine on
    SSLCertificateFile /etc/apache2/public.crt
    SSLCertificateKeyFile /etc/apache2/private.key
    SSLCACertificateFile /etc/apache2/interm.crt

I am getting this error when trying to start Apache:

    [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server certificate from file /etc/apache2/secure.canadaeast.com.public.crt
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any thoughts? Because I am at a loss and am not interested in waiting on hold for 35 minutes to speak to their support people. Thanks!
Re: Issue setting up a Verisign certificate
Robin wrote:
| My virtualhost configuration is as follows:
|
| SSLEngine on
| SSLCertificateFile /etc/apache2/public.crt
                                     ^
| SSLCertificateKeyFile /etc/apache2/private.key
| SSLCACertificateFile /etc/apache2/interm.crt

I think this does not belong here, but I might be wrong.

| [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
| certificate from file /etc/apache2/secure.canadaeast.com.public.crt
                                      ---^

It seems your Apache is looking for the cert in a different file than you think. Probably because there is a different virtual host configuration for the SSL one.

--
Victoriano Giralt
G S Sistemas de Informacion, S.L. | http://www.gssi.es/
Re: Restricting access by arbitrary certificate extension
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the development list for Apache httpd, CC'ed. (I'm quoting the full mail inline for reference of dev@ readers.)

On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
[...]

I'd rather see a different syntax used for the new semantics, such as:

    SSLRequire has_oid(1.2.3.4)

though I'm not sure whether the SSLRequire parser can cope with that.

Regards, Joe
Restricting access by arbitrary certificate extension
mod_ssl can perform client authentication on the certificate in Apache and client authorization on certain certificate extensions. We are setting up a CA here and we want to restrict access to a certain website by checking the presence of a certain certificate extension using its OID. The syntax which mod_ssl is forcing us to use is the following:

    <Location />
        SSLRequire "some string" in OID("1.2.3.4.....")
    </Location>

As you can see, we need to match this string exactly in the extension's value. We can encounter a problem with this, because this extension may not be listed in OpenSSL's list of valid extensions (crypto/objects/objects.h). As I learned from the mod_ssl and OpenSSL code, mod_ssl would not be able to match the string because the object of this OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of determining the type of an arbitrary extension we want to use as the restricting factor. Hence, mod_ssl cannot even extract its value from the certificate.

Well, I poked around the problem for some time and found no other way than to patch mod_ssl by adding one new function in ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() and ssl_expr_eval_oid() but does not intend to extract the value of the certificate extension. I also added some change to ssl_expr_eval_comp(), so if you supply the zero-length word in SSLRequire, it uses my new function instead of ssl_expr_eval_oid(). So, the new syntax is like this:

    <Location />
        SSLRequire "" in OID("1.2.3.4.....")
    </Location>

If you are aware of a more attractive and "right" way to make it, please acknowledge. My patch for apache-2.2.11 is attached.

--
Zhumabekov Yerden

Attachment: apache_oid_presence.patch.gz
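As an added example (not Yerden's patch or mod_ssl code), here is the presence check done outside OpenSSL's object table: a minimal DER walker that lists a certificate's extensions by dotted OID, so the `"" in OID(...)` semantics need no NID. The certificate it parses is a constructed, unsigned stand-in built with the same encoder, not a real certificate, and "1.2.3.4.5" is a constructed placeholder for the CA's private extension.

```python
def _der_len(n):
    """DER length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to a dotted string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, length = content[pos], content[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(content[pos:pos + n], "big")
            pos += n
        items.append((tag, content[pos:pos + length]))
        pos += length
    return items

def certificate_extensions(der):
    """Map dotted OID -> (critical, extnValue octets) for every extension.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature };
    the extensions sit in the [3] EXPLICIT field (tag 0xA3) of the TBS.
    Unknown OIDs come back like any other: no name table is consulted."""
    (_, cert_body), = children(der)
    tbs = children(cert_body)[0][1]
    found = {}
    for tag, field in children(tbs):
        if tag != 0xA3:
            continue
        (_, ext_list), = children(field)
        for _, ext in children(ext_list):
            parts = children(ext)              # OID, optional BOOLEAN, OCTET STRING
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            found[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return found

def has_extension(der, dotted_oid):
    """Presence-only test, the semantics of the "" in OID(...) form."""
    return dotted_oid in certificate_extensions(der)

def build_sample_certificate(extension_oids):
    """Constructed, unsigned stand-in laid out like an X.509 v3 certificate."""
    null = tlv(0x05, b"")
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + null)
    empty_name = tlv(0x30, b"")
    utc_time = tlv(0x17, b"100210000000Z")
    spki = tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + null)
               + tlv(0x03, b"\x00"))
    exts = b"".join(
        tlv(0x30, encode_oid(oid) + tlv(0x04, tlv(0x0C, b"some string")))
        for oid in extension_oids)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + sha256_rsa + empty_name + tlv(0x30, utc_time + utc_time)
              + empty_name + spki + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00\x00\x00\x00"))

# basicConstraints plus a constructed private-arc OID (placeholder, not a real assignment)
SAMPLE_CERT = build_sample_certificate(["2.5.29.19", "1.2.3.4.5"])
```

Feed `certificate_extensions` the DER of a real certificate (the PEM body base64-decoded) to list its OIDs the same way.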
Multiple Requests for Client Certificate
hi,

I'm in the setup of an ssl-enabled apache2 server with mod_ssl - works fine so far *but* when a client browser opens multiple simultaneous connections for one page to the server, the client certificate gets requested the same number of times from the user. The corresponding browser configuration for firefox, for example, is named network.http.max-persistent-connections-per-server.

I am looking for a way to avoid these multiple questions for a client cert, but I have no influence on the browser configurations. Is there a way to avoid those multi-questions?

best regards
--
Wolfram Eifler
e.siqia Informationstechnologien GmbH
http://www.esiqia.com
Re: Authenticating users based on S/MIME certificate
Gunnar Vestergaard wrote:
> My goal is to let visitors of my web site authenticate themselves to my web server using some certificate, possibly S/MIME certificates.
> As I understand the documentation for PHP, there is no means whereby PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a request header. From one of my configuration files:

    RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
        ^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa]).*$
    RewriteRule ^.*$ - [E=CLIENT_CERT:%1]
    RequestHeader unset L-ClientCert
    RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters. Presumably PHP can use the string in the header to match the certificate against a list of known certificates. The certificate digest would be less unwieldy than the entire certificate, but mod_ssl would need some simple changes to make the digest available, and I would be reluctant to use a hosting provider who allowed customers to use a modified mod_ssl.

Dave Sparks
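As an added example (not Dave's or the project's code), here is how a backend can consume that header: it trusts the certificate only when mod_ssl reports SSL_CLIENT_VERIFY as SUCCESS (the check Jaz's login pre-test above relies on), %-decodes the PEM from the L-ClientCert header, and compares a SHA-256 fingerprint of the DER against an allowlist. It assumes SSLOptions +StdEnvVars exports SSL_CLIENT_VERIFY, that the header reaches the application as HTTP_L_CLIENTCERT, and the certificate bytes below are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Same three PEM labels Dave's RewriteCond accepts; \1 forces a matching END label.
PEM_RE = re.compile(
    r"-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----\r?\n"
    r"(?P<body>.*?)"
    r"\r?\n-----END \1CERTIFICATE-----",
    re.S,
)

def pem_to_der(pem_text):
    """Return DER bytes of the first PEM certificate block, or None if malformed."""
    match = PEM_RE.search(pem_text)
    if not match:
        return None
    body = re.sub(r"\s+", "", match.group("body"))
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return None

def fingerprint_from_header(header_value):
    """SHA-256 hex fingerprint of the %-encoded PEM carried in L-ClientCert."""
    der = pem_to_der(unquote(header_value))
    return hashlib.sha256(der).hexdigest() if der else None

def verify_status_ok(ssl_client_verify):
    """Only SUCCESS means mod_ssl verified the chain.

    NONE: no certificate sent; FAILED:<reason>: verification failed (a
    revoked certificate lands here when CRL checking is on); GENEROUS:
    optional_no_ca accepted a certificate it could not verify."""
    return ssl_client_verify == "SUCCESS"

def authorize(environ, allowlist):
    """Return the matching fingerprint when the request may proceed, else None.

    environ is a CGI/WSGI-style mapping: SSL_CLIENT_VERIFY from mod_ssl and
    HTTP_L_CLIENTCERT, which must only ever be set by the RequestHeader
    rules (the 'unset' line strips any copy a client tries to send)."""
    if not verify_status_ok(environ.get("SSL_CLIENT_VERIFY", "NONE")):
        return None
    header = environ.get("HTTP_L_CLIENTCERT")
    if not header:
        return None
    fingerprint = fingerprint_from_header(header)
    if fingerprint is None or fingerprint not in allowlist:
        return None
    return fingerprint

# Constructed sample: stand-in bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed stand-in bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# What the ESC rewrite map hands over: the PEM with every special byte %-encoded.
SAMPLE_HEADER = quote(SAMPLE_PEM, safe="")
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    env = {"SSL_CLIENT_VERIFY": "SUCCESS", "HTTP_L_CLIENTCERT": SAMPLE_HEADER}
    print("allowed:", authorize(env, {SAMPLE_FINGERPRINT}) == SAMPLE_FINGERPRINT)
    env["SSL_CLIENT_VERIFY"] = "FAILED:certificate revoked"
    print("revoked allowed:", authorize(env, {SAMPLE_FINGERPRINT}) is not None)
```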
Re: Authenticating users based on S/MIME certificate
Hi,

Have a look at mod_authz_ldap (LDAP-based white listing, http://authzldap.othello.ch/). Probably far more than you need, but it does things along the same lines and has some nice notes on how to do various bits and pieces.

You can add env vars that you can use in PHP; have a look at SSLOptions +StdEnvVars and +ExportCertData.

Regards
Matt

----- Original Message -----
From: Gunnar Vestergaard
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

[...]
Authenticating users based on S/MIME certificate
Hi.

I am an administrator of a user account at an Apache web server. Currently the server is running Apache 1.3.37. My hosting provider plans on switching to new hardware with possibly new software. So I don't know if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my web server using some certificate, possibly S/MIME certificates. Now, my current S/MIME certificate for personal e-mail is approved for the following purposes:

    Email Signer Certificate
    Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards an SSL web server? In any case I want to have a limited crowd of users seeing a subdirectory of pages without bothering the user with a user name/password dialog. Just their personal certificate lets them see pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP can read and interpret an SSL client certificate. Is that correct?

Gunnar
Customizing error message when using certificate based authentification
Hi!

I have set up certificate based authentication using SSLVerifyClient require in my httpd.conf. Everything works fine, but if a client does not have a valid certificate Firefox gives an obscure error message:

    www.example.com has received an incorrect or unexpected message. Error Code: -12227

Is there a way to give the client a normal error page, like e.g. for 404 errors?

Best regards!
Christian
Re: Customizing error message when using certificate based authentification
Christian Nolte wrote:
> I have set up certificate based authentication using SSLVerifyClient require in my httpd.conf. Everything works fine, but if a client does not have a valid certificate Firefox gives an obscure error message:
>
>     www.example.com has received an incorrect or unexpected message. Error Code: -12227
>
> Is there a way to give the client a normal error page, like e.g. for 404 errors?

II. Tricks

1. Redirect all HTTP requests to HTTPS
   a. Load mod_rewrite (see: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
   b. Add the following rule to your non-HTTPS server configuration (httpd.conf):

        # Require HTTPS
        RewriteEngine on
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]

2. Redirect all requests that fail to authenticate to an error page
   a. Load mod_rewrite (see: http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
   b. Add the following rule to your HTTPS server configuration (mod_ssl.conf):
      i. Apache 1.3.x: (NOTE: Internet Explorer does not work correctly with Apache 1.3.x and mod_ssl when SSLVerifyClient is set to anything except none)

        # Redirect client-verification-failures to a specific
        # page.
        RewriteEngine on
        RewriteCond %{SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule . /error-pages/pki/pki-invalid.html [last]

      ii. Apache 2.2.x:

        # Redirect client-verification-failures to a specific
        # page.
        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule . /error-pages/pki/pki-invalid.html [last]

   c. Change SSLVerifyClient to optional (NOTE: Internet Explorer does not work correctly with Apache 1.3.x and mod_ssl when SSLVerifyClient is set to anything except none)

        SSLVerifyClient optional

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
Re: just installed certificate and I'm getting the wrong site...
Sorry for bumping my own post, but I'm really in need of help here. I'm at a loss. Maybe it's because folks are on holiday given the time of year, but if anyone thinks they can help, I'd very much appreciate it. :o)

Thanks,
Chris

On Dec 27, 2007 3:30 PM, Chris Jordan wrote:
> Hi folks,
>
> I'm a complete newbie to this stuff, and I need a little more help. I'm running apache 2.2.4 on Fedora Core 6 (2.6.20-1.292.fc6).
>
> My first problem after I installed the certificate is that we apparently had an old self-signed certificate installed. So, once I figured out that the SSL directives were in conf.d/ssl.conf and not in conf/httpd.conf, I was able to put my certificate information in that file and now our server is using our real certificate and not the self-signed one.
>
> Our server runs multiple domains using virtual hosting, and I've read through the archives enough to find out that I can't do name-based virtual hosts with SSL. That's fine. My problem now is that when I browse to https://mysecuredomain.com, I'm getting sent to another one of our other domains (wrongdomain.com -- for the sake of discussion) except that the URL in the address bar still says https://mysecuredomain.com. I'm confused. I've searched through the archives, but can't seem to find out how this is happening.
>
> Here's another strange bit. We've got an old version and a newer version of wrongdomain.com, and when I browse to http://wrongdomain.com I get the new version. When I browse to https://wrongdomain.com I get the *old* version of the site -- just as I do when I browse to https://mysecuredomain.com...
>
> I hope I'm explaining this well enough. I really need help on how to get things working properly.
>
> The other thing that I'm curious about is whether we'll be able to secure any of our other domains hosted from this box in the future if we need to. From the reading I've done I'm thinking that's going to be a 'No', but what if we use the same certificate for all sites? That may be a dumb question, but again, I'm a genuine newbie here. My main concern is about the first part of this post... the side question about multiple domains is less important to me, but I'd still like to know.
>
> I sure hope someone can help me.
>
> Thanks heaps,
> Chris
> --
> http://cjordan.us

--
http://cjordan.us
Re: just installed certificate and I'm getting the wrong site...
Hi Chris,

This sounds to me like more of an Apache configuration problem. Perhaps if you posted some bits of your httpd.conf someone could spot the problem.

Could you clarify on the old and new versions of wrongdomain.com? Are both still present on your server, with the old one residing in another directory?

It sounds to me like when you come through to your server from mysecuredomain.com via https, you come through to the first virtual directory / host, which is wrongdomain.com, because they're both on the same IP. What happens if you switch the order of your virtual hosts, do you come through to a different site? I'd be switching my conf files about to experiment and see what happens in order to figure out the problem.

Glyn

--- Chris Jordan wrote:
> Sorry for bumping my own post, but I'm really in need of help here.
> [...]
Re: just installed certificate and I'm getting the wrong site...
From your description it sounds like you have a virtual host defining the new version of wrongdomain.com plus you have a global definition of the old version of wrongdomain.com. Then it sounds like you have not specified the data location inside the virtual host where you define mysecuredomain.com, so that you are picking up the global definition. Cure in this scenario is to override the global configuration information inside the virtual host for mysecuredomain.com (or if you do not have a virtual host for mysecuredomain.com, create one).

As for the problem of https://wrongdomain.com responding, recall that there can be only one port 443 per ip address, and Apache does not look at domain names in deciding to serve https, only the ip address. Cure: I think you can use rewrite rules to direct traffic addressed to https://wrongdomain.com to a safe directory (I have not tried this). Or see below.

As for serving more than one secure web site from a single computer, yes you can do this, but recall the limit of one port 443 per ip address. You can either arrange for your computer to have multiple ip addresses (add multiple NIC cards or dink around with the ifconfig or other etc files depending on your flavor of Unixoid OS), and then run multiple instances of Apache listening on different ip addresses. Be sure that your separate instances of Apache define different locations for their housekeeping files. This will also solve your https://wrongdomain.com problem.

Or, you can use a port other than 443 for https with a single ip address, but this is ugly if the user has to type in the URL. Not sure if a single instance of Apache can handle two different secure ports in different virtual hosts, but you certainly can use separate instances of Apache on the same box.

Regards,
orville
www.weyrich.com

--- Chris Jordan [EMAIL PROTECTED] wrote:

[quoted original post trimmed; it appears in full as the thread-starting message "just installed certificate and I'm getting the wrong site..." below]
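To make the two rules in orville's diagnosis concrete, here is an added example that is not part of the thread: a small POSIX shell/awk script that reads a flattened httpd.conf, models that the first VirtualHost listed for an address:port answers connections to it and that a vhost without its own DocumentRoot inherits the main server's, and reports which directory an https request would be served from. The configuration text, paths and host names are constructed to mirror Chris's description; NameVirtualHost and _default_ handling are deliberately left out of the model.

```shell
#!/bin/sh
# Added example (not from the thread): resolve what Apache would serve for a
# connection to ADDRESS:PORT from a flattened httpd.conf, using two rules the
# diagnosis above relies on:
#   1. the first <VirtualHost> listed for an address:port answers it
#      (Apache's own warning puts it as "the first has precedence");
#   2. a vhost that does not set a directive inherits it from the main server
#      context (this is how the global DocumentRoot leaks into the SSL vhost).
# Configuration, paths and host names below are constructed, not from the thread.
# NameVirtualHost and _default_ handling are intentionally not modelled.

CONF=$(cat <<'EOF'
# main server context: the old site, left over from before the rebuild
DocumentRoot /var/www/wrongdomain-old
ServerName wrongdomain.com

<VirtualHost *:80>
    ServerName wrongdomain.com
    DocumentRoot /var/www/wrongdomain-new
</VirtualHost>

<VirtualHost *:443>
    ServerName mysecuredomain.com
    SSLEngine on
    # no DocumentRoot here, so the global one above is used
</VirtualHost>
EOF
)

# Usage: vhost_directive CONFIG_TEXT ADDRESS DIRECTIVE
# Prints the DIRECTIVE value of the first <VirtualHost ADDRESS>, falling back to
# the main-server value when that vhost does not set it; prints nothing when no
# vhost for ADDRESS exists at all.
vhost_directive() {
    printf '%s\n' "$1" | awk -v want="$2" -v dir="$3" '
        /^[ \t]*#/ { next }                          # comment lines
        /^[ \t]*<VirtualHost / {
            addr = $2; sub(/>.*/, "", addr)          # "<VirtualHost *:443>" -> "*:443"
            invh = 1; hit = 0
            if (addr == want && !found) { found = 1; hit = 1 }   # first one wins
            next
        }
        /^[ \t]*<\/VirtualHost>/ { invh = 0; hit = 0; next }
        $1 == dir {
            if (!invh) gval = $2                     # main server context
            else if (hit) vval = $2                  # the vhost we care about
        }
        END { if (found) print (vval != "" ? vval : gval) }
    '
}

# The fix orville suggests: give the SSL vhost its own DocumentRoot.
CONF_FIXED=$(printf '%s\n' "$CONF" |
    sed 's|# no DocumentRoot here.*|DocumentRoot /var/www/mysecuredomain|')

echo "https on *:443 serves from: $(vhost_directive "$CONF" '*:443' DocumentRoot)"
echo "http  on *:80  serves from: $(vhost_directive "$CONF" '*:80' DocumentRoot)"
echo "after the fix, *:443 serves: $(vhost_directive "$CONF_FIXED" '*:443' DocumentRoot)"
```

Run against the unfixed configuration the script reports /var/www/wrongdomain-old for *:443, which is exactly the "wrong site with the right URL" Chris sees; only after the vhost gets its own DocumentRoot does *:443 resolve to the secure site's directory.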
just installed certificate and I'm getting the wrong site...
Hi folks,

I'm a complete newbie to this stuff, and I need a little more help. I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6).

My first problem after I installed the certificate is that we apparently had an old self-signed certificate installed. So, once I figured out that the SSL directives were in the conf.d/ssl.conf and not in conf/httpd.conf, I was able to put my certificate information in that file and now our server is using our real certificate and not the self-signed one.

Our server runs multiple domains using virtual hosting, and I've read through the archives enough to find out that I can't do named virtual host with SSL. That's fine. My problem now is that when I browse to: https://mysecuredomain.com, I'm getting sent to another one of our other domains (wrongdomain.com -- for the sake of discussion) except that the URL in the address bar still says: https://mysecuredomain.com. I'm confused. I've searched through the archives, but can't seem to find out how this is happening.

Here's another strange bit. We've got an old version and a newer version of wrongdomain.com and when I browse to http://wrongdomain.com I get the new version. When I browse to https://wrongdomain.com I get the *old* version of the site -- just as I do when I browse to https://mysecuredomain.com... I hope I'm explaining this well enough. I really need help on how to get things working properly.

The other thing that I'm curious about is whether we'll be able to secure any of our other domains hosted from this box in the future if we need to. From the reading I've done I'm thinking that's going to be a 'No', but what if we use the same certificate for all sites? That may be a dumb question, but again, I'm a genuine newbie here.

My main concern is about the first part of this post... the side question about multiple domains is less important to me, but I'd still like to know. I sure hope someone can help me.

Thanks heaps,
Chris
--
http://cjordan.us
After replacing ssl certificate, apache fails to start but gives no error
I've updated my ssl public certificate and intermediate certificate according to the instructions at http://www.verisign.com/support/ssl-certificates-support/page_dev019509.html

I also made sure the file permissions match. Now apache won't start, and doesn't indicate any error:

[EMAIL PROTECTED] root]# apachectl startssl
Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server webamc.annamaria.edu:443 (RSA)
Enter pass phrase:

[EMAIL PROTECTED] root]# netstat -anp | grep 443
[EMAIL PROTECTED] root]#

Also, nothing shows up in /var/log/httpd/error_log, /var/log/httpd/access_log (of course), or /var/log/messages.

If I put the old certificate back, it works:

[EMAIL PROTECTED] root]# apachectl startssl
Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server webamc.annamaria.edu:443 (RSA)
Enter pass phrase:

[EMAIL PROTECTED] root]# netstat -anp | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1197/httpd
[EMAIL PROTECTED] root]#

How can I troubleshoot this? I don't have any experience with modssl, I've inherited responsibility for this system. Our certificate expires in two days. :(

Thanks,
Rick Onanian
Network Administrator
Anna Maria College
Re: After replacing ssl certificate, apache fails to start but gives no error
I wrote:
> I've updated my ssl public certificate and intermediate certificate according to the instructions [...] I also made sure the file permissions match. Now apache won't start, and doesn't indicate any error:
> Also, nothing shows up in /var/log/httpd/error_log, /var/log/httpd/access_log (of course), or /var/log/messages.

Okay, I figured it out. I tried breaking things until I found the same symptom. I found that when I used the wrong private key, it had the same symptom. Sure enough, that was the problem. The CSR I used to get the certificate signed by Verisign was for a different key. I now have a significantly better understanding of how the whole process works.

Why doesn't modssl provide any error message or log entry?

Is it insecure to use an old key pair? What's the appropriate thing to do -- create a new key pair (and a new CSR) each time you renew your signed certificate, or just re-use the old key pair and get a new signed certificate?

Thanks,
Rick Onanian
Network Administrator
Anna Maria College
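The symptom Rick found (a private key that does not belong to the certificate he installed) and the renewal deadline he mentions can both be caught before Apache is restarted. The following POSIX shell script is an added example, not part of the thread: it compares the public key embedded in the certificate with the public key derived from the private key, and asks whether the certificate is still valid for a given number of seconds. It assumes the openssl command-line tool is installed, and it generates its own throw-away key pair and certificate in a temporary directory (all file and host names constructed) so that it runs as-is.

```shell
#!/bin/sh
# Added example (not from the thread): pre-restart checks for a mod_ssl server.
# Assumes the openssl CLI is on the path; every file name below is constructed.

# Returns 0 when the public key inside the certificate ($1) equals the public key
# derived from the private key ($2), 1 when they differ, 2 when a file is unreadable.
# Comparing the SubjectPublicKeyInfo works for RSA and other key types alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate ($1) stays valid for at least $2 more seconds,
# 1 when it expires (or has already expired) within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Constructed demo material: a self-signed certificate with its own key, valid for
# one day, plus an unrelated key standing in for "the key the CSR was NOT made from".
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=webamc.example' \
    -keyout "$demo/site.key" -out "$demo/site.crt" >/dev/null 2>&1
openssl genrsa -out "$demo/other.key" 2048 >/dev/null 2>&1

if cert_matches_key "$demo/site.crt" "$demo/site.key"; then
    echo "site.crt / site.key: match"
fi
if ! cert_matches_key "$demo/site.crt" "$demo/other.key"; then
    echo "site.crt / other.key: MISMATCH - Apache would refuse this pair"
fi
# 172800 s = two days: the demo certificate only lives one day, so this warns.
if ! cert_valid_for "$demo/site.crt" 172800; then
    echo "site.crt expires within two days - renew before then"
fi
```

Point cert_matches_key at the files named by SSLCertificateFile and SSLCertificateKeyFile before reloading; a mismatch there is the wrong-key situation Rick describes, and it is cheaper to find with a two-line check than by breaking things until the symptom reappears.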
Apache2, modssl and wildcard certificate
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 PHP/5.2.3

Not sure if this belongs here or in another mailing list (apache). I'd like to know how I can set up subdomains with a wildcard certificate?

1) Originally I had a couple of websites with ssl (https), each site with its own ip-address and its own certificate. In an attempt to save on IP-addresses, I thought that subdomains and a wildcard certificate would allow me to use one ip-address (and therefore name-based virtual hosting). Is this the correct assumption? If it's correct, please read on. If this is not correct, what to do to get it working?

2) I've created a self-signed wildcard certificate. When I (re)start apache, the following warnings occur:

[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
[Wed Nov 14 07:34:33 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Wed Nov 14 07:34:33 2007] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 14 07:34:33 2007] [notice] Digest: done
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)

How do I get rid of the first 2 warnings (and the repeats later on for different subdomains)? Something I did wrong while creating the certificate?

I do understand the cause of the third warning (and its repeats). This would imply that wildcard certificates and subdomains using name-based virtual hosting are not possible. Any way that I can work around this?

This is (part of) my /etc/httpd/extra/httpd-ssl.conf

NameVirtualHost *:443
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
#no space between colon and first /
SSLMutex file:/var/run/httpd/ssl_mutex

# command centre
#<VirtualHost _default_:443>
<VirtualHost *:443>
DocumentRoot /home/cc/www/ils/web
ServerName cc.lbtd-techweb01
#ServerAlias cc.lbtd-techweb01
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certificates/lbtd-techweb01.crt
SSLCertificateKeyFile /etc/httpd/certificates/lbtd-techweb01.key
BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
<Directory /home/cc/www/ils/web>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Wim Sturkenboom
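An added example, not from Wim's message or from the Apache project: it pulls the CommonName out of a certificate and checks which host names a wildcard CN covers, using the rule TLS clients apply (the * stands for exactly one leftmost label, so *.lbtd-techweb01 covers cc.lbtd-techweb01 and tac.lbtd-techweb01 but neither lbtd-techweb01 itself nor deep.cc.lbtd-techweb01). Whether a particular mod_ssl release's start-up CN check understands wildcards is not something the thread establishes, so the script is a way to verify what the certificate actually says against the ServerName of each vhost. It assumes openssl on the path; the certificate, file names and host names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a certificate's CN and apply the
# single-label wildcard rule to the host names Apache will answer for.
# Assumes the openssl CLI; file and host names are constructed.

# Prints the CommonName of the certificate in $1. RFC 2253 formatting gives a
# stable "subject=CN=...,O=..." layout across OpenSSL versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//p' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Returns 0 when the name pattern $1 (e.g. "*.example" or "www.example") matches
# host $2. A wildcard must be the whole leftmost label and covers exactly one
# label: it never matches the bare parent name or a deeper subdomain.
# Comparison is case-insensitive, as DNS names are.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pattern in
        '*.'*)
            first=${host%%.*}                   # leftmost label of the host
            rest=${host#*.}                     # host without that label
            [ -n "$first" ] && [ "$rest" != "$host" ] && [ ".$rest" = "${pattern#\*}" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# Constructed demo: a self-signed wildcard certificate like the one in the thread.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.lbtd-techweb01' \
    -keyout "$demo/wild.key" -out "$demo/wild.crt" >/dev/null 2>&1
cn=$(cert_cn "$demo/wild.crt")

for host in cc.lbtd-techweb01 tac.lbtd-techweb01 lbtd-techweb01 deep.cc.lbtd-techweb01; do
    if name_matches "$cn" "$host"; then
        echo "$host: covered by CN $cn"
    else
        echo "$host: NOT covered by CN $cn"
    fi
done
```

Modern clients match against subjectAltName entries rather than the CN, so the same rule should be applied to each DNS entry there when a certificate carries them; the CN case is what the 2007 warning in the thread is about.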
Unable to configure X.509 CRL storage for certificate revocation
I'm moving a number of web pages from a RHEL3 server running Apache 2.0.46 to a RHEL5 system running 2.2.3. The unsecure pages are running just fine, but if I have ssl.conf in the conf.d directory, httpd won't start up. The only error message I can find anywhere is in ssl.error_log:

[Sat Sep 01 19:03:26 2007] [error] Unable to configure X.509 CRL storage for certificate revocation

Googling on that particular string is singularly unhelpful. Any nudge in the right direction gratefully appreciated...

--
Tim Boyer
Chief Technology Officer
Denman Tire Corporation
[EMAIL PROTECTED]
Re: Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU
Hello Joe,

Thank you very much for the exhaustive answer.

Best regards,
Arsen.

On Tue, 7 Aug 2007, Joe Orton wrote:

[Joe's reply quoted in full; it appears as its own message below]
Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU
Hello,

I am setting up client authentication with X.509 certificates. The client has the certificate subject DN of the following form:

/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT

I need to catch both OUs in my perl CGI script. But when I am trying to get the values of OUs with the following piece of code:

$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable\n";
$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable\n";

both print statements print ZZZ (the first OU). How can I catch both OUs in my CGI script? Does mod_ssl see the first OU only?

My apache version is 2.0.55. However I don't know the version of mod_ssl. By the way, how can I determine what version of mod_ssl module do I have?

Thanks for the help in advance,
Arsen.
Re: Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU
On Tue, Aug 07, 2007 at 02:25:54PM +0200, Arsen Hayrapetyan wrote:
> Hello,
> I am setting up client authentication with X.509 certificates. The client has the certificate subject DN of the following form:
> /C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
> I need to catch both OUs in my perl CGI script. But when I am trying to get the values of OUs with the following piece of code:
> $variable=$ENV{SSL_CLIENT_S_DN_OU};
> print "$variable\n";
> $variable=$ENV{SSL_CLIENT_S_DN_OU};
> print "$variable\n";
> both print statements print ZZZ (the first OU). How can I catch both OUs in my CGI script? Does mod_ssl see the first OU only?

It has access to them all, but only exports the first. If you upgrade to 2.2.x, you could hack ssl_engine_kernel.c by adding:

"SSL_CLIENT_S_DN_OU_0",
"SSL_CLIENT_S_DN_OU_1",

to the ssl_hook_Fixup_vars[] array. This will force the first and second OU field to be exported to CGI scripts in those named variables. Note that this won't work with 2.0.x, which doesn't support the _N suffix.

> My apache version is 2.0.55. However I don't know the version of mod_ssl. By the way, how can I determine what version of mod_ssl module do I have?

mod_ssl is integrated into the httpd 2.x tree, so there is no separate version.

joe
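Without patching mod_ssl, a CGI script can still see both OUs: the SSL_CLIENT_S_DN variable carries the whole subject DN in the /C=XX/O=YYY/... form shown in the question, so splitting it on / yields every component in certificate order. The helper below is an added example, not from Joe's reply or Arsen's script, written in POSIX shell with awk; the DN string is constructed from the thread, and a real CGI would read it from $SSL_CLIENT_S_DN in its environment. It assumes attribute values contain no unescaped /, which the legacy one-line DN format does not protect against.

```shell
#!/bin/sh
# Added example (not from the thread): extract every value of one attribute
# from the full subject DN that mod_ssl exports as SSL_CLIENT_S_DN, instead of
# relying on SSL_CLIENT_S_DN_OU, which only carries the first OU.
# Assumption: values contain no unescaped "/" (the one-line format cannot
# express that safely, so such a value would be split in two here).

# Usage: dn_values '/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT' OU
# Prints one matching value per line, in the order they appear in the DN.
dn_values() {
    printf '%s\n' "$1" | tr '/' '\n' | awk -v want="$2" -F= '
        NF >= 2 && $1 == want {
            sub(/^[^=]*=/, "")   # drop "ATTR=" only, so a value containing
            print                # "=" survives intact
        }'
}

# Number of values found; handy when the script must insist on, say, two OUs.
dn_count() {
    dn_values "$1" "$2" | wc -l | tr -d ' '
}

# Constructed stand-in for the CGI environment mod_ssl would provide.
SSL_CLIENT_S_DN='/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT'
export SSL_CLIENT_S_DN

echo "OU values in order:"
dn_values "$SSL_CLIENT_S_DN" OU
echo "number of OUs: $(dn_count "$SSL_CLIENT_S_DN" OU)"
echo "CN: $(dn_values "$SSL_CLIENT_S_DN" CN)"
```

Only trust the DN variables after the handshake has actually verified the client (SSL_CLIENT_VERIFY equal to SUCCESS); the components are attacker-chosen text until then, so quote them and never pass them to a shell or an SQL statement unescaped.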
re: client certificate authentication and IE friendly errors
Hello,

I'm having a problem with Internet Explorer's "Show friendly HTTP error messages" in response to a 403 generated by an SSLRequire directive, when trying client certificate authentication. I've come across some information about over-riding the browser config by setting the size of the message [greater than 512 bytes for a 403], which doesn't appear to work. Unfortunately I can't rely on users having unchecked this setting in the browser options.

The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the same Location directive. I've combined these because there is a likelihood that the resource will be accessed by clients without certificates, and I'm trying to trap this in as friendly a way as possible.

Everything works fine in my testing [good cert, no cert, wrong cert], except when I try to hit the server with an expired client certificate in IE. Because of some testing constraints around where I get the certificates from I've been simulating expiry by adjusting the time on both the desktop and server - just the client cert is expired at the chosen time; not the issuing CA cert or web server's.

With an expired client certificate, my ErrorDocument 403 is correctly displayed if the 'show friendly messages' is unchecked, but the browser shows a 'page cannot be displayed' error if the setting is enabled. I can't see anything in the logs to distinguish the two states. A reload on the browser correctly renders the error.

Is this something that anyone else has come across? I've checked the archives, and although people have cited problems with friendly errors [http://marc.info/?l=apache-modssl&m=101554001204754&w=2] the circumstances seem different.

Is there a saner way of handling the access attempts from browsers attempting to access the same resource both with and without client certs?

Version info:
- desktop: XP SP2, IE version 6.0.29...
- server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl 0.9.8e

I have the SetEnvIf HTTP_USER_AGENT .*MSIE.* ... enabled as per default config. SSLCACertificateFile has a single entry for the issuing CA.

Thanks,
Donal
Web Interface Certificate Management
I was interested in working on a project, and wanted to get some other people's ideas and inputs.

My idea is to make a nice interface for creating SSL certificates for Apache/mod_ssl instead of running OpenSSL from the command line. I think there are a lot of people that would appreciate such a little tool. Since the certificate will eventually be used to protect a web server, I think the tool should be web based.

Here's what I'm thinking: When you first install Apache, you can browse to some predetermined URL that's served by your installation. Obviously, you don't want this to be from outside the network, so let's just say we'll do some verification that the request comes from an authorized person. When you go to this URL, you encounter a form that asks for the typical certificate information such as the Common Name, the location, etc. We can populate this form with as much configuration info as we like. When the user hits the Configure button, we'll call the necessary OpenSSL interfaces to create a certificate, and then update the configuration files to set everything up properly. We can even add an interface to ship off a CSR to a CA, and a nice interface to deal with the response.

I'd like this to be very easy for people to use. Something that can be used by just dropping a file someplace without dealing with any installation issues.

Has anyone ever heard of anything like this? Any good ideas on where to start for building such a tool? Is this something that could be built into mod_ssl, or should it be a sibling module? Should this be an Apache module at all? What kind of tools/architecture would you use? Any other ideas on how to make this better?

Sander Smith
Client Certificate size
Hi,

Is there an upper bound on maximum client certificate size that Apache/Mod_ssl can handle? I am using SSL_VERSION_LIBRARY=OpenSSL/0.9.7b, Apache 1.3.27

Thanks,
Vishal
Re: apache segfaults on startup after specifying the certificate file and key
You will have better luck on the apache mailing lists (http://httpd.apache.org) as mod_ssl on this website, as told on modssl.org, is only for apache 1.x. As of 2.x modssl is incorporated into the apache distribution and is also maintained by the apache http server project.

On 12/29/06, Mark Robinson [EMAIL PROTECTED] wrote:

[original post quoted in full; it appears as its own message "apache segfaults on startup after specifying the certificate file and key" below]
apache segfaults on startup after specifying the certificate file and key
Hi all,

I am running freebsd 6.1 and apache 2.2.0_7

I am new to SSL and have configured a self-signed certificate according to http://slacksite.com/apache/certificate.html

I placed the .crt and .pem files in /usr/local/etc/apache22 and set the .pem file readable only by root

When I start up apache it gives a segmentation fault and stops. When I set the logging option in httpd.conf to debug, the log file shows the following before the seg fault:

[Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sat Dec 30 00:48:27 2006] [info] Loading certificate & private key of SSL-aware server
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual) servers for SSL
[Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName (CN) `mail.reoins.com' does NOT match server name!?
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768): Configuring RSA server private key
[Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr 209.163.210.42

Thanks for any help or suggestions.
Client certificate
Hi,

I am trying to implement client authentication based on client certificates. I want to throw up an error message to the user/browser in case the client certificate is invalid. What I got was the "The page cannot be displayed" error if an invalid (expired) client certificate is sent, and I see the following in the logs.

==
[Tue Nov 14 16:52:53 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Tue Nov 14 16:52:57 2006] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Tue Nov 14 16:52:57 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed

Ideally, I would like to be able to find that the client certificate has expired using the SSL_Client.. variables and be able to give the user some error message. Is it possible?

Thanks,
Vishal
Certificate issue.
Hello,

Was wondering if anyone has seen this error and can help me correct it? It is for a test box; a self-signed certificate is all I need.

Thanks
Lonie

HTTP Status 500 -
type: Exception report
message:
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception:
javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:319)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)
root cause:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
    com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
    edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
    edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:278)
    edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:283)
    edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)
note: The full stack trace of the root cause is available in the Apache Tomcat/5.0.27 logs.
Apache Tomcat/5.0.27
Re: Certificate and CRL Path Validation Error
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
(I'll probably take this over to modssl-devel, but since you asked, I thought that I would bring it up here.)

Hmm - I thought there WAS a developers mailing list, but apparently I was mistaken - so I guess I have to ask: is this the right place to have discussions about the best way to add in the capability for mod_ssl to do full 3280 path validation?

New mod_ssl development generally happens in the httpd 2.x tree, so dev@httpd.apache.org is where it is discussed. I don't think Ralf is adding new features to mod_ssl 2.8 any more.

Regards, joe

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Certificate and CRL Path Validation Error
All,

I am working in an environment utilizing a PKI consisting of several Root and Intermediate Certificate Authorities. In order to reduce the overhead when requiring client authentication using digital certificates, I am using the following two directives:

SSLCACertificatePath – used for Root and Intermediate CAs
SSLCARevocationPath – used to process Certificate Revocation Lists

I’ve yet to encounter a version of Apache and Mod_SSL performing proper path validation. If a user presents a certificate that is revoked, but not included in the directory containing all the PEM/Base64 encoded CRL files and associated symbolic links, Apache allows access. If a user presents a certificate issued from an Intermediate Certificate Authority that is not included in the directory containing all the Root and Intermediate CA certificates in PEM/Base64 encoded format and associated symbolic links, he/she is allowed access. I would prefer the system to validate the entire chain and not allow access in the event a local CRL file or Intermediate CA certificate is not available.

By default, IIS performs this path validation correctly. If IIS does not have a current CRL file issued by each and every CA in the certificate path, the client is denied access. If IIS does not have a certificate from each and every CA in the certificate path, the client is denied access.

I am trying to automate the process of updating the CA certificate directory and associated CRL directories by scheduling a job to run on a nightly basis. If Apache has a local CRL and CA certificate from each and every CA in the path used to issue the client certificates, then all checks are performed and the client is properly validated. I would prefer the system default to “Closed” instead of “Open” in the event an Intermediate CA certificate is unavailable or no CRL file is available. Again, the system must have at least one CA certificate trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate issued by one of the Intermediate CAs, and Apache does deny access because the key usage of the client certificate does not allow it to be used as a Root CA and issue additional client certificates. I used OpenSSL in order to issue client certificates from a client certificate. This type of path validation seems to work on all the versions of Apache and Mod_SSL I’ve tested.

Thanks
Re: Certificate and CRL Path Validation Error
Hi There:

The limitations of mod_ssl for path validation go further than what you have described, in that it also cannot perform policy mapping up the entire certificate chain, and also has no concept of how to deal with AIA or SIA fields.

I'm not sure where the developers are in terms of full RFC 3280 Path Validation compliance, but as we also have a need for more full path validation, especially a model that will work in a Cross-Certification type environment, it is our intent to start work on this this fall, unless we hear from the community that there is already work underway to add in full 3280 validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought that I would bring it up here.)

Cheers.

--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
Re: Certificate and CRL Path Validation Error
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
(I'll probably take this over to modssl-devel, but since you asked, I thought that I would bring it up here.)

Hmm - I thought there WAS a developers mailing list, but apparently I was mistaken - so I guess I have to ask: is this the right place to have discussions about the best way to add in the capability for mod_ssl to do full 3280 path validation?

Thanks.

--
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca
error handling if certificate based auth has failed
Hi,

Is there a way to display an error page in case certificate based authentication has failed? I have read the mod_ssl reference page and searched the mailing list archive, but have not found any hints. It would be great to see an error page instead of an empty window or a cryptic browser error when a non-authorized user has tried to access a location with SSLVerifyClient require.

Thanks for your help.

André
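André's question and Vishal's earlier one ("Client certificate", the expired-certificate log above) ask the same thing: how to show the user a page instead of a dead browser window. The configuration below is an added example, not from either post or from the Apache project; the addresses, paths, the /secure location and the error-page name are assumptions. The approach is to make the handshake succeed when the browser sends no certificate (SSLVerifyClient optional, set at virtual-host level rather than per directory), then enforce the verification result at the HTTP layer with SSLRequire, where an ordinary ErrorDocument can be served. What it cannot do is turn a certificate that fails verification into a page: as Vishal's log shows ("Certificate Verification: Error (10): certificate has expired", followed by the failed handshake), mod_ssl rejects an expired or untrusted certificate inside the handshake itself, and the browser shows its own error.

```apache
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA(s) that issued the client certificates you are willing to accept.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyDepth 2

    # "optional": the handshake completes when the browser presents no
    # certificate, so the decision can be taken below. Set at vhost level so
    # mod_ssl does not renegotiate per directory (the "Re-negotiation
    # handshake failed" lines in the quoted logs come from per-directory
    # SSLVerifyClient). A certificate that fails verification (expired,
    # revoked, wrong issuer) is still refused during the handshake.
    SSLVerifyClient optional
    SSLOptions +StdEnvVars

    # Protected area: only a cleanly verified certificate gets in.
    # SSL_CLIENT_VERIFY is NONE (no certificate), SUCCESS, or GENEROUS
    # (unknown issuer accepted under optional_no_ca); anything but SUCCESS
    # ends in a 403.
    <Location /secure>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    # The 403 then renders a real page. Keep it outside /secure so it is
    # reachable without a certificate.
    ErrorDocument 403 /cert-error.html
</VirtualHost>
```

If the error page is a script rather than static HTML, the internal redirect that ErrorDocument performs makes the original request's variables available with a REDIRECT_ prefix, so REDIRECT_SSL_CLIENT_VERIFY tells the page whether the user sent no certificate at all or one from an issuer you do not trust.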
Re: Mod_proxy and client certificate auth
On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:
I'm trying to get mod_proxy to work as an SSL proxy using a client certificate on the proxy to connect to a backend IIS server that's set up to use any client certificate signed by my OpenSSL-based CA. If I use a browser with the same certificate bundled up as a PKCS12 bundle, through the proxy, it all works, but what I really need is for Apache/mod_ssl to use a locally stored version of the cert/key to connect, then let the IIS server do its normal basic auth. That's one single client cert/key for all externally connecting users (yes, I understand the ramification - it's not for user authentication,) not a per-user proxy cert.

There's no way to do this with mod_ssl without modifying the source. With httpd 2.2.x (and also I believe mod_ssl-2.8-for-1.3) what you can do is to pass through the client's SSL certificate (in PEM format) as a request header to the backend, then extract that on the backend server and verify it against a CA cert independently; see http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header and the %{...}s stuff. That is the traditional approach used when passing through client certs to Tomcat etc, and doesn't require an SSL connection between proxy and backend. Doing this with an IIS backend might be a challenge.

Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to bin/envvars.

That affects handling of RFC 3820 proxy certificates (which you are not using unless you are doing some serious PKI voodoo ;).

joe
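Joe's suggestion in concrete form, as an added example that is not part of his reply or of the httpd project's documentation: the front-end httpd verifies the client certificate itself and forwards what it learned to the backend as request headers over plain HTTP. The addresses, header names, backend host and paths are assumptions.

```apache
# Front-end httpd 2.2 that terminates TLS and performs the client-cert check.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA that issued the client certificates; a client without a valid
    # certificate is refused here and never reaches the backend.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Hand the verified identity to the backend. "set" overwrites any header
    # of the same name the client itself sent, so on this path the backend
    # never sees a client-chosen value. SSL_CLIENT_CERT is the PEM body and
    # therefore multi-line; the backend has to be prepared to reassemble it.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-Cert   "%{SSL_CLIENT_CERT}s"

    # Plain HTTP to the backend, as Joe describes; no proxy-side client
    # certificate is needed for this hop.
    ProxyPass        /app http://app-backend.internal/app
    ProxyPassReverse /app http://app-backend.internal/app
</VirtualHost>
```

The headers are only as trustworthy as the network path: the backend must accept connections from this proxy alone (bind to an internal interface, firewall the port), otherwise anyone who can reach it directly can supply an X-SSL-Client-S-DN of their choosing. Re-verifying the forwarded PEM against the CA on the backend, as Joe suggests, is a second line of defence, not a substitute for that restriction.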
Re: Mod_proxy and client certificate auth
On Wed, 7 Jun 2006, BJ Swope wrote:
From everything I've heard and read, mod-proxy will not proxy HTTPS on the back like what you are asking. You can have HTTPS on the front end but not on the back. It will have to be HTTP to the back. If you get this working I would LOVE to hear how you got it done.

I'm getting end-to-end SSL, just the undesired (this time) effect of having the client cert passed all the way through the chain, which I'd expect folks to want as normal behavior.

Paul
-
Paul D. Robertson
My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
http://fora.compuwar.net Infosec discussion boards
Re: Mod_proxy and client certificate auth
Guess I've been hearing wrong for 3 years now ;) Time to go digging...

--
We are all slave to our own paradigm. -- Joshua Williams
Re: Mod_proxy and client certificate auth
From everything I've heard and read, mod-proxy will not proxy HTTPS on the back like what you are asking. You can have HTTPS on the front end but not on the back. It will have to be HTTP to the back. If you get this working I would LOVE to hear how you got it done.

--
We are all slave to our own paradigm. -- Joshua Williams
Mod_proxy and client certificate auth
Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client certificate on the proxy to connect to a backend IIS server that's set up to use any client certificate signed by my OpenSSL-based CA. If I use a browser with the same certificate bundled up as a PKCS12 bundle, through the proxy, it all works, but what I really need is for Apache/mod_ssl to use a locally stored version of the cert/key to connect, then let the IIS server do its normal basic auth. That's one single client cert/key for all externally connecting users (yes, I understand the ramification - it's not for user authentication,) not a per-user proxy cert.

Here's what I have in my Apache ssl.conf file:

RequestHeader set Front-End-Https On
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key concatenated to it. I also have a hash link to the user.pem cert file. Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,
Paul
-
Paul D. Robertson
My statements in this message are personal opinions [EMAIL PROTECTED] which may have no basis whatsoever in fact.
Re: Apache sends wrong certificate
Hi Cliff,

Cliff Woolley wrote:
You're doing IP-based virtual hosting, not named-based virtual hosting. (You only have one virtual host per IP/port combination.) Thus you don't need NameVirtualHost. If you scroll down in the page you gave, you'll see an example of IP-based virtual hosting, and note that it does *not* include any NameVirtualHost directives. Hope this helps,

Thanks for the explanation. I *think* I understand the difference now. :) The next time we add a new IP-address I'll check if Apache ignores invalid DNS PTR records if I remove the NameVirtualHost. This might take a while though before this happens. I'll report my findings back to this list for documentation purposes.

Met groet,
Frank.

--
Frank van Beek
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
Re: Apache sends wrong certificate
Hi Ron,

R. DuFresne wrote:
I'm sure this has been answered, but in case it has not; You can not virtualize https to more than one hostsite, you have to have real IP addresses for https.

Thanks for your reply. I understand your confusion. In my post I masked out the first two numbers of the IP-addresses. But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned out (see a previous post), our problem was caused by a misconfigured reverse DNS.

Frank.

--
Frank van Beek
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
Re: Apache sends wrong certificate
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
I understand your confusion. In my post I masked out the first two numbers of the IP-addresses. But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned out (see a previous post), our problem was caused by a misconfigured reverse DNS.

I'm glad you figured it out, but it's still a little bit unclear to me why the DNS should have had any effect. The NameVirtualHost directives in the config snippet you posted are extraneous and should be removed. I wonder, if you'd gotten rid of those, whether the problem would have gone away regardless of DNS. Hmm...

--Cliff
Re: Apache sends wrong certificate
Hey Cliff,

Cliff Woolley wrote:
On 5/30/06, *Frank van Beek* wrote:
I understand your confusion. In my post I masked out the first two numbers of the IP-addresses. But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned out (see a previous post), our problem was caused by a misconfigured reverse DNS.

I'm glad you figured it out, but it's still a little bit unclear to me why the DNS should have had any effect. The NameVirtualHost directives in the config snippet you posted are extraneous and should be removed. I wonder, if you'd gotten rid of those, whether the problem would have gone away regardless of DNS.

I checked a couple of pages on VirtualHosts in the Apache documentation. As far as I can see, in the examples in most of them there is a NameVirtualHost for every VirtualHost, even when it's running on a different port. See the examples here: http://httpd.apache.org/docs/2.0/vhosts/examples.html

I don't know enough about Apache configuration to know when you need both, so could you please explain to me why in our configuration the NameVirtualHost directives are extraneous?

Met groet,
Frank.

--
Frank van Beek
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
Re: Apache sends wrong certificate
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
I checked a couple of pages on VirtualHosts in the Apache documentation. As far as I can see, in the examples in most of them there is a NameVirtualHost for every VirtualHost, even when it's running on a different port. See the examples here: http://httpd.apache.org/docs/2.0/vhosts/examples.html

All of the examples on that page that use NameVirtualHost are actually *doing* name-based virtual hosting, which is where you have multiple virtual hosts with the same IP/port combination (thus the only thing that distinguishes them is their name, as given in the Host: HTTP header). You're doing IP-based virtual hosting, not name-based virtual hosting. (You only have one virtual host per IP/port combination.) Thus you don't need NameVirtualHost. If you scroll down in the page you gave, you'll see an example of IP-based virtual hosting, and note that it does *not* include any NameVirtualHost directives.

Hope this helps,
--Cliff
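Cliff's point applied to Frank's configuration, as an added example that is neither Frank's posted file nor anything from the httpd documentation: one certificate per address, one virtual host per IP:port pair, and no NameVirtualHost. The addresses are documentation placeholders standing in for the masked xxx.xxx.198.x ones; the ServerName values and file paths are assumptions, the crt/key/chain file names are Frank's.

```apache
# IP-based SSL hosting: httpd picks the virtual host by the address and port
# the connection arrived on, so each address needs its own Listen and its
# own <VirtualHost>. NameVirtualHost is only for several hosts sharing one
# address:port, which cannot be told apart during the TLS handshake anyway.
Listen 192.0.2.62:443
Listen 192.0.2.61:443

<VirtualHost 192.0.2.62:443>
    ServerName www.example-one.test
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/crt1
    SSLCertificateKeyFile   /etc/httpd/ssl/key1
    SSLCertificateChainFile /etc/httpd/ssl/chain1
</VirtualHost>

<VirtualHost 192.0.2.61:443>
    ServerName www.example-two.test
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/crt2
    SSLCertificateKeyFile   /etc/httpd/ssl/key2
    SSLCertificateChainFile /etc/httpd/ssl/chain2
</VirtualHost>
```

Two checks tell you whether the mapping is what you intended before any DNS question arises: `httpd -S` (or `apachectl -S`) prints the parsed virtual-host table, address by address, and `openssl s_client -connect 192.0.2.62:443 </dev/null | openssl x509 -noout -subject` shows which certificate that address actually serves.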
Re: Apache sends wrong certificate
Hi all,

Frank van Beek wrote:
Hi all, This morning we migrated 4 of our websites to a new server. Each of these websites uses a certificate for https connections. We've got only one Apache instance running with 4 virtual hosts on 4 different IP-addresses.

Today we discovered the cause of our problems. Our new hosting provider had invalid reverse DNS records:

% dig -x xxx.xxx.198.61
-- snip --
;; ANSWER SECTION:
61.198.xxx.xxx.in-addr.arpa. 900 IN PTR .
-- snip --

After they changed their DNS, all we had to do was restart Apache to make it function correctly.

With many thanks to ssh on Mac OS X, which reported:

Nasty PTR record is set up for xxx.xxx.198.61, ignoring.

That's what gave us a clue that it might be reverse DNS related.

Frank.

--
Frank van Beek
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
Re: Apache sends wrong certificate
I'm sure this has been answered, but in case it has not; You can not virtualize https to more than one hostsite, you have to have real IP addresses for https.

Thanks,

Ron DuFresne

--
~~
admin senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins, Still Life With Woodpecker
Apache sends wrong certificate
Hi all,

This morning we migrated 4 of our websites to a new server. Each of these websites uses a certificate for https connections. We've got only one Apache instance running with 4 virtual hosts on 4 different IP-addresses. This worked fine on the old server. But since the move this morning Apache sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of these sites need an additional SSLCertificateChainFile, and this file is sent *correctly* depending on the IP-address. So Apache does see 4 different VirtualHosts, but somehow ignores the individual SSLCertificateFiles.

Here is the relevant part of httpd.conf for these 4 hosts:

Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
    SSLEngine On
    SSLCertificateChainFile chain1
    SSLCertificateFile crt1
    SSLCertificateKeyFile key1
</VirtualHost>

Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443
<VirtualHost xxx.xxx.198.61:443>
    SSLEngine On
    SSLCertificateChainFile chain2
    SSLCertificateFile crt2
    SSLCertificateKeyFile key2
</VirtualHost>

Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443
<VirtualHost xxx.xxx.198.63:443>
    SSLEngine On
    SSLCertificateFile crt3
    SSLCertificateKeyFile key3
</VirtualHost>

Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443
<VirtualHost xxx.xxx.198.64:443>
    SSLEngine On
    SSLCertificateFile crt4
    SSLCertificateKeyFile key4
</VirtualHost>

The old server is still up and running. I've upgraded Apache on that system to the same version (2.0.58) and copied httpd.conf to that machine. The above configuration somehow works correctly there.

I've been trying to debug this using openssl s_client -state -connect and I do see some relevant differences, but I've been unable to interpret them.

I know this report lacks a lot of possibly relevant details. But I didn't want to send the whole httpd.conf and all of the terminal output to this list. Is there an obvious mistake in my configuration? Or have I stumbled on a bug in Apache 2.0.58?

Met groet,
Frank.

--
Frank van Beek
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
[EMAIL PROTECTED]
make certificate hangs
Hi,

I've setup modssl with apache. I've followed the example from modssl.org. Then I try "make certificate type=custom" and it hangs at this point:

    Getting CA Private Key
    Verify: matching certificate & key modulus
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: OK

After that I made "make certificate type=test" and it hangs at:

    Getting CA Private Key
    Verify: matching certificate & key modulus
    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/[EMAIL PROTECTED]
    error 10 at 1 depth lookup:certificate has expired
    OK

How can I debug this issue?

Matthias
Re: make certificate hangs
"make certificate" is largely deprecated at this point, as far as I'm concerned... it doesn't even ship with Apache 2.0 + mod_ssl. The expiration could be considered a bug in Apache 1.3's mod_ssl, but IMO the best thing for you to do is to follow the steps in the mod_ssl documentation for creating your own self-signed certificate using openssl by hand. The documentation isn't perfect, but that route is still probably the best option right now that I know of.
Grr.. where is my CA's Certificate file?
Hello,

I am trying to setup apache to use a PKI (I think that is what it is called)... So each client will have to already have a public key to have access to my 'secure' apache server. I might hand out 5 of these public keys, and I want only those users to have access to this server.

My issue is this.. I cannot find my CA's certificate file (so I can tell ssl.conf about it via SSLCACertificateFile). I have run CA.pl -newca and then it creates these files:

--
    [EMAIL PROTECTED] demoCA]# ls
    cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial
    [EMAIL PROTECTED] demoCA]# ls -R
    .:
    cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial

    ./certs:

    ./crl:

    ./newcerts:
    EC895C0D3F2DC916.pem

    ./private:
    cakey.pem
    [EMAIL PROTECTED] demoCA]#
--

but now where is the file I tell ssl.conf about via SSLCACertificateFile. Sorry to bother you all, but I have been trying to find this out nearly all day.. without success :(

thanks for any input!

Lee
RE: export client certificate CN?
Add the following lines to your httpd configuration:

    JkEnvVar SSL_CLIENT_S_DN none
    JkEnvVar SSL_CLIENT_CERT none

This will make the client cert and distinguished name available through Apache environment variables. Then in Java (within a JSP/servlet):

    String DN = (String) request.getAttribute("SSL_CLIENT_S_DN");
    // can also get the whole cert: SSL_CLIENT_CERT

And parse out the common name.

Nadeem

From: [EMAIL PROTECTED] on behalf of August West
Sent: Mon 8/22/2005 12:17 PM
To: modssl-users@modssl.org
Subject: export client certificate CN?
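The "parse out the common name" step above is where most of the work is, and it is also where an authorization decision gets made, so it deserves more than a substring search. The script below is an added example (not Nadeem's code, and not from mod_ssl or Tomcat): a small DN parser for the string mod_ssl exports as SSL_CLIENT_S_DN, in both the legacy slash-separated form and the comma-separated RFC 2253 form, plus an authorization helper that checks the issuer DN before it trusts the CN. The DN values, the issuer name "Acme Client CA" and the allow list are all constructed.

```shell
#!/bin/sh
# Added example, not the poster's code: pull one attribute (normally CN)
# out of the subject DN string that mod_ssl exports as SSL_CLIENT_S_DN,
# and gate application access on it only after checking who issued the
# certificate.  All DN values below are constructed.
set -eu

# dn_field DN ATTR -> value of the first RDN named ATTR, or nothing.
# Understands the legacy oneline form  /C=US/O=Acme/CN=Jane  and the
# RFC 2253 form  CN=Jane,O=Acme,C=US.  A value containing the separator
# itself (escaped as \/ or \, by OpenSSL) is not handled by this split.
dn_field() {
    case $1 in
        /*) sep=/ ;;
        *)  sep=, ;;
    esac
    printf '%s\n' "$1" | awk -v FS="$sep" -v want="$2" '
        {
            for (i = 1; i <= NF; i++) {
                rdn = $i
                sub(/^ +/, "", rdn)                 # tolerate "CN = x" spacing
                eq = index(rdn, "=")
                if (eq == 0) continue
                key = substr(rdn, 1, eq - 1); sub(/ +$/, "", key)
                if (key == want) {
                    val = substr(rdn, eq + 1); sub(/^ +/, "", val)
                    print val; exit
                }
            }
        }'
}

# Constructed values, as a CGI or servlet would see them once
# SSLVerifyClient require has succeeded and the variables are exported.
SAMPLE_S_DN='/C=US/O=Acme Ltd/OU=Ops/CN=August West/emailAddress=aw@example.test'
SAMPLE_I_DN='/C=US/O=Acme Ltd/CN=Acme Client CA'

# Constructed allow list: the handful of people who were issued a cert.
allowed_cn() {
    case $1 in
        "August West"|"Jane Doe") return 0 ;;
        *) return 1 ;;
    esac
}

# authorize_client SUBJECT_DN ISSUER_DN -> prints the CN to map to an
# application user and returns 0, or prints nothing and returns 1.
# The issuer check matters: SSLCACertificateFile may hold several CAs,
# and a CN is only meaningful relative to the CA that vouched for it.
authorize_client() {
    [ "$(dn_field "$2" CN)" = "Acme Client CA" ] || return 1
    cn=$(dn_field "$1" CN)
    [ -n "$cn" ] || return 1
    allowed_cn "$cn" || return 1
    printf '%s\n' "$cn"
}

authorize_client "$SAMPLE_S_DN" "$SAMPLE_I_DN"
```

The issuer DN is available from mod_ssl as SSL_CLIENT_I_DN alongside SSL_CLIENT_S_DN; if you forward only the subject DN to Tomcat, forward the issuer too, otherwise the CN check above cannot tell two CAs' users apart.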
export client certificate CN?
I am currently using mod_ssl to verify client certs are issued by trusted CAs (e.g. SSLVerifyClient require), but then using username/password for application identification/authorization, passing this to Oracle via Tomcat using JAVA.

However, I'd like to be able to use client certs for I/A by exporting the CN (or perhaps serial number) when verifying. I have tried to add SSLOptions +ExportCertData, but I am not sure where this data is being exported to! This seemed like the appropriate SSL Option to be able to parse the cert data, but please correct me if I am wrong.

Does anyone have any implementation suggestions exporting the CN from client certs, particularly for retrieving this information with JAVA?

TIA!
Re: export client certificate CN?
I am trying to use mod_auth_ldap with apache2, and I am having trouble figuring out how to generate a trusted Certificate Authority certificate. I tried using the Netscape certificate database file as the apache docs suggest, but I'm still getting a complaint from LDAP that "LDAP: ssl connections not supported".

Can I use openssl to make a DER_FILE or a BASE64_FILE? Has anyone here had experience getting this to work?

Thanks for your time.

Best,
Andrew

I am totally lost on this. I appreciate any help.

>>> [EMAIL PROTECTED] 8/22/2005 9:17 AM >>>

Andrew Musselman
[EMAIL PROTECTED]
RE: export client certificate CN?
> I am trying to use mod_auth_ldap with apache2, and I am having trouble
> figuring out how to generate a trusted Certificate Authority certificate.
> I tried using the Netscape certificate database file as the apache docs
> suggest, but I'm still getting a complaint from LDAP that "LDAP: ssl
> connections not supported".

Not sure, but this sounds like you haven't enabled SSL, not that it can't negotiate the session.

> Can I use openssl to make a DER_FILE or a BASE64_FILE? Has anyone here
> had experience getting this to work?

Here's how I've generated server cert requests (PKCS #10, which works fine with Netscape):

    openssl req -config openssl.cnf -new -out hostname.csr
    openssl rsa -in privkey.pem -out hostname.key

Then you'll need to point apache to the right certs:

    SSLCertificateFile /server.crt
    SSLCertificateKeyFile /server.key
    SSLCACertificateFile /CA.crt

If you want to generate the certs yourself rather than submit the CSRs to a CA:

    openssl x509 -in hostname.csr -out hostname.crt -req -signkey hostname.key -days 365
access restriction based on RFC3280/4.2 'Certificate Extensions'
Hi,

is it somehow possible to restrict access to a httpd2/mod_ssl based on the presence of an extended attribute with a specific OID in the client's certificate? I was unsuccessful looking that up in the docs or ml-archive.

Thank you for any hint,
/ pit
Re: access restriction based on RFC3280/4.2 'Certificate Extensions'
On Mon, Aug 08, 2005 at 02:26:37PM +0200, Pitrich, Karl wrote:
> Hi, is it somehow possible to restrict access to a httpd2/mod_ssl based
> on the presence of an extended attribute with a specific OID in the
> client's certificate?

There is some support for that in the very latest httpd dev tree - see
http://mail-archives.apache.org/mod_mbox/httpd-cvs/200507.mbox/[EMAIL PROTECTED]

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: certificate weirdness
Hello Vlad,

You are trying to use NameVirtualHost for ssl which will not work. Basically which cert does it use? The ssl connection needs to be setup before the site name (hence virtual host and cert) can be established by apache.

You'll need two IPs, or use different ports (yuck).

Regards
Matt

--- Vlad Ciubotariu [EMAIL PROTECTED] wrote:
> I'm doing something wrong in my config file. For some reason, when
> pointed to https://calendar.mydomain.ca the browser tells me the
> security certificate belongs to mail.mydomain.ca even though the two
> domains have been configured with different certificates. Could anyone
> shed some light, please? Thanks in advance.
Re: certificate weirdness
I've finally got it to work. I possibly see why it didn't work in the first place. Mod_ssl handles encryption before httpd even sees the url. Thus I can't set certificates in directory or name-based virtual containers.

Thanks!

On Wed, Jul 27, 2005 at 06:49:12AM -0700, Matt Stevenson wrote:
> Hello Vlad,
>
> You are trying to use NameVirtualHost for ssl which will not work.
> Basically which cert does it use? The ssl connection needs to be setup
> before the site name (hence virtual host and cert) can be established
> by apache.
>
> You'll need two IPs, or use different ports (yuck).
>
> Regards
> Matt
certificate weirdness
I'm doing something wrong in my config file. For some reason, when pointed to https://calendar.mydomain.ca the browser tells me the security certificate belongs to mail.mydomain.ca even though the two domains have been configured with different certificates. Could anyone shed some light, please? Thanks in advance.

    ##
    ## SSL Support
    ##
    ## When we also provide SSL we have to listen to the
    ## standard HTTP port (see above) and to the HTTPS port
    ##
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

    ...

    NameVirtualHost *:80
    NameVirtualHost *:443

    #
    # VirtualHost example:
    # Almost any Apache directive may go into a VirtualHost container.
    <VirtualHost *>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/mail
        ServerName mail.mydomain.org
        Redirect / https://mail.mydomain.org/
    </VirtualHost>

    <VirtualHost *>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/calendar
        ServerName calendar.mydomain.org
        Redirect / https://calendar.mydomain.org/
    </VirtualHost>

    ##
    ## SSL Global Context
    ##
    ## All SSL configuration in this context applies both to
    ## the main server and all SSL-enabled virtual hosts.
    ##

    #
    # Some MIME-types for downloading Certificates and CRLs
    #
    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    </IfDefine>

    <IfModule mod_ssl.c>
    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is a internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First either `none'
    # or `dbm:/path/to/file' for the mechanism to use and
    # second the expiring timeout (in seconds).
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300

    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    SSLMutex sem

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the
    # SSL library. The seed data should be of good random quality.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed connect file:/dev/urandom 512
    SSLRandomSeed startup file:/dev/arandom 512

    # Logging:
    # The home of the dedicated SSL protocol logfile. Errors are
    # additionally duplicated in the general error log file. Put
    # this somewhere where it cannot be used for symlink attacks on
    # a real server (i.e. somewhere where only root can write).
    # Log levels are (ascending order: higher ones include lower ones):
    # none, error, warn, info, trace, debug.
    SSLLog logs/ssl_engine_log
    SSLLogLevel info
    </IfModule>

    <IfDefine SSL>
    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost *:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/mail
        ServerName mail.mydomain.org
        SSLEngine on
        SSLCertificateFile /etc/ssl/webmail.crt
        SSLCertificateKeyFile /etc/ssl/private/webmail.key
        <Location />
            SSLRequireSsl
        </Location>
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/calendar
        ServerName calendar.mydomain.org
        SSLEngine on
        SSLCertificateFile /etc/ssl/calendar.crt
        SSLCertificateKeyFile /etc/ssl/private/calendar.key
        <Location />
            SSLRequireSsl
        </Location>
        <Directory /var/www/virthosts/calendar>
            Order allow,deny
            Allow from all
        </Directory>
        <Location /cgi-bin/>
            SetHandler perl-script
            PerlHandler Apache::Registry
            #PerlHandler Apache::PerlRun
            Options ExecCGI
            PerlSendHeader On
        </Location>
    </VirtualHost>

    #
    <VirtualHost _default_:443>

    # General setup for the virtual host
    #DocumentRoot /var/www/htdocs
    #ServerName new.host.name
    #ServerAdmin [EMAIL PROTECTED]
    #ErrorLog logs/error_log
    #TransferLog logs/access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A test
    # certificate can be generated with `make certificate' under
    # built time.
    SSLCertificateFile /etc/ssl/server.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file.
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Certificate Authority (CA):
    # Set the CA
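This thread and the four-IP migration report at the top of the page come down to the same question: which certificate does a given listener actually hand out, and is its CN the name the vhost bound to that address is supposed to serve (the mismatch mod_ssl warns about in the "Certificate Problems" thread further down). The script below is an added example, not code from any of the posts. It uses openssl s_client the way the first post does, connecting to each IP in turn, and reads the CN out of the presented certificate so the four answers can be compared side by side. The addresses and host names in it are constructed, and check_listener assumes a reachable TLS listener at the address it is given.

```shell
#!/bin/sh
# Added example, not from the mailing-list posts: report which certificate a
# TLS listener really presents and whether its CN is the name the vhost on
# that address is meant to serve.  Addresses and names are constructed.
set -eu

# cn_from_subject SUBJECT_LINE -> the CN value, or nothing if there is none.
# Accepts both spellings `openssl x509 -subject` has used over the years:
#   subject= /C=NL/O=Example/CN=host/emailAddress=...          (older releases)
#   subject=C = NL, O = Example, CN = host, emailAddress = ...  (newer releases)
cn_from_subject() {
    printf '%s\n' "$1" | sed -n \
        -e '/CN *=/{' \
        -e 's/.*CN *= *//' \
        -e 's|[,/].*||' \
        -e 'p' \
        -e '}'
}

# cert_cn FILE -> CN of the PEM certificate a vhost's SSLCertificateFile
# points at, i.e. the name the listener is *supposed* to present.
cert_cn() {
    cn_from_subject "$(openssl x509 -in "$1" -noout -subject)"
}

# served_cn ADDR [PORT] -> CN of the certificate the listener at ADDR:PORT
# hands to a client.  Connecting by IP address, as the first post does,
# means no SNI is sent, which is exactly what an IP-per-vhost layout relies
# on (newer s_client sends SNI for a host name unless given -noservername).
served_cn() {
    cn_from_subject "$(openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
                       openssl x509 -noout -subject)"
}

# check_listener ADDR EXPECTED_CN [PORT] -> prints a verdict; returns 0 on
# match, 1 otherwise.
check_listener() {
    got=$(served_cn "$1" "${3:-443}")
    if [ "$got" = "$2" ]; then
        printf 'ok    %s presents CN=%s\n' "$1" "$got"
    else
        printf 'FAIL  %s presents CN=%s, expected CN=%s\n' "$1" "$got" "$2"
        return 1
    fi
}

# Constructed listener map in the style of the four-IP layout: one
# "address expected-CN" pair per line.  Pass --live to actually connect.
LISTENERS='192.0.2.61 mail.example.test
192.0.2.62 calendar.example.test'

if [ "${1:-}" = --live ]; then
    failed=0
    while read -r addr cn; do
        check_listener "$addr" "$cn" || failed=1
    done <<EOF
$LISTENERS
EOF
    exit $failed
else
    # Offline: show the parser on constructed subject lines.
    cn_from_subject 'subject= /C=NL/O=Example/CN=mail.example.test/emailAddress=a@example.test'
    cn_from_subject 'subject=C = NL, O = Example, CN = calendar.example.test'
fi
```

Run it with --live against the real addresses (after editing LISTENERS) and every line should read "ok"; a listener that reports the first vhost's CN for every address reproduces the symptom from the first post. Comparing served_cn with cert_cn on the file named in that vhost's SSLCertificateFile tells you whether the wrong file is configured or the right file is being ignored.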
Client certificate expiry handling
Hi,

I know this has been raised before but please read on.

Currently AFAIK client certificate expiry checking is done by openssl and the connection is terminated before apache comes into play, hence no error page can be sent. This is a problem as IE doesn't tell the user the client certificate is expired. Hence the user experiences a horrible disconnect page (not nice for issue tracking either as it's pretty generic).

Both Netscape and IIS can send back an error to the browser under this condition. The company I work for would also like apache to be able to do this. There is a good possibility that the changes would be funded. I'm looking for someone who has experience with apache/mod_ssl/openssl to give an idea on the feasibility and a time estimate to do the work. Suggestions on who could do this are also welcome.

Regards
Matt
Re: certificate and authentication re-prompting
Could be your browser settings. If you're running Firefox go to the menu Tools > Options. Select Advanced and scroll down to the Certificates area. Set Client Certificate Selection to "Select Automatically". This is often the cause of such behaviour.

Hope this helps.

Best regards
/Daniel

----- Original Message -----
From: C T
To: modssl-users@modssl.org
Sent: Wednesday, June 22, 2005 2:34 AM
Subject: certificate and authentication re-prompting
certificate and authentication re-prompting
I need some advice/help.

I am running...well my web host service is running...
Apache/2.0.46 (Red Hat) Server
openssl-0.9.7a-33.12
mod_ssl-2.0.46-44.ent

Also, I was originally set up through some kind of "virtual hosting", but I paid extra for SSL, and I have a httpsdocs folder. (if you can't tell I'm new to this) I also use .htaccess with .htpasswd for user authentication.

Everything seems to be working fine, but my problem is...

I can enter my domain with the https://. OK
I get prompted to accept the certificate, and I get prompted for the username/password. OK

The problem surfaces when I begin to browse around in the https area. Sooner or later I will get re-prompted to accept the certificate and enter my username/password, again. I don't know why it does this, and my web hosting service can't seem to explain it either. I've reproduced the error on more than 4 computers. I can't find anything that would cause my browser session to expire, in mid-session.

Can anyone help me or give me a direction to go in? Be Kind, I'm new to apache and mod_ssl.

Thanks,
Craig
[EMAIL PROTECTED]
client certificate problems
In short I'm working on duplicating a web site locally for testing and I am unable to get Client certificates to work here in my lab. The main/public site is using apache 1.3.33 on OS X and is properly configured for client certs, but I can't get this test configuration to work. I am using Apache 2.0.52 so that could be a factor. (if necessary, I will try to reconfigure with 1.3.33)

The client browser is IE 6.x and what is odd is when I navigate to the main/public site I am prompted to select a certificate, but when I navigate to the test site IE 6.x just times out. For that reason I am suspicious of the apache configuration but I can't be certain. I tried with FireFox (1.0) and it also timed out. Firefox is configured to ask every time for client cert selection and like IE, I am not prompted. (I'm also suspicious as to why I can't select the client certificate from the IE dialog for the test site - only the certificate for the public site is listed.)

The virtual host configuration is listed below (ssl.conf was unchanged for 2.0.52) and the error in the ssl.log is also listed below. If anyone could offer any troubleshooting tips that would be greatly appreciated.

Thanks for your time and assistance.

John

//-----------------------------------------------------------
Additional information:
Version: Apache/2.0.52
OS: Mac OS X 10.3.7
//-----------------------------------------------------------
// here is the log of the error:

    [info] Initial (No.1) HTTPS request received for child 5 (server www.apollo.home:443)
    [debug] ssl_engine_kernel.c(422): Changed client verification type will force renegotiation
    [info] Requesting connection re-negotiation
    [debug] ssl_engine_kernel.c(650): Performing full renegotiation: complete handshake protocol
    [info] Awaiting re-negotiation handshake
    [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept initialization
    [debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to read on BIO#1280be0 [mem: 7f7000]
    [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read client hello B
    [error] Re-negotiation handshake failed: Not accepted by client!?

//-----------------------------------------------------------
// here is the virtual host info:

    <VirtualHost www.apollo.home:443>
        DocumentRoot /some_directory/ssl_site
        ServerAdmin [EMAIL PROTECTED]
        ServerName www.apollo.home
        LogLevel warn
        # LogLevel debug

        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        # Per-Server Logging:
        CustomLog logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        ErrorLog logs/apollo/443.error.log

        DirectoryIndex index.html

        <IfModule mod_ssl.c>
            #
            # ssl stuff
            #
            SSLEngine On
            SSLProtocol all -SSLv3
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            #
            # LogLevel debug
            ErrorLog logs/apollo/ssl.log
            SSLOptions +StdEnvVars +ExportCertData
            #
            #
            # path to certificates and private key
            #
            SSLCertificateFile /some_directory/openssl/servers/www.apollo.home.cert.pem
            SSLCertificateKeyFile /some_directory/openssl/servers/www.apollo.home.key.unencrypted
            SSLCACertificateFile /some_directory/openssl/private/CA-1.cert.pem
        </IfModule>

        <Location /secure_dir>
            SSLVerifyClient require
            SSLVerifyDepth 3
        </Location>
    </VirtualHost>
More certificate problems
I am having problems signing the certificate.

I can successfully generate the RSA private key using the command

    openssl genrsa -des3 -out server.key 1024

I can create a CSR file using

    openssl req -new -key server.key -out server.csr

I can even generate the RSA private key for the CA

    openssl genrsa -des3 -out ca.key 1024

I have even created the self signed certificate using

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

When I try and run the shell script sign.sh I get as far as

    Sign the certificate? [y/n]

to which I answer 'y'. The reply I get back from the script is

    'failed to update database'
    'TT_DB error number 2'
    'unable to load certificate'
    '16129:error:0906D06C:PEM routines:PEM_read_bio: no start line:pem_lib.c:632 Expecting TRUSTED CERTIFICATE'

I obviously find that the server.crt is empty. I would appreciate some help with this problem.

Thanks
Richard Skeggs

The sign.sh shell script I am using is shown below

    #!/bin/sh
    ##
    ##  sign.sh -- Sign a SSL Certificate Request (CSR)
    ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
    ##

    #   argument line handling
    CSR=$1
    if [ $# -ne 1 ]; then
        echo "Usage: sign.sign <whatever>.csr"; exit 1
    fi
    if [ ! -f $CSR ]; then
        echo "CSR not found: $CSR"; exit 1
    fi
    case $CSR in
       *.csr ) CERT=`echo $CSR | sed -e 's/\.csr/.crt/'` ;;
           * ) CERT="$CSR.crt" ;;
    esac

    #   make sure environment exists
    if [ ! -d ca.db.certs ]; then
        mkdir ca.db.certs
    fi
    if [ ! -f ca.db.serial ]; then
        echo '01' >ca.db.serial
    fi
    if [ ! -f ca.db.index ]; then
        cp /dev/null ca.db.index
    fi

    #   create an own SSLeay config
    cat >ca.config <<EOT
    [ ca ]
    default_ca              = CA_own
    [ CA_own ]
    dir                     = /etc/ssl
    certs                   = /etc/ssl/certs
    new_certs_dir           = /etc/ssl/ca.db.certs
    database                = /etc/ssl/ca.db.index
    serial                  = /etc/ssl/ca.db.serial
    RANDFILE                = /etc/ssl/ca.db.rand
    certificate             = /etc/ssl/certs/ca.crt
    private_key             = /etc/ssl/private/ca.key
    default_days            = 365
    default_crl_days        = 30
    default_md              = md5
    preserve                = no
    policy                  = policy_anything
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    EOT

    #   sign the certificate
    echo "CA signing: $CSR -> $CERT:"
    openssl ca -config ca.config -out $CERT -infiles $CSR
    echo "CA verifying: $CERT <-> CA cert"
    openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

    #   cleanup after SSLeay
    rm -f ca.config
    rm -f ca.db.serial.old
    rm -f ca.db.index.old

    #   die gracefully
    exit 0
Certificate Problems
I am trying to set up SSL on my server and I have been through what I believe are the correct settings. I can run the command line 'openssl s_client -connect eghapp:443 -state -debug' and I don't appear to get an error message. However, when trying to start apache using the startssl switch the following errors turn up in the ssl_error_log:

    [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
    [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
    [Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request

I have also been able to successfully run the command 'curl https://eghapp'. However, when I try to open 'https://eghapp' in the browser I get an error saying that the DNS server cannot be found. On checking, nothing gets written to any of the ssl log files.

Does anyone know how I can resolve this?

Thanks
Richard Skeggs
Software Engineer
Mobius Management Systems
Cavendish House, 5 The Avenue, Egham, Surrey TW20 9AB
Tel: +44 (0) 1784 484700
Mobile: +44 (0) 7971 608315
email: [EMAIL PROTECTED]
RE: Certificate Problems
Plain text please...

If you got an error in the ssl error-log then apache must be running.

The invalid method error is exactly that - the HTTP method wasn't GET, POST etc... What request were you making when you got the error? Cross-check the access log for details...

It looks like your certificate common name is localhost.localdomain and this doesn't match the ServerName argument, which is what the warning is about.

The DNS error means that the browser cannot resolve eghapp to an IP address while curl, apparently, can. No idea why - depends on OS, browser version, config etc. (eg, if the browser goes via a proxy, the proxy will not see a local /etc/hosts definition of eghapp).

Tip: if you post back, cut'n'paste exact error messages - do not paraphrase as this loses important information. Also, give OS, apache 1.3 or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

-----Original Message-----
From: Richard Skeggs
Sent: Wednesday, 16 June 2004 11:07
Subject: Certificate Problems

[...]
FW: Certificate Problems
Thanks for the response. To explain a bit more, the error I see in the log file only gets written when I start apache using apachectl startssl. The message written to ssl_error_log is:

    [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed Jun 16 10:59:48 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
    [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed Jun 16 10:59:50 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

As for the request I was making, it was simply to get the home page of eghapp. Using the URL http://eghapp:8000 through my browser I get to view the home page of eghapp. However, with https://eghapp:8000 I get the following log message from error_log:

    [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid method in request!L!!

From access_log:

    10.14.2.8 - - [16/Jun/2004:11:07:38 +0100] L 501 1007

Nothing gets written to the ssl message files. The browser returns "Cannot find server or DNS Error" (Internet Explorer).

I am trying to install SSL on the eghapp server, which is a RedHat 9 Linux box.

An extract from the hosts file on eghapp is:

    127.0.0.1    localhost loghost
    10.14.1.150  eghapp

An extract from the httpd.conf file is shown below:

    Listen 8000
    NameVirtualHost 10.14.1.150
    <VirtualHost 10.14.1.150>
        ProxyPass /esav http://eghsnap1:8081/esav
        ProxyPassReverse /esav http://eghsnap1:8081/esav
        ProxyPass /ddrint http://eghsnap2:8081/ddrint
        ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint
        ProxyPass /vnc http://eghsnap1:80/vnc
        ProxyPassReverse /vnc http://eghsnap1:80/vnc
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/html
        ServerName eghapp
        ErrorLog logs/error_log
        CustomLog logs/access_log common
    #</VirtualHost>
        SSLProtocol -all +SSLv2
        SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
        SSLCertificateFile /etc/httpd/server.csr
        SSLCertificateKeyFile /etc/httpd/server.key
    </VirtualHost>

For your information I am running Apache 2.0.4.0 and IE 6.0.2.

Richard

-----Original Message-----
From: Boyle Owen
Sent: 16 June 2004 10:20
Subject: RE: Certificate Problems

[...]

-----Original Message-----
From: Richard Skeggs
Sent: Wednesday, 16 June 2004 11:07
Subject: Certificate Problems

[...]
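The two Richard Skeggs threads above (the failing sign.sh run, and the "RSA server certificate is a CA certificate" / "CommonName does NOT match server name" warnings together with an SSLCertificateFile that points at /etc/httpd/server.csr) are all the same class of mistake: the file handed to mod_ssl is not an end-entity certificate for the host name in ServerName. Two readings of the posted material are worth spelling out. First, "TXT_DB error number 2" from openssl ca means the CA's index file already holds an entry with the same subject, which is what happens when the same CSR is signed twice; the posted ca.config also keeps its database under /etc/ssl while the script creates ca.db.* in the current directory, so the index actually used is not the one the script initialises. Second, "PEM routines:PEM_read_bio:no start line ... Expecting: TRUSTED CERTIFICATE" is simply openssl verify (or mod_ssl) being given a file that contains no certificate, whether that file is empty or is a CSR.

The script below is an added example, not code from either post: it issues a server certificate from a private CA with openssl x509 -req (which keeps no index and so cannot hit TXT_DB error 2) and then runs, by hand, the checks that mod_ssl only warns about at startup: the chain verifies, the certificate is CA:FALSE, the host name eghapp (taken from the thread) is in the certificate, a different name is rejected, and the CSR is not accepted as a certificate. The CA name and the temporary directory are assumptions; it needs only the openssl command line (1.1.1 or later, for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the thread): issue a server certificate from a private
# CA, then check the properties that the ssl_error_log warnings above are about.
# Everything happens in a throw-away directory; the CA name is made up.

issue_and_check() (   # issue_and_check HOSTNAME  -> prints "ok" on success
  set -eu
  host=$1
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"

  # 1. CA key and self-signed CA certificate. An explicit config file instead
  #    of the system openssl.cnf, so the extensions do not depend on the
  #    distribution's defaults.
  openssl genrsa -out ca.key 2048 2>/dev/null
  cat >ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -key ca.key -config ca.cnf -days 30 -out ca.crt

  # 2. Server key and CSR, then sign the CSR with END-ENTITY extensions:
  #    CA:FALSE, and a subjectAltName that carries the host name.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -config ca.cnf -subj "/CN=$host" -out server.csr
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\nauthorityKeyIdentifier=keyid\n' "$host" >server.ext
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 30 -extfile server.ext -out server.crt 2>/dev/null

  # 3. The checks. Each failing command aborts the subshell (set -e), so "ok"
  #    is only printed when all of them pass.
  openssl verify -CAfile ca.crt server.crt >/dev/null              # chain is valid
  openssl verify -CAfile ca.crt -verify_hostname "$host" server.crt >/dev/null
  openssl x509 -in server.crt -noout -text | grep -q 'CA:FALSE'    # not a CA cert

  # A name that is not in the certificate must be rejected; this is the
  # "CommonName does NOT match server name" warning done by hand.
  if openssl verify -CAfile ca.crt -verify_hostname localhost.localdomain \
        server.crt >/dev/null 2>&1; then
    echo "hostname check unexpectedly passed"; exit 1
  fi

  # A CSR is not a certificate. Pointing SSLCertificateFile at server.csr, or
  # running openssl verify on an empty .crt, gives the "no start line ...
  # Expecting: TRUSTED CERTIFICATE" error from the first thread.
  if openssl x509 -in server.csr -noout 2>/dev/null; then
    echo "CSR was accepted as a certificate"; exit 1
  fi
  echo ok
)

issue_and_check eghapp
```

In the httpd.conf from the thread the equivalent fix is SSLCertificateFile /etc/httpd/server.crt (the signed output, not the .csr) with ServerName eghapp matching a name in that certificate, and the CA certificate kept out of the server slot altogether; the startup warnings then disappear.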
Cannot find peer certificate chain
Dear all

I'm using the following components:
* apache 1.3.29
* mod_ssl 2.8.16-1.3.29
* openssl 0.9.7d
* mm 1.3.0
* Solaris 8

I've configured:

    SSLSessionCache shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)

The problem only occurs if we use client certs. If we do multiple requests on the same SSL session then I get an error the *first time* the request is handled by the *same* apache child that has stored the SSL session ID in the cache. All other children can access the cache without problems.

trace output in ssl_engine_log (debug level does not provide better info):

    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept initialization
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello A
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server hello A
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
    [21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
    [21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received for child 0 (server airlock_baumi.ergon.ch:4442)
    [21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will force quick renegotiation
    [21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
    [21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just re-verifying the peer
    [21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
    [21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation finished successfully
    [21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with standard shutdown (server airlock_baumi.ergon.ch:4442, client 192.168.167.99)

I wonder about the "Cannot find peer certificate chain" and then the "SSL negotiation finished successfully". hmmm.

If we use dbm instead of shmcb then this problem does not occur.

I had a look at the source code. ssl_engine_kernel.c, line 963:

    ssl_log(r->server, SSL_LOG_TRACE,
            "Performing quick renegotiation: just re-verifying the peer");
    certstack = SSL_get_peer_cert_chain(ssl);
    cert = SSL_get_peer_certificate(ssl);
    if (certstack == NULL && cert != NULL) {
        /* client certificate is in the SSL session cache, but there
         * is no chain, since ssl3_get_client_certificate()
         * sk_X509_shift()'ed the peer certificate out of the chain.
         * So we put it back here for the purpose of quick renegotiation.
         */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
    if (certstack == NULL || sk_X509_num(certstack) == 0) {
        ssl_log(r->server, SSL_LOG_ERROR, "Cannot find peer certificate chain");
        return FORBIDDEN;
    }

If I omit the check on certstack == NULL with the following change:

    if (cert != NULL) {
        /* client certificate is in the SSL session cache, but there
         * is no chain, since ssl3_get_client_certificate()
         * sk_X509_shift()'ed the peer certificate out of the chain.
         * So we put it back here for the purpose of quick renegotiation.
         */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }

then the error does not occur.

Since there was no change in ssl_engine_kernel.c in version 2.8.17-1.3.31 I do not expect that this behaviour has changed. Of course I will do the tests again with updated apache and mod_ssl.

My question is now: Does anybody know about a problem in this area? What are the side-effects of my code change?

You can see the details also here: http://cvs.ossp.org/tktview?tn=46

thanks for any ideas and replies
Erwin Huber
Client certificate verification Error handling in apache2 with mod_ssl
Hello,

Does mod_ssl support any type of error handling for the client certificate authentication? I'd really like to have another page load than a "server not found" one when a client presents an invalid certificate.

If not, is it possible to bypass some verifications such as the cert date, so my servlet engine can check that itself and display an appropriate error page instead of the "server not found" one? So Apache would just take the certificate, not check anything, export it, and I'll handle all cert related errors somewhere else.

Thanks,
Michael Lamot
RE: Expired CA Certificate
We recently had a problem with our Verisign Intermediate CA Certificate. This link (https://www.verisign.com/support/site/caReplacement.html) points to how they said to fix the problem. Your case may be similar.

Florian Yanez
Manager of Technical Systems
Helzberg Diamond Shops, Inc.
[EMAIL PROTECTED]
816-627-1253

-----Original Message-----
From: Rory Chisholm
Sent: Tuesday, February 10, 2004 7:14 AM
Subject: Expired CA Certificate

This isn't totally modssl related but maybe someone knows the answer. I'm using OpenSCEP with openssl. My CA Certificate has just expired. Now since our VPN sees very little use (only one important user) I'd like to re-issue the x509 CA certificate with the same key but different attributes (a later expiry date). Can this be done without re-generating every certificate ever issued from scratch?

The real question here is: do x509 certificates that have been signed by a CA certificate store a hash of the CA certificate based solely on the CA's key or based on the full CA certificate including its attributes?

Has anyone had any experience doing this?

Thanks for any help,
Rory Chisholm
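On Rory's question: an issued certificate does not store a hash of the CA certificate. It stores the CA's subject DN as its issuer and a signature that verifies with the CA's public key; where an Authority Key Identifier extension is present in its usual keyid form, that identifier is a hash of the CA's public key (the CA certificate's Subject Key Identifier), not of the certificate as a whole. A CA certificate re-issued with the same key pair and the same subject DN but a later notAfter therefore keeps every previously issued certificate verifiable. The script below is an added example, not part of the thread, that demonstrates exactly that with openssl and then shows the control case (same name, different key) failing. The CA and user names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a certificate issued under an old CA
# certificate still verifies against a CA certificate re-issued with the SAME
# key and SAME subject name, and stops verifying if a different key is used.

# key_id CERT 'Subject Key Identifier'|'Authority Key Identifier'
# Prints the identifier as colon-separated hex, with the "keyid:" prefix that
# older OpenSSL versions print in front of an AKID removed.
key_id() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 "$2" | tail -n 1 | sed 's/^ *//; s/^keyid://'
}

renew_ca_same_key() (   # prints "ok" when every check passes
  set -eu
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"
  cat >ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example VPN CA
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Original CA certificate (short-lived, as in the post) and one user cert
  # whose AKID points at the CA key.
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -key ca.key -config ca.cnf -days 1 -out ca-old.crt
  openssl genrsa -out user.key 2048 2>/dev/null
  openssl req -new -key user.key -config ca.cnf -subj '/CN=vpn-user' -out user.csr
  printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' >user.ext
  openssl x509 -req -in user.csr -CA ca-old.crt -CAkey ca.key -CAcreateserial \
      -days 1 -extfile user.ext -out user.crt 2>/dev/null
  openssl verify -CAfile ca-old.crt user.crt >/dev/null

  # Re-issue the CA certificate from the same key and config (same subject DN),
  # this time valid for ten years. Nothing about user.crt changes.
  openssl req -new -x509 -key ca.key -config ca.cnf -days 3650 -out ca-new.crt
  openssl verify -CAfile ca-new.crt user.crt >/dev/null

  # The identifiers are derived from the key, so old and new CA certificates
  # carry the same SKID and the user certificate's AKID still matches it.
  old_skid=$(key_id ca-old.crt 'Subject Key Identifier')
  new_skid=$(key_id ca-new.crt 'Subject Key Identifier')
  user_akid=$(key_id user.crt 'Authority Key Identifier')
  [ -n "$old_skid" ] && [ "$old_skid" = "$new_skid" ] && [ "$user_akid" = "$new_skid" ]

  # Control: a new key under the same name is a different CA, and the old
  # user certificate must not verify against it.
  openssl genrsa -out other.key 2048 2>/dev/null
  openssl req -new -x509 -key other.key -config ca.cnf -days 3650 -out ca-other.crt
  if openssl verify -CAfile ca-other.crt user.crt >/dev/null 2>&1; then
    echo "verification unexpectedly succeeded with a different CA key"; exit 1
  fi
  echo ok
)

renew_ca_same_key
```

Two caveats when doing this for real. If the issued certificates carry the AKID in its issuer-and-serial form (authorityKeyIdentifier = keyid,issuer) the renewed CA certificate must also keep the old serial number, which openssl req -x509 only does when told with -set_serial. And every relying party (here the VPN peers, plus whatever signs and checks CRLs) has to receive the renewed CA certificate; the key being unchanged does not distribute the new file for you.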
How to import self signed certificate as trusted certificate ?
Hi all.

I've created a self-signed certificate for testing purposes. I would like to import that into my IE5 and Netscape 7.1 browsers as a trusted certificate so that the browser will accept the applet requests implicitly. Can someone point me in the right direction please, i.e. read-ups, howto documentation, etc?

Also this: my applet can access and display jpeg images but the java console throws the typical "Access Denied" error when I try to access a local notepad.txt file. HTML's, applets, jpegs and text files are all in the same directory on the server. I find it astounding that the applet cannot access its own text files, co-located in exactly the same directory, without being a "signed applet", which brings me back to the purpose of this email... Does anyone find this a bit over the top?

TIA :-)
Re: Replacing an SSL certificate
I rebooted the unit eventually, which I guess had the same effect. However, I will remember that in future. Many thanks.

Huw Jenkins

From: Cliff Woolley
Date: Thu, 18 Dec 2003 14:16:44 -0500 (EST)
Subject: Re: Replacing an SSL certificate

On Thu, 18 Dec 2003, Huw Jenkins wrote:

> I've just replaced an SSL certificate (on a Mac OS 10.2 machine) and restarted apache, however it's still not recognising the new certificates (still seeing the old one). I've not been asked for the passphrase either. What's the command for getting apache to re-read the SSL certificates?

What kind of restart did you do? Try stopping and starting again rather than doing a plain restart or a graceful restart.

--Cliff
Re: Non SSL requires a certificate acceptance
Hi,

That's all my mistake. I'd forgotten that an index.html in non-ssl contains a javascript that accesses an ssl-url for counting the access log. I gave up ssl communication. All I do is change a logging tool into non-ssl, 'cause luckily a logging tool is also running on the server.

So, IE or Opera isn't the matter. Neither is the mod_ssl or apache configuration. Sorry I posted to the ML so easily.

Thanks,
Takeshi
[EMAIL PROTECTED]
Re: Non SSL requires a certificate acceptance
Takeshi,

Can you share with us how you stopped the warning message - presumably in IE?

Peter

At 19:35 28/10/03 +0900, you wrote:
> Everything is settled. A reason is that a tiny Javascript in domainC index.html goes to a SSL host every time accessed.
>
> Thanks,
> Takeshi
Non SSL requires a certificate acceptance
Hi,

I'm running some name-based vhosts and one of them is a self-signed ssl vhost under:
* apache-1.3.27-13
* openssl-0.9.6k-2
* mod_ssl-2.8.14-13

My apache configuration is like this:

    Port 80
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>
    ServerName domainA
    DocumentRoot /dummy/doc/root
    NameVirtualHost *
    <VirtualHost *>
    ServerName domainA
    DocumentRoot /domainA/doc/root
    </VirtualHost>
    <VirtualHost *>
    ServerName domainB
    DocumentRoot /domainB/doc/root
    </VirtualHost>
    <VirtualHost *>
    ServerName domainC
    DocumentRoot /domainC/doc/root
    </VirtualHost>
    <VirtualHost _default_:443>
    ServerName domainA
    DocumentRoot /ssl-domainA/doc/root
    SSLEngine on
    </VirtualHost>

The trouble is: when I connect to the non-SSL domainC (http://domainC/), I get a pop-up warning which says the certificate is self generated, and I can't see any secret icon on the browser whether I accept or not. And more confusing, the other non-SSL domains (A and B) don't! The both-way domain (domainA) works fine non-ssl and ssl.

I walked around some archives and Google but could not find any answers. Anybody met this problem? I would really appreciate any help or suggestion.

Thanks,
Takeshi
[EMAIL PROTECTED]
Certificate verification problem (required client certificate)
Hello,

I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and possibly tomcat 4.1.27). The web-server should run all applications only over SSL and with client certificate verification enabled. So I set up all the necessary configuration, including server and client certificates (our company has its own internal CA), and moved three different applications from the non-SSL to the SSL virtual-host. Everything works fine, the applications can access the environment variables, where the user-ID coming from the certificate is stored, in order to authenticate the users and provide user-specific content.

However the 4th application doesn't work. One of the working applications is PHP, another also working application is JSP based, so using Tomcat. The fourth application is not JSP, but a Servlet/Applet combination. What happens when accessing the page is that the index.html downloads to the client, but then the applet should be retrieved by the browser (IE), but the JAVA Plug-In just says "applet not found", and in the web-server error file (put in INFO) I see the following errors:

    [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
    [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
    [Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
    [Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
    [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
    [Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
    [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
    [Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
    [Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
    [Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown (server esdsv07.bbn.hp.com:443, client 15.136.126.30)

I know, normally this "peer did not return a certificate" indicates that either my browser does not have a certificate (which it has) or that the certificate can not be verified by the server due to a missing CA certificate (which it has). If one of these or both problems were there, the other three applications would not work as well, but they do!

Now I was wondering if it could be an issue somewhere in between mod_ssl, mod_jk, Tomcat?? In principle the connector between Apache and Tomcat works, otherwise the JSP application would not work as well. That can be easily verified by inserting a bug in this configuration and voila, the JSP app stops working.

Any ideas?

thanks in advance
Herbert

PS: if I switch on debug level, I get even more info, which does not help me, but it first says something about client certificate A (success) and then something about a certificate B? what is this about?

    [Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
    [Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
    [Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
    [Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
    [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
    [Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
    [Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
    [Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
    [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
    [Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096
How to installing a trusted certificate in Netscape
Hi all.

This may be a trivial question... I have signed my own certificate. How do I install that as a trusted certificate so that Netscape 6 doesn't throw the warning screen that I have been presented with a certificate from an untrusted site?
Re: Certificate verification problem (required client certificate)
Hello,

I have seen similar questions posted on the openssl mailing list before, but I have not seen much discussion. One thing that you may want to try is to upgrade the version of openssl itself, but I have no clue whether that applies to your problem. Why don't you post this question on the openssl mailing list, hoping that somebody has solved the question since then?

-Kiyoshi
Kiyoshi Watanabe

Hello,

I posted this question already some days ago, but did not yet receive any hint. Does really no-one have any idea what could be the problem?

---

I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl 0.9.6i (and possibly a factor also tomcat 4.1.27 server, client IE6 with Java 1.4 plugin from Sun). The web-server should run all applications only over SSL and with client certificate verification enabled. So I set up all the necessary configuration, including server and client certificates (our company has its own internal CA), and moved three different applications from the non-SSL to the SSL virtual-host. Everything works fine, the applications can access the environment variables, where the user-ID coming from the certificate is stored, in order to authenticate the users and provide user-specific content. One of the working applications is PHP based, another one is JSP based, so via Tomcat. (Only explaining this so that it is clear the whole server combination including the SSL setup seems to be right in principle.) However the 4th application doesn't work. The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the index.html downloads to the client, but then the applet should be retrieved by the browser (IE/Java plug-in), but the Java Plug-In just says applet not found, and in the web-server error file (put in INFO) I see the following:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)

I know, normally this "peer did not return a certificate" indicates that either my browser does not have a certificate (which it has) or that the certificate cannot be verified by the server due to a missing CA certificate (which it has). If one of these or both problems were there, the other three applications would not work as well, right? But they do! Any ideas?

If I switch on debug level, I get even more info (which does not tell me a lot more). First there is a verification/handshake on client certificate A (successful) and then there is something about a certificate B? What is this about? What is certificate A and B?

Thanks in advance
Herbert

Debugging info:

[Tue Aug 05 19:14:46 2003] [info] Loading certificate private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48
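In the log excerpt in Herbert's message, each "SSL library error 1 in handshake" line names the client, while the "SSL Library Error" line that follows names the OpenSSL reason code but not the client. The script below is an added example, not code from the thread or from mod_ssl: it stitches those pairs back together over the lines quoted above (a constructed subset, with the "Seeding PRNG" lines left out) and counts failures per client and reason code, so that one misbehaving client or one recurring reason stands out when several applications share a virtual host. The HINTS table holds my own defender-side notes for the two reason codes that appear on this page; it is not mod_ssl output.

```python
import re
from collections import Counter

# Constructed sample: the handshake lines quoted in the post above, "Seeding PRNG" lines omitted.
SAMPLE_LOG = """\
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
"""

# The handshake line carries the client address; the library-error line carries the reason.
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] SSL library error \d+ in handshake "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)$")
LIBERR_RE = re.compile(
    r"^\[[^\]]+\] \[\w+\] SSL Library Error: \d+ "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$")

# My own notes for the reason codes seen on this page (assumed reading, not mod_ssl text).
HINTS = {
    "140890C7": "client answered the CertificateRequest with an empty certificate list: "
                "check that the client has a certificate installed and that its issuer chain "
                "is in SSLCACertificateFile/Path within SSLVerifyDepth",
    "140890B2": "no certificate returned: same checks as 140890C7",
}


def triage(lines):
    """Pair every handshake-failure line (client known) with the library-error line
    that follows it (reason known) and return one record per failure."""
    failures = []
    pending = None
    for line in lines:
        line = line.rstrip("\n")
        m = HANDSHAKE_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = LIBERR_RE.match(line)
        if m and pending is not None:
            rec = dict(pending, **m.groupdict())
            rec["hint"] = HINTS.get(rec["code"].upper(),
                                    "unknown reason code, decode it with 'openssl errstr <code>'")
            failures.append(rec)
            pending = None
    return failures


def summarize(failures):
    """Count failures per (client, reason code) so a noisy client or one dominant reason stands out."""
    return Counter((f["client"], f["code"].upper()) for f in failures)


if __name__ == "__main__":
    fails = triage(SAMPLE_LOG.splitlines())
    for (client, code), n in summarize(fails).most_common():
        print(f"{client:16} {code} x{n}: {HINTS.get(code, '?')}")
```

Run against the real error_log (with LogLevel info or debug), the per-client counts can be matched against the access log to see which URL each failing client was fetching; in Herbert's case that would separate the applet's requests from the three applications that work.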
rewrite data from client certificate
Hi,

I am trying to get the SSL_CLIENT_S_DN_CN from a client certificate to use it in a RewriteRule. But I always get an empty query string. The config is as following:

SSLOptions +StdEnvVars
RewriteEngine On
RewriteLog logs/rewrite.log
RewriteLogLevel 9
RewriteCond %{ENV:SSL_CLIENT_S_DN_CN} ^Simpson*
RewriteRule ^/$ /dir/index.html [L]

Can I get environment variables like SSL_CLIENT_XXX within the Rewrite Module? Or are there any other possibilities to get access to them?

thanks for your help
mario
self signed certificate
Hi,

I have problems creating a self signed certificate. I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2. I went through the description of the FAQ page: http://www.corserv.com/freebsd/apache-ssl-howto.html

OpenSSL quits with the error when I want to sign the server.csr:

$ openssl ca -config ca.config -out server.crt -infiles server.csr
...
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

I searched on google and found the same question on the modssl-users mailing list (Dec 2002), which is still unanswered: http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html

Any Ideas?
Jan
Re: self signed certificate
-Original Message-
From: Jan Staschulat [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 13, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: self signed certificate

Hi, I have problems creating a self signed certificate. I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2. I went through the description of the FAQ page: http://www.corserv.com/freebsd/apache-ssl-howto.html

OpenSSL quits with the error when I want to sign the server.csr:

$ openssl ca -config ca.config -out server.crt -infiles server.csr
...
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

I searched on google and found the same question on the modssl-users mailing list (Dec 2002), which is still unanswered: http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html

Hello,

don't mess with openssl. Please refer to http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29. There is a script sign.sh in the contrib dir of the modssl source package.

Best regards
Alex Kuehne
-- Network Manager, SAG, Berlin, Germany
Re: self signed certificate
Jan Staschulat said:

Hi, I have problems creating a self signed certificate. I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2. I went through the description of the FAQ page: http://www.corserv.com/freebsd/apache-ssl-howto.html

OpenSSL quits with the error when I want to sign the server.csr:

$ openssl ca -config ca.config -out server.crt -infiles server.csr
...
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

I searched on google and found the same question on the modssl-users mailing list (Dec 2002), which is still unanswered: http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html

Any Ideas?

My guess is you don't have the database file. On a unix system do "touch f", where f is the value of the database in ca.config. I also remember having to initialise the serial file:

echo 00 > serial

HTH
Jan

--
Aaron Stromas | Tik-tik-tik!!!... ja, Pantani is weg...
[EMAIL PROTECTED] | BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France
mod_ssl/openssl error with test certificate?
modssl-users,

OK, I just built an apache + mod_ssl + mod_perl configuration. I built the test certificate and installed it (make certificate; make install). But when I 'apachectl startssl' I get the following message:

[error] Init: Unable to read server certificate from file /opt/sisapache/conf/ssl.crt/server.crt (OpenSSL library error follows)
[error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

I checked permissions and thought that might be the problem, however, the problem persists even if I 'chmod 444 /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?

Thanks,
Otto
---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA 22030-7448
Phone: 703-383-8022
Fax: 703-383-4055
Re: mod_ssl/openssl error with test certificate?
* Otto L. Miller ([EMAIL PROTECTED]) wrote:

[snip]

I checked permissions and thought that might be the problem, however, the problem persists even if I 'chmod 444 /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?

Could you post a copy of the server.crt file?

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
Re[2]: mod_ssl/openssl error with test certificate?
Geoff,

Oops! Checked out the file and it is a dummy ascii file :-(. I replaced it with a 'real' file from the source tree and then it whined about the private key. It too was a dummy ascii file. I replaced it with a 'real' key file and voila... it all works! It never occurred to me that 'make install' *does not* install the certificate files.

Thanks to all who spent time on this!

Thanks,
Otto
---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA 22030-7448
Phone: 703-383-8022
Fax: 703-383-4055

Wednesday, March 5, 2003, 1:21:59 PM, you wrote:

* Otto L. Miller ([EMAIL PROTECTED]) wrote:

[snip]

I checked permissions and thought that might be the problem, however, the problem persists even if I 'chmod 444 /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?

Could you post a copy of the server.crt file?

Cheers,
Geoff
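The "expecting an asn1 sequence" message means OpenSSL got past the PEM base64 but the first DER byte was not 0x30, the tag of the outer SEQUENCE that every X.509 certificate starts with; a placeholder text file like the one Otto found fails even earlier, because it carries no PEM block at all. The check below is an added example, not code from the thread or from mod_ssl: it reproduces those first two checks plus the outer length check, so a dummy or truncated server.crt is caught before a restart. The PEM strings it tests are constructed, and TOY_DER is a minimal SEQUENCE { INTEGER 5 }, not a real certificate: enough to exercise the outer-tag logic, but no substitute for 'openssl x509 -in server.crt -noout -text' on the real file.

```python
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text; bad base64 raises ValueError."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            blocks.append((label, base64.b64decode(body, validate=True)))
        except binascii.Error as e:
            raise ValueError(f"{label}: bad base64 ({e})")
    return blocks


def der_outer_length(der):
    """Parse the outer TLV header: return (tag, header_len, content_len) or raise ValueError."""
    if len(der) < 2:
        raise ValueError("too short for a DER header")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad long-form length")
    return tag, 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_certificate_file(text):
    """Return (ok, reason). Mirrors what d2i_X509 rejects first: the PEM must decode to DER
    whose outer element is a SEQUENCE (tag 0x30) spanning the whole blob."""
    try:
        blocks = pem_blocks(text)
    except ValueError as e:
        return False, str(e)
    if not blocks:
        return False, "no PEM block found: placeholder or wrong-format file?"
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        return False, "no CERTIFICATE block, only: " + ", ".join(l for l, _ in blocks)
    try:
        tag, hdr, length = der_outer_length(certs[0])
    except ValueError as e:
        return False, str(e)
    if tag != 0x30:
        return False, f"expecting an asn1 sequence, got tag 0x{tag:02x}"
    if hdr + length != len(certs[0]):
        return False, f"length mismatch: header says {hdr + length} bytes, file has {len(certs[0])}"
    return True, f"outer SEQUENCE ok ({len(certs[0])} DER bytes)"


# Constructed inputs. TOY_DER is SEQUENCE { INTEGER 5 }: a valid outer SEQUENCE, not a certificate.
DUMMY_TEXT = "# dummy server.crt placeholder, replace me\n"
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
TRUNCATED_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x05])   # header claims 5 content bytes, only 3 present


def wrap_pem(label, der):
    """Wrap DER bytes in a PEM envelope with the given label."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    for name, text in [("dummy", DUMMY_TEXT),
                       ("toy cert", wrap_pem("CERTIFICATE", TOY_DER)),
                       ("truncated", wrap_pem("CERTIFICATE", TRUNCATED_DER)),
                       ("key not cert", wrap_pem("RSA PRIVATE KEY", TOY_DER))]:
        print(name, check_certificate_file(text))
```

The same check applied to the key file would have caught Otto's second dummy file too, with the "no CERTIFICATE block" branch replaced by a check for a PRIVATE KEY label.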
SSLProxy - Howto delegate Client Certificate to backend server
Hi all,

I have the following scenario: Apache webserver 2.0.44 with mod_ssl requires client authentication during the SSL handshake for a particular URL. All further requests coming in over the established SSL connection are delegated to a backend server. The connection between the webserver and the backend server is also configured to be an SSL connection with client authentication, so the webserver has to provide a client certificate to the backend server.

I'd like to pass the client certificate provided by the end user to the backend server. Is there a chance to do this with mod_ssl?

Any help and comments appreciated.

Best regards
Ulrich

Deutscher Sparkassen Verlag GmbH
Am Wallgraben 115
70565 Stuttgart
Phone: 0711/782-0
Website: http://www.dsv-gruppe.de

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient and have received this e-mail in error, you may neither use the contents of this e-mail nor open any attached files, nor copy or forward/distribute anything. Please notify the sender and delete this e-mail and any attached files immediately. Thank you!
Re: SSLProxy - Howto delegate Client Certificate to backend server
On Fri, Feb 21, 2003 at 07:39:07AM +0100, [EMAIL PROTECTED] wrote:

I'd like to pass the client certificate provided by the end user to the backend server. Is there a chance to do this with mod_ssl?

Currently there isn't a solution with mod_ssl. There are however a couple of ways to do this if you don't mind hacking the code. I made a POC module for Apache 1.3, http://www.toftum.org/www2/apache/, which is just a very simple example of how this can be done. A patch has also been sent to the [EMAIL PROTECTED] list recently - it has not been included, but see http://marc.theaimsgroup.com/?t=10449923556&r=1&w=2

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
certificate authentication alternate authentication REMOTE_USER variable
Hi all,

SERVER: Apache 1.3.27 + mod_ssl/2.8.12

My problem: I want to authenticate clients of my domain based on certificates and obtain my users' usernames. I tried using the two methods mentioned in http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9 but they don't seem to be completely equivalent. Specifically, when I try without SSLRequire and load an authentication module such as mod_auth_ldap or mod_auth_mysql (in order to offer an alternate authentication schema - Satisfy any), in the browser a dialog window appears asking for Username/Password just after the window for choosing the certificate. This window (asking for username/password) does not appear 1. when I use the SSLRequire directive and load other modules (but the REMOTE_USER variable is empty) and 2. when I use the AuthUserFile directive and don't load the modules (but I can't offer alternate authentication).

Apache configuration:

#LoadModule ldap_auth_module libexec/mod_auth_ldap.so

SSLCACertificatePath /etc/apache/conf/ssl.crt
SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient 0

<Directory "/apache/secure/area">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    Allow from localnetwork
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StdEnvVars
    SSLRequireSSL
    #SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organization" and \
    #           %{SSL_CLIENT_S_DN_OU} eq "My Departement"
    AuthName "Certificate Authentication"
    AuthType Basic
    AuthUserFile /path/to/httpd.passwd
    require valid-user
    #Satisfy any
    #AuthType Basic
    #AuthName "LDAP Authentication"
    #LDAP_Server MyLdapServer
    #LDAP_Port 389
    #Base_DN "o=MyOrganization,c=GR"
    #UID_Attr uid
    #require valid-user
</Directory>

thanks in advance
-sophia
add a certificate to a Certificate Revocation List
How to add a client certificate to an already created and empty Certificate Revocation List?

thanks
Sergio
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 11:57:20AM +0100, Zampognaro Sergio wrote:

How to add a client certificate to an already created and empty Certificate Revocation List?

openssl ca -revoke filename

see man ca and man crl in the openssl docs.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 12:10:14PM +0100, Mads Toftum wrote:

openssl ca -revoke filename

see man ca and man crl in the openssl docs.

I forgot to add this link - http://www.apacheweek.com/features/crl

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
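Both the "TXT_DB error number 2" thread above and this CRL question revolve around the text database that 'openssl ca' keeps, the index.txt named by the 'database' value in ca.config: signing appends a V row, 'openssl ca -revoke' flips that row to R with a revocation date, and 'openssl ca -gencrl' (not mentioned in the thread, but the step that follows -revoke) writes the R rows into a fresh CRL. "TXT_DB error number 2" is an index clash: the row to be inserted repeats a unique key of an existing row, either the serial taken from the serial file or, with the default unique_subject = yes, the subject of a still-valid (V) entry. The script below is an added example, not code from the thread or from OpenSSL: it parses a constructed index.txt, runs the pre-signing checks the replies guess at (missing database file, uninitialised serial) alongside the two clash checks, and lists the revoked serials a regenerated CRL would carry. The row layout it assumes is the six tab-separated fields OpenSSL writes (status, expiry, revocation date, serial, filename, subject).

```python
from dataclasses import dataclass


@dataclass
class IndexEntry:
    status: str     # V = valid, R = revoked, E = expired
    expiry: str     # YYMMDDHHMMSSZ
    revoked: str    # empty unless status == "R"; may carry ",reason"
    serial: str     # hex, as written by openssl ca
    filename: str   # "unknown" unless certificates are archived
    subject: str    # one-line DN, e.g. /O=MY Company/CN=alice


def parse_index(text):
    """Parse the tab-separated index.txt that 'openssl ca' maintains."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries


def _same_serial(a, b):
    """Compare serials numerically so '01' and '1' count as the same certificate."""
    return int(a, 16) == int(b, 16)


def precheck(index_text, serial_text, subject):
    """Problems 'openssl ca' would hit while inserting the row for `subject`.
    index_text=None models a missing database file; an empty string is a fresh, empty one."""
    problems = []
    if index_text is None:
        problems.append("database file missing: create it empty (touch <database>)")
        entries = []
    else:
        entries = parse_index(index_text)
    if not serial_text or not serial_text.strip():
        problems.append("serial file missing or empty: initialise it (echo 00 > serial)")
    else:
        new_serial = serial_text.strip()
        for e in entries:
            if _same_serial(e.serial, new_serial):
                problems.append(f"serial {new_serial} already used by {e.subject} (TXT_DB error number 2)")
    for e in entries:
        if e.status == "V" and e.subject == subject:   # only V rows are in the unique-subject index
            problems.append(f"valid certificate {e.serial} already issued for {subject}: "
                            "revoke it first or set unique_subject = no (TXT_DB error number 2)")
    return problems


def revoked_serials(entries):
    """Serials flagged R: what 'openssl ca -revoke' records and 'openssl ca -gencrl' emits."""
    return [e.serial for e in entries if e.status == "R"]


# Constructed index.txt with one valid server cert, one revoked user cert and one valid user cert.
SAMPLE_INDEX = "\n".join([
    "\t".join(["V", "240805120000Z", "", "01", "unknown", "/O=MY Company/CN=esdsv07.my.com"]),
    "\t".join(["R", "240805120000Z", "230301120000Z", "02", "unknown", "/O=MY Company/CN=alice"]),
    "\t".join(["V", "240805120000Z", "", "03", "unknown", "/O=MY Company/CN=bob"]),
]) + "\n"


if __name__ == "__main__":
    entries = parse_index(SAMPLE_INDEX)
    print("revoked serials for the next CRL:", revoked_serials(entries))
    for serial, subj in [("04", "/O=MY Company/CN=carol"), ("01", "/O=MY Company/CN=carol"),
                         ("04", "/O=MY Company/CN=bob")]:
        print(serial, subj, precheck(SAMPLE_INDEX, serial + "\n", subj) or ["ok"])
```

Reading index.txt rather than deleting it is the safer reaction to the error: a revoked entry does not block re-issuing the same subject, so the usual fix for a subject clash is to revoke the old certificate (which also puts it into the next CRL), not to wipe the database and lose the revocation history.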