peer did not return a certificate No CAs known to server for verification?

2010-12-19 Thread Abhijit Bhate
Hello All,

 

We have opened a Java web service and our clients are facing issues while
accessing it. They are consistently getting an SSL/TLS connection failure
message. All these clients are using VeriSign Class 1 certificates. In the
Apache error logs we see the message below:

 

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!? 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows) 
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

 

This is happening only with Class 1 certificates; Class 3 certificates
are working fine. Earlier we were using IBM HTTP Server and our clients
were able to connect to our web service, but since we moved to
Apache HTTP Server they are facing this issue.

 

Is there any known fix for this? Kindly advise. Your suggestions are of real
value to us.

 

Note: all these clients are either PHP or .NET clients. Java clients are
able to use Class 1 certificates successfully.

 

Thanks,

Abhijit Mohan Bhate

+91-98-50-886360

 



Re: Client certificate do not work / renegociate

2010-03-30 Thread Mario Brandt
Hi,
That is not a bug, it is a feature! With TLS renegotiation a
man-in-the-middle attack is theoretically possible. To prevent that,
the developers decided to deactivate TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation


From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager  majord...@modssl.org


Client certificate do not work / renegociate

2010-03-29 Thread Developer
Hello,
On a host where the client certificate is optional, but required in some
directories. The server uses SNI, and this configuration worked fine before
SNI.

<VirtualHost *:443>
 SSLVerifyClient optional

<Location /certrequirement>
 SSLVerifyClient require
</Location>
...

I use an SNI client (Firefox) with a client certificate that works in the
optional locations but not in the certrequirement location.


 [info] Initial (No.1) HTTPS request received for child 5 (server 
 www.1pc.es:443)
 [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client 
 verification type will force renegotiation, referer: http:
 [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: 
 http://www.1pc.es/
 [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full 
 renegotiation: complete handshake protocol, referer: http
 [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
 [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: 
 http://www.1pc.es/
 [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
 [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
 [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 
 [mem: 7f4325577083] (BIO dump follows)
 [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
 [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client 
 hello B
 [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted 
 by client!?, referer: http://www.1pc.es/


 openssl-1.0.0-0.13.beta4.fc12.x86_64
 httpd-2.2.14-1.fc12.x86_64
 mod_ssl-2.2.14-1.fc12.x86_64


Does anyone know where the problem is?
Why does it not work with require, but does the job with optional?


-- 
http://www.1pc.es/




Re: Client Auth with S/MIME certificates - certificate purpose problem

2010-02-12 Thread Yaroslav
I found a solution; it looks like a dirty hack and opens a security
hole, but it works for our custom purposes, so I don't recommend using
it this way. Still, it may be of interest to somebody.

OpenSSL needs to be patched.
In the 'openssl/ssl/ssl_cert.c' file, in the 'ssl_verify_cert_chain' function,
replace

X509_STORE_CTX_set_default(ctx,
  s->server ? "ssl_client" : "ssl_server");

by

X509_STORE_CTX_set_default(ctx, "any");


Yaroslav


Client Auth with S/MIME certificates - certificate purpose problem

2010-02-11 Thread Yaroslav

Hi all!

I have an https server with apache/2.2.12+mod_ssl/2.2.14 and OpenSSL/0.9.8g.
I want to perform authentication based on client S/MIME certificates.
Clients have certificates with only the following purposes:
- S/MIME signing
- S/MIME encryption
But no SSL client or SSL server.

So I'm getting the following error during authentication:

...
[Wed Feb 10 11:36:59 2010] [error] [client 127.0.0.1] Certificate 
Verification: Error (26): unsupported certificate purpose
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: 
Write: SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: 
Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: 
Exit: error in SSLv3 read client certificate B
[Wed Feb 10 11:36:59 2010] [info] [client 127.0.0.1] SSL library error 1 
in handshake (server 127.0.1.1:443)
[Wed Feb 10 11:36:59 2010] [info] SSL Library Error: 336105650 
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate 
returned

...

I tried to solve this by customizing 'ssl_engine_init.c' from mod_ssl.
I added the following lines in ssl_init_ctx_verify function:

/*
 *  Configure CTX purpose
 */
if (SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY)) {
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 "Purpose successfully set");
} else {
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose set failed");
}

/*
 * Configure Client Authentication details
 */

   But it doesn't work. The SSL_CTX_set_purpose call seems fine and there
is a "Purpose successfully set" line in the Apache log file, but I'm still
getting the "unsupported certificate purpose" error.
   I haven't found any certificate purpose configuration code in the
mod_ssl source.


I will be grateful for any help.


Yaroslav
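To make the two verification failures in this thread reproducible (the error 20 "unable to get local issuer certificate" reported above with VeriSign Class 1 client certificates, and the error 26 "unsupported certificate purpose" from the S/MIME certificates in this post), here is an added example written for this page; it is not code from the thread, from mod_ssl or from OpenSSL. It builds a throw-away root -> intermediate -> S/MIME-only leaf chain with the openssl command-line tool and runs `openssl verify` the way mod_ssl judges a client certificate. Every name, the CA profile and the temporary files are constructed; the only assumption is that an `openssl` binary is on PATH.

```python
"""Reproduce mod_ssl client-certificate verification errors 20 and 26 with a
throw-away PKI built by the openssl command-line tool (constructed example)."""
import os
import subprocess
import tempfile

# Minimal OpenSSL config: a [req] section so `openssl req` runs without prompting,
# CA extensions for root and intermediate, and an S/MIME-only profile for the leaf
# (extendedKeyUsage = emailProtection, no clientAuth), like the thread's certificates.
TOY_PKI_CNF = """\
[req]
distinguished_name = req_dn
x509_extensions = ca_ext
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[smime_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
"""


def openssl(workdir, *args):
    """Run one openssl command in workdir; return (exit status, stdout+stderr)."""
    proc = subprocess.run(["openssl", *args], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def must(result, step):
    """Abort PKI construction on the first failing openssl step."""
    rc, out = result
    if rc != 0:
        raise RuntimeError(f"{step} failed (exit {rc}):\n{out}")
    return out


def build_pki(workdir):
    """Write root.pem -> int.pem -> leaf.pem; the leaf carries only emailProtection."""
    with open(os.path.join(workdir, "toy.cnf"), "w") as f:
        f.write(TOY_PKI_CNF)
    must(openssl(workdir, "req", "-x509", "-config", "toy.cnf", "-newkey", "rsa:2048",
                 "-nodes", "-keyout", "root.key", "-out", "root.pem",
                 "-subj", "/CN=Toy Root CA", "-days", "1"), "root cert")
    must(openssl(workdir, "req", "-config", "toy.cnf", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", "int.key", "-out", "int.csr",
                 "-subj", "/CN=Toy Intermediate CA"), "intermediate csr")
    must(openssl(workdir, "x509", "-req", "-in", "int.csr", "-CA", "root.pem",
                 "-CAkey", "root.key", "-CAcreateserial", "-days", "1",
                 "-extfile", "toy.cnf", "-extensions", "ca_ext", "-out", "int.pem"),
         "intermediate cert")
    must(openssl(workdir, "req", "-config", "toy.cnf", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", "leaf.key", "-out", "leaf.csr",
                 "-subj", "/CN=smime-only-user"), "leaf csr")
    must(openssl(workdir, "x509", "-req", "-in", "leaf.csr", "-CA", "int.pem",
                 "-CAkey", "int.key", "-CAcreateserial", "-days", "1",
                 "-extfile", "toy.cnf", "-extensions", "smime_ext", "-out", "leaf.pem"),
         "leaf cert")


def run_checks():
    """Return {scenario: (exit status, verify output)} for three verifications."""
    with tempfile.TemporaryDirectory() as workdir:
        build_pki(workdir)
        return {
            # Only the root is trusted and the intermediate is not supplied, so the
            # leaf's issuer cannot be found: error 20.
            "missing_intermediate": openssl(
                workdir, "verify", "-CAfile", "root.pem", "leaf.pem"),
            # Chain complete, but checked for the purpose a TLS server applies to
            # client certificates: the emailProtection-only leaf gives error 26.
            "sslclient_purpose": openssl(
                workdir, "verify", "-CAfile", "root.pem", "-untrusted", "int.pem",
                "-purpose", "sslclient", "leaf.pem"),
            # Same chain with purpose checking switched off: what the thread's
            # OpenSSL patch amounts to.
            "any_purpose": openssl(
                workdir, "verify", "-CAfile", "root.pem", "-untrusted", "int.pem",
                "-purpose", "any", "leaf.pem"),
        }


if __name__ == "__main__":
    for name, (rc, out) in run_checks().items():
        print(f"== {name} (exit {rc})\n{out}")
```

The first scenario is the usual cause of the error 20 lines in the Class 1 thread: the client presents only its own certificate and the server's trust store holds the root but not the intermediate that signed it, so the chain cannot be built; the remedy is to make the intermediate available (in the server's CA file or in the client's chain), not to loosen verification. The second reproduces the error 26 log line: mod_ssl verifies client certificates for the sslclient purpose, so a certificate whose extendedKeyUsage lists only emailProtection is rejected although its chain is sound. The third shows what the "any" patch buys and why it is a poor trade: the CA's stated key purposes are exactly what stop an e-mail signing key from being accepted as a login credential.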





SSLVerifyClient optional redirect or be graceful upon revoked certificate

2010-01-22 Thread Jaz
When using SSLVerifyClient optional is there a way (or are there plans for 
this) to redirect when mod_ssl detects a revoked certificate? What about 
setting $_SERVER[SSL_CLIENT_VERIFY] == FAIL just as it is when no 
certificate is installed? In other words, why should the action be any 
different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self-manage private SSL certificates. 
The login pre-test is intended for all cases (without cert, with cert, and 
revoked cert) and detects by testing $_SERVER[SSL_CLIENT_VERIFY] == SUCCESS 
(this is in a dedicated directory <Directory ...> carefully designed to 
eliminate risk from MitM attacks). This works for the two cases no-cert & 
valid-cert, but for revoked-cert we get an ugly hard-stop. For example from 
Firefox: "SSL peer rejected your certificate as revoked."

If this isn't appropriate for modssl-users but is rather an Apache issue, then 
advice on an alternate forum is appreciated. Has it already been 
discussed/requested? (I searched a lot but didn't find anything.)

I would like to build a mod_ssl with both the option to redirect on FAIL 
(separate options for no-cert and revoked-cert), and limit 
initiate-renegotiation only by server, not by client. Any help is greatly 
appreciated.

Thanks. 






RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate

2010-01-22 Thread Peter
I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked
certificate

When using SSLVerifyClient optional is there a way (or are there plans for
this) to redirect when mod_ssl detects a revoked certificate? What about
setting $_SERVER[SSL_CLIENT_VERIFY] == FAIL just as it is when no
certificate is installed? In other words, why should the action be any
different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self-manage private SSL
certificates. The login pre-test is intended for all cases (without cert,
with cert, and revoked cert) and detects by testing
$_SERVER[SSL_CLIENT_VERIFY] == SUCCESS (this is in a dedicated directory
<Directory ...> carefully designed to eliminate risk from MitM attacks).
This works for the two cases no-cert & valid-cert, but for revoked-cert we
get an ugly hard-stop. For example from Firefox: "SSL peer rejected your
certificate as revoked."

If this isn't appropriate for modssl-users but is rather an Apache issue, then
advice on an alternate forum is appreciated. Has it already been
discussed/requested? (I searched a lot but didn't find anything.)

I would like to build a mod_ssl with both the option to redirect on FAIL
(separate options for no-cert and revoked-cert), and limit
initiate-renegotiation only by server, not by client. Any help is greatly
appreciated.

Thanks. 






Issue setting up a Verisign certificate

2009-07-27 Thread Robin
I have generated a CSR, sent it to Verisign and they sent me back a
.cer file that I have renamed to public.crt.  As per their support
instructions I installed their Intermediate CA
(https://knowledge.verisign.com/support/ssl-certificates-support/index?page=contentid=AR193)

My virtualhost configuration is as follows:

  SSLEngine on
  SSLCertificateFile /etc/apache2/public.crt
  SSLCertificateKeyFile /etc/apache2/private.key
  SSLCACertificateFile /etc/apache2/interm.crt

I am getting this error when trying to start Apache:

[Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
certificate from file /etc/apache2/secure.canadaeast.com.public.crt
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error

Any thoughts? I am at a loss and am not interested in waiting something
like 35 minutes to speak to their support people.

Thanks!


Re: Issue setting up a Verisign certificate

2009-07-27 Thread Victoriano Giralt


Robin wrote:
| My virtualhost configuration is as follows:
|
|   SSLEngine on
|   SSLCertificateFile /etc/apache2/public.crt
- ^
|   SSLCertificateKeyFile /etc/apache2/private.key
|   SSLCACertificateFile /etc/apache2/interm.crt
I think this does not belong here, but I might be wrong.

| [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
| certificate from file /etc/apache2/secure.canadaeast.com.public.crt
- ---^
It seems your Apache is looking for the cert in a different file than you
think.

Probably because there is a different virtual host configuration for the
SSL one.
- --
- ---
G & S Sistemas de Informacion, S.L.  | Teléfono:  9 02 01 44 43
Victoriano Giralt| Land line: +34-952-207-241
Torre de San Telmo, 8| Mobile:+34-670-332-720
E-29018 Malaga (Spain)   | http://www.gssi.es/
- ---



Re: Restricting access by arbitrary certificate extension

2009-05-28 Thread Joe Orton
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the 
development list for Apache httpd, CC'ed.  (I'm quoting the full mail 
inline for reference of dev@ readers)

On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
mod_ssl can perform client authentication on certificate in  
 Apache and client authorization on certain certificate extensions. We  
 are setting up CA here and we want to restrict access to certain website  
 by checking the presence of certain certificate extension using its OID.  
 The syntax which mod_ssl is forcing us to use is the following:

<Location />
SSLRequire "some string" in OID("1.2.3.4…..")
</Location>

 As you can see, we need to match this string exactly in extension’s  
 value. We can encounter problem with this, because this extension may  
 not be listed in openssl list of valid extensions  
 (crypto/objects/objects.h). As I learned the mod_ssl and openssl code,  
 mod_ssl would not be able to match the string because the object of this  
 OID does not have valid NID in openssl. OpenSSL seems incapable of  
 determining the type of arbitrary extension we want to use as  
 restricting factor. Hence, mod_ssl can not even extract its value from  
 certificate.
Well, I poked around the problem for some time and found no  
 other way than to patch mod_ssl by adding one new function in  
 ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()  
 and ssl_expr_eval_oid() but does not intend to extract the value of  
 certificate extension. I also added some change to ssl_expr_eval_comp(),  
 so if you supply the zero-length word in SSLRequire, it uses my new  
 function instead of ssl_expr_eval_oid(). So, the new syntax is like this:

<Location />
SSLRequire "" in OID("1.2.3.4…..")
</Location>

If you are aware of more attractive and “right” way to make  
 it, please acknowledge. My patch for apache-2.2.11 is attached.

I'd rather see a different syntax used for the new semantics, such as:

   SSLRequire has_oid(1.2.3.4)

though I'm not sure whether the SSLRequire parser can cope with that.

Regards, Joe


Restricting access by arbitrary certificate extension

2009-05-05 Thread Zhumabekov Yerden
   mod_ssl can perform client authentication on certificate in 
Apache and client authorization on certain certificate extensions. We 
are setting up CA here and we want to restrict access to certain website 
by checking the presence of certain certificate extension using its OID. 
The syntax which mod_ssl is forcing us to use is the following:


   <Location />
   SSLRequire "some string" in OID("1.2.3.4…..")
   </Location>

As you can see, we need to match this string exactly in the extension's 
value. We can run into a problem with this, because this extension may 
not be listed in OpenSSL's list of valid extensions 
(crypto/objects/objects.h). As I learned from the mod_ssl and OpenSSL code, 
mod_ssl would not be able to match the string because the object of this 
OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of 
determining the type of an arbitrary extension we want to use as a 
restricting factor. Hence, mod_ssl cannot even extract its value from the 
certificate.
   Well, I poked around the problem for some time and found no 
other way than to patch mod_ssl by adding one new function in 
ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() 
and ssl_expr_eval_oid() but does not intend to extract the value of 
certificate extension. I also added some change to ssl_expr_eval_comp(), 
so if you supply the zero-length word in SSLRequire, it uses my new 
function instead of ssl_expr_eval_oid(). So, the new syntax is like this:


   <Location />
   SSLRequire "" in OID("1.2.3.4…..")
   </Location>

   If you are aware of a more attractive and "right" way to do 
this, please let me know. My patch for apache-2.2.11 is attached.


--
Zhumabekov Yerden


apache_oid_presence.patch.gz
Description: application/gzip


Multiple Requests for Client Certificate

2008-11-18 Thread wolfram eifler

hi,

I'm setting up an SSL-enabled Apache2 server with mod_ssl. It works
fine so far, *but* when a client browser opens multiple simultaneous
connections for one page to the server, the client certificate gets
requested from the user the same number of times.

The corresponding Browser-Configuration for firefox for example is named
network.http.max-persistent-connections-per-server

I am looking for a way to avoid these multiple questions for a
client cert, but I have no influence on the browser configurations.

Is there a way to avoid those multi-questions?

best regards

--
Kind regards

Wolfram Eifler
Development

Mail  [EMAIL PROTECTED]

e.siqia Informationstechnologien GmbH
Saarbrücker Str. 36
10405 Berlin
Tel. +49 30.284730-68
Fax  +49 30.284730-99
Support via Tel: +49 (9001) 374742 (*1
Support via Tel: +49 (9001) esiqia (*2

http://www.esiqia.com

Registered office: Berlin - Register court: Berlin - AG Charlottenburg HRB 74684 - 
Managing director: Rainer Böhnke


*1 = 1.85 €/min (landline: Telekom, Versatel)
*2 = 1.99 €/min (mobile: T-Com, Vodafone)


For legal and security reasons this e-mail is not legally binding. 
However, we can on request provide you with legally binding written 
confirmation or with qualified electronical signed document at any time. 
This message is confidential and intended solely for the use by the 
adressee. The message is virus proofed before sending. Any use of this 
message by a third party is prohibited. If you received this message in 
error, please contact the sender and delete the data from any computer 
and data carrier. The sender is neither liable for the proper and 
complete transmission of the information in the message nor for any 
delay in its receipt.




Re: Authenticating users based on S/MIME certificate

2008-09-22 Thread Dave Sparks

Gunnar Vestergaard wrote:

 My goal is to let visitors of my web site authenticate themselves to
 my web server using some certificate, possibly S/MIME certificates.

 As I understand the documentation for PHP, there is no means whereby
 PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a 
request header.  From one of my configuration files:


  RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
^.*(-BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-(%0[Dd])?%0[Aa].*%0[Aa]-END%20\2CERTIFICATE-(%0[Dd])?%0[Aa]).*$
  RewriteRule ^.*$ - [E=CLIENT_CERT:%1]

  RequestHeader unset L-ClientCert

  RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters. 
 Presumably PHP can use the string in the header to match the 
certificate against a list of known certificates.


The certificate digest would be less unwieldy than the entire 
certificate, but mod_ssl would need some simple changes to make the 
digest available and I would be reluctant to use a hosting provider who 
allowed customers to use a modified mod_ssl.



Dave Sparks
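As an added example (not code from Dave's configuration, nor from the PHP side of the thread), here is the application-side counterpart in Python: it gates on the SSL_CLIENT_VERIFY value mod_ssl exports (the same variable Jaz's login pre-test checks earlier on this page), decodes the %-encoded PEM that the RewriteCond/RequestHeader pair above puts in the L-ClientCert header, and matches the certificate by SHA-256 fingerprint rather than by comparing the whole PEM string. The environ keys (SSL_CLIENT_VERIFY, and HTTP_L_CLIENTCERT for the header), the allow-list and the sample certificate body are all constructed for the example; the sample body is not real ASN.1, only the decoding and matching path is exercised.

```python
"""Application-side check of a client certificate that mod_ssl verified and
exported: gate on SSL_CLIENT_VERIFY, then map the %-encoded PEM from the
L-ClientCert request header to a known user by SHA-256 fingerprint.
Constructed example; the sample "certificate" below is not real ASN.1."""
import base64
import hashlib
import ssl
from urllib.parse import quote, unquote

PEM_HEADER = "-----BEGIN CERTIFICATE-----\n"
PEM_FOOTER = "-----END CERTIFICATE-----\n"


def pem_from_der(der):
    """Wrap DER bytes in PEM armour (used here only to build the sample input)."""
    return PEM_HEADER + base64.encodebytes(der).decode("ascii") + PEM_FOOTER


def decode_cert_header(value):
    """Undo the %-encoding the RewriteMap applied and return the DER bytes,
    or None when the header does not carry well-formed PEM armour."""
    pem = unquote(value)
    try:
        return ssl.PEM_cert_to_DER_cert(pem)  # strips armour, base64-decodes
    except ValueError:                        # binascii.Error is a subclass
        return None


def fingerprint(der):
    """SHA-256 over the DER encoding: the value `openssl x509 -fingerprint -sha256`
    prints for the same certificate, as lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()


def authorize(environ, allowlist):
    """Return the user bound to the presented certificate, or None.

    environ mirrors what mod_ssl and mod_headers hand to the application:
    SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:<reason>, and the
    L-ClientCert header arrives as HTTP_L_CLIENTCERT. Only SUCCESS means the
    chain verified against the server's CA file; any other value is refused
    even when a certificate body is present.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    der = decode_cert_header(environ.get("HTTP_L_CLIENTCERT", ""))
    if der is None:
        return None
    return allowlist.get(fingerprint(der))


# Constructed sample: a fake DER body, armoured and %-encoded the way the
# RewriteMap escape delivers it in the header.
SAMPLE_DER = b"constructed stand-in for a DER certificate, not real ASN.1"
SAMPLE_HEADER = quote(pem_from_der(SAMPLE_DER))
OTHER_HEADER = quote(pem_from_der(b"a different certificate body"))
ALLOWLIST = {fingerprint(SAMPLE_DER): "alice"}

if __name__ == "__main__":
    ok = {"SSL_CLIENT_VERIFY": "SUCCESS", "HTTP_L_CLIENTCERT": SAMPLE_HEADER}
    print(authorize(ok, ALLOWLIST))                                   # alice
    print(authorize({**ok, "SSL_CLIENT_VERIFY": "NONE"}, ALLOWLIST))  # None
```

Two design points carry over from the configuration above: the header is trustworthy only because `RequestHeader unset L-ClientCert` runs before the `set`, so a value supplied by the client can never reach the application; and hashing the DER rather than comparing PEM text makes the lookup independent of line wrapping or trailing newlines. The FAILED:reason branch is only ever reached under SSLVerifyClient optional_no_ca; under optional a revoked or unverifiable certificate aborts the handshake before the application sees anything, which is the hard-stop Jaz describes.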



Re: Authenticating users based on S/MIME certificate

2008-09-22 Thread Matt Stevenson
Hi,

Have a look at mod_authz_ldap (LDAP-based whitelisting,
http://authzldap.othello.ch/). Probably far more than you need, but it
does things along the same lines and has some nice notes on how to do
various bits and pieces.

You can add env vars that you can use from PHP; have a look at SSLOptions
+StdEnvVars and +ExportCertData.

Regards
Matt



- Original Message 
From: Gunnar Vestergaard [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

Hi. I am an administrator of a user account at an Apache web server. 
Currently the server is running Apache 1.3.37. My hosting provider plans 
on switching to new hardware with possibly new software. So I don't know 
if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my 
web server using some certificate, possibly S/MIME certificates.

Now, my current S/MIME certificate for personal e-mail is approved for 
the following purposes:
Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards 
an SSL web server? In any case I want to have a limited crowd of users 
seeing a subdirectory of pages without bothering the user with a user 
name/password dialog. Just their personal certificate lets them see 
pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP 
can read and interpret an SSL client certificate. Is that correct?

Gunnar



  


Authenticating users based on S/MIME certificate

2008-09-20 Thread Gunnar Vestergaard
Hi. I am an administrator of a user account at an Apache web server. 
Currently the server is running Apache 1.3.37. My hosting provider plans 
on switching to new hardware with possibly new software. So I don't know 
if my web server will be run on Apache 1.3.37 or Apache 2.0.


My goal is to let visitors of my web site authenticate themselves to my 
web server using some certificate, possibly S/MIME certificates.


Now, my current S/MIME certificate for personal e-mail is approved for 
the following purposes:

Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards 
an SSL web server? In any case I want to have a limited crowd of users 
seeing a subdirectory of pages without bothering the user with a user 
name/password dialog. Just their personal certificate lets them see 
pages in a certain subdirectory.


As I understand the documentation for PHP, there is no means whereby PHP 
can read and interpret an SSL client certificate. Is that correct?


Gunnar


Customizing error message when using certificate based authentication

2008-01-03 Thread Christian Nolte

Hi!

I have set up certificate based authentication using

SSLVerifyClient require

in my httpd.conf. Everything works fine but if a client does not have a
valid certificate Firefox gives an obscure error message:

www.example.com has received an incorrect or unexpected message. Error
Code: -12227

Is there a way to give the client a normal error page, like e.g. for 404
errors?

Best regards!
Christian

- --
For more than 4 generations the IT Professionals were the guardians
of quality and stability in software. Before the dark times.
Before Microsoft...



Re: Customizing error message when using certificate based authentication

2008-01-03 Thread Roy Keene (Contractor)

Christian Nolte wrote:


Hi!

I have set up certificate based authentication using

SSLVerifyClient require

in my httpd.conf. Everything works fine but if a client does not have a
valid certificate Firefox gives an obscure error message:

www.example.com has received an incorrect or unexpected message. Error
Code: -12227

Is there a way to give the client a normal error page, like e.g. for 404
errors?

Best regards!
Christian

- --
For more than 4 generations the IT Professionals were the guardians
of quality and stability in software. Before the dark times.
Before Microsoft...




II. Tricks
   1. Redirect all HTTP requests to HTTPS
a. Load mod_rewrite  (see:
   http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
b. Add the following rule to your non-HTTPS server configuration
   (httpd.conf):
# Require HTTPS
RewriteEngine on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]

   2. Redirect all requests that fail to authenticate to an error page
a. Load mod_rewrite  (see:
   http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
b. Add the following rule to your HTTPS server configuration
   (mod_ssl.conf):
i. Apache 1.3.x: (NOTE:  Internet Explorer does not work
   correctly with Apache 1.3.x and mod_ssl when SSLVerifyClient
   is set to anything except none)
# Redirect client-verification-failures to a specific
# page.
RewriteEngine on
RewriteCond %{SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule . /error-pages/pki/pki-invalid.html [last]
ii. Apache 2.2.x:
# Redirect client-verification-failures to a specific
# page.
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule . /error-pages/pki/pki-invalid.html [last]
c. Change SSLVerifyClient to optional (NOTE:  Internet Explorer
   does not work correctly with Apache 1.3.x and mod_ssl when
   SSLVerifyClient is set to anything except none)
SSLVerifyClient optional

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827



Re: just installed certificate and I'm getting the wrong site...

2007-12-28 Thread Chris Jordan
Sorry for bumping my own post, but I'm really in need of help here. I'm at a
loss. Maybe it's because folks are on holiday given the time of year, but if
anyone thinks they can help, I'd very much appreciate it. :o)

Thanks,
Chris

On Dec 27, 2007 3:30 PM, Chris Jordan [EMAIL PROTECTED] wrote:

 Hi folks,

 I'm a complete newbie to this stuff, and I need a little more help.

 I'm running Apache 2.2.4 on Fedora Core 6 (2.6.20-1.292.fc6). My first
 problem after I installed the certificate is that we apparently had an old
 self-signed certificate installed. So, once I figured out that the SSL
 directives were in the conf.d/ssl.conf and not in conf/httpd.conf, I was
 able to put my certificate information in that file and now our server is
 using our real certificate and not the self-signed one.

 Our server runs multiple domains using virtual hosting, and I've read
 through the archives enough to find out that I can't do named virtual host
 with SSL. That's fine. My problem now is that when I browse to:
 https://mysecuredomain.com, I'm getting sent to another one of our other
 domains  (wrongdomain.com -- for the sake of discussion) except that the
 URL in the address bar still says: https://mysecuredomain.com.

 I'm confused. I've searched through the archives, but can't seem to find
 out how this is happening.

 Here's another strange bit. We've got an old version and a newer version
 of  wrongdomain.com and when I  browse to http://wrongdomain.com I get
 the new version. When I browse to https://wrongdomain.com I get the *old*
 version of the site -- just as I do when I browse to
 https://mysecuredomain.com...

 I hope I'm explaining this well enough. I really need help on how to get
 things working properly.

 The other thing that I'm curious about is whether we'll be able to secure
 any of our other domains hosted from this box in the future if we need to.
 From the reading I've done I'm thinking that's going to be a 'No', but what
 if we use the same certificate for all sites? That may be a dumb question,
 but again, I'm a genuine newbie here.

 My main concern is about the first part of this post... the side question
 about multiple domains is less important to me, but I'd still like to know.
 I sure hope someone can help me.

 Thanks heaps,
 Chris


 --
 http://cjordan.us




-- 
http://cjordan.us


Re: just installed certificate and I'm getting the wrong site...

2007-12-28 Thread Glyn Astill
Hi Chris,

This sounds to me like more of an apache configuration problem.
Perhaps if you posted some bits of your httpd.conf someone could spot
the problem.

Could you clarify on the old and new versions of wrongdomain.com? Are
both still present on your server with the old one residing in
another directory?

It sounds to me like when you come through to your server from
mysecuredomain.com via https, you come through to the first virtual
directory / host, which is wrongdomain.com, because they're both on
the same IP. What happens if you switch the order of your virtual
hosts, do you come through to a different site?

I'd be switching my conf files about to experiment and see what
happens in order to figure out the problem.

Glyn 


--- Chris Jordan [EMAIL PROTECTED] wrote:

 Sorry for bumping my own post, but I'm really in need of help here.
 I'm at a
 loss. Maybe it's because folks are on holiday given the time of
 year, but if
 anyone thinks they can help, I'd very much appreciate it. :o)
 
 Thanks,
 Chris
 
 On Dec 27, 2007 3:30 PM, Chris Jordan [EMAIL PROTECTED]
 wrote:
 
  Hi folks,
 
  I'm a complete newbie to this stuff, and I need a little more
 help.
 
  I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6).
 My first
  problem after I installed the certificate is that we apparently
 had an old
  self-signed certificate installed. So, once I figured out that
 the SSL
  directives were in the conf.d/ssl.conf and not in
 conf/httpd.conf, I was
  able to put my certificate information in that file and now our
 server is
  using our real certificate and not the self-signed one.
 
  Our server runs multiple domains using virtual hosting, and I've
 read
  through the archives enough to find out that I can't do named
 virtual host
  with SSL. That's fine. My problem now is that when I browse to:
  https://mysecuredomain.com, I'm getting sent to another one of
 our other
  domains  (wrongdomain.com -- for the sake of discussion) except
 that the
  URL in the address bar still says: https://mysecuredomain.com.
 
  I'm confused. I've searched through the archives, but can't seem
 to find
  out how this is happening.
 
  Here's another strange bit. We've got an old version and a newer
 version
  of  wrongdomain.com and when I  browse to
 http://wrongdomain.com I get
  the new version. When I browse to https://wrongdomain.com I get
 the *old*
  version of the site -- just as I do when I browse to
  https://mysecuredomain.com...
 
  I hope I'm explaining this well enough. I really need help on how
 to get
  things working properly.
 
  The other thing that I'm curious about is whether we'll be able
 to secure
  any of our other domains hosted from this box in the future if we
 need to.
  From the reading I've done I'm thinking that's going to be a
 'No', but what
  if we use the same certificate for all sites? That may be a dumb
 question,
  but again, I'm a genuine newbie here.
 
  My main concern is about the first part of this post... the side
 question
  about multiple domains is less important to me, but I'd still
 like to know.
  I sure hope someone can help me.
 
  Thanks heaps,
  Chris
 
 
  --
  http://cjordan.us
 
 
 
 
 -- 
 http://cjordan.us
 





__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: just installed certificate and I'm getting the wrong site...

2007-12-28 Thread Orville Weyrich - KD7HJV
From your description it sounds like you have a
virtual host defining the new version of
wrongdomain.com plus you have a global definition of
the old version of wrongdomain.com.

Then it sounds like you have not specified the data
location inside the virtual host where you define
mysecuredomain.com, so that you are picking up the
global definition.

Cure in this scenario is to override the global
configuration information inside the virtual host for
mysecuredomain.com (or if you do not have a virtual
host for mysecuredomain.com, create one).

As for the problem of https://wrongdomain.com
responding, recall that there can be only one port 443
per ip address, and Apache does not look at domain
names in deciding to serve https, only the ip address.

Cure: I think you can use rewrite rules to direct
traffic addressed to https://wrongdomain.com to a
safe directory (I have not tried this).  Or see
below.

As for serving more than one secure web site from a
single computer, yes you can do this, but recall the
limit of one port 443 per ip address.  

You can either arrange for your computer to have
multiple ip addresses (add multiple NIC cards or dink
around with the ifconfig or other etc files depending
on your flavor of Unixoid OS), and then run multiple
instances of Apache listening on different ip
addresses.  Be sure that your separate instances of
Apache define different locations for their
housekeeping files. This will also solve your
https://wrongdomain.com problem.

Or, you can use a port other than 443 for https with a
single ip address, but this is ugly if the user has to
type in the URL.  Not sure if a single instance of
Apache can handle two different secure ports in
different virtual hosts, but you certainly can use
separate instances of Apache on the same box.

Regards,

orville

www.weyrich.com

--- Chris Jordan [EMAIL PROTECTED] wrote:

 Hi folks,
 
 I'm a complete newbie to this stuff, and I need a
 little more help.
 
 I'm running apache 2.2.4 on a Fedora Core 6
 (2.6.20-1.292.fc6). My first
 problem after I installed the certificate is that we
 apparently had an old
 self-signed certificate installed. So, once I
 figured out that the SSL
 directives were in the conf.d/ssl.conf and not in
 conf/httpd.conf, I was
 able to put my certificate information in that file
 and now our server is
 using our real certificate and not the self-signed
 one.
 
 Our server runs multiple domains using virtual
 hosting, and I've read
 through the archives enough to find out that I can't
 do named virtual host
 with SSL. That's fine. My problem now is that when I
 browse to:
 https://mysecuredomain.com, I'm getting sent to
 another one of our other
 domains  (wrongdomain.com -- for the sake of
 discussion) except that the URL
 in the address bar still says:
 https://mysecuredomain.com.
 
 I'm confused. I've searched through the archives,
 but can't seem to find out
 how this is happening.
 
 Here's another strange bit. We've got an old version
 and a newer version of
 wrongdomain.com and when I  browse to
 http://wrongdomain.com I get the new
 version. When I browse to https://wrongdomain.com I
 get the *old* version of
 the site -- just as I do when I browse to
 https://mysecuredomain.com...
 
 I hope I'm explaining this well enough. I really
 need help on how to get
 things working properly.
 
 The other thing that I'm curious about is whether
 we'll be able to secure
 any of our other domains hosted from this box in the
 future if we need to.
 From the reading I've done I'm thinking that's going
 to be a 'No', but what
 if we use the same certificate for all sites? That
 may be a dumb question,
 but again, I'm a genuine newbie here.
 
 My main concern is about the first part of this
 post... the side question
 about multiple domains is less important to me, but
 I'd still like to know.
 I sure hope someone can help me.
 
 Thanks heaps,
 Chris
 
 
 -- 
 http://cjordan.us
 



  





just installed certificate and I'm getting the wrong site...

2007-12-27 Thread Chris Jordan
Hi folks,

I'm a complete newbie to this stuff, and I need a little more help.

I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6). My first
problem after I installed the certificate is that we apparently had an old
self-signed certificate installed. So, once I figured out that the SSL
directives were in the conf.d/ssl.conf and not in conf/httpd.conf, I was
able to put my certificate information in that file and now our server is
using our real certificate and not the self-signed one.

Our server runs multiple domains using virtual hosting, and I've read
through the archives enough to find out that I can't do named virtual host
with SSL. That's fine. My problem now is that when I browse to:
https://mysecuredomain.com, I'm getting sent to another one of our other
domains  (wrongdomain.com -- for the sake of discussion) except that the URL
in the address bar still says: https://mysecuredomain.com.

I'm confused. I've searched through the archives, but can't seem to find out
how this is happening.

Here's another strange bit. We've got an old version and a newer version of
wrongdomain.com and when I  browse to http://wrongdomain.com I get the new
version. When I browse to https://wrongdomain.com I get the *old* version of
the site -- just as I do when I browse to https://mysecuredomain.com...

I hope I'm explaining this well enough. I really need help on how to get
things working properly.

The other thing that I'm curious about is whether we'll be able to secure
any of our other domains hosted from this box in the future if we need to.
From the reading I've done I'm thinking that's going to be a 'No', but what
if we use the same certificate for all sites? That may be a dumb question,
but again, I'm a genuine newbie here.

My main concern is about the first part of this post... the side question
about multiple domains is less important to me, but I'd still like to know.
I sure hope someone can help me.

Thanks heaps,
Chris


-- 
http://cjordan.us


After replacing ssl certificate, apache fails to start but gives no error

2007-12-17 Thread Richard Onanian
I've updated my ssl public certificate and intermediate certificate
according to the instructions at
http://www.verisign.com/support/ssl-certificates-support/page_dev019509.html
I also made sure the file permissions match. Now apache won't start, and
doesn't indicate any error:

 [EMAIL PROTECTED] root]# apachectl startssl
 Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide us with the pass phrases.

 Server webamc.annamaria.edu:443 (RSA)
 Enter pass phrase:
 [EMAIL PROTECTED] root]# netstat -anp | grep 443
 [EMAIL PROTECTED] root]#

Also, nothing shows up in /var/log/httpd/error_log,
/var/log/httpd/access_log (of course), or /var/log/messages.


If I put the old certificate back, it works:

 [EMAIL PROTECTED] root]# apachectl startssl
 Apache/2.0.55 mod_ssl/2.0.55 (Pass Phrase Dialog)
 Some of your private key files are encrypted for security reasons.
 In order to read them you have to provide us with the pass phrases.

 Server webamc.annamaria.edu:443 (RSA)
 Enter pass phrase:
 [EMAIL PROTECTED] root]# netstat -anp | grep 443
 tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1197/httpd
 [EMAIL PROTECTED] root]#


How can I troubleshoot this? I don't have any experience with modssl, I've
inherited responsibility for this system. Our certificate expires in two
days. :(

Thanks,
  Rick Onanian
  Network Administrator
  Anna Maria College 



Re: After replacing ssl certificate, apache fails to start but gives no error

2007-12-17 Thread Richard Onanian
I wrote:
  I've updated my ssl public certificate and intermediate certificate
  according to the instructions [...]
  I also made sure the file permissions match. Now apache won't start, and
  doesn't indicate any error:
  Also, nothing shows up in /var/log/httpd/error_log,
  /var/log/httpd/access_log (of course), or /var/log/messages.

Okay, I figured it out. I tried breaking things until I found the same 
symptom. I found that when I used the wrong private key, it had the same 
symptom. Sure enough, that was the problem. The CSR I used to get the 
certificate signed by Verisign was for a different key. I now have a 
significantly better understanding of how the whole process works.

Why doesn't modssl provide any error message or log entry?

Is it insecure to use an old key pair? What's the appropriate thing to 
do -- create a new key pair (and a new CSR) each time you renew your 
signed certificate, or just re-use the old key pair and get a new signed 
certificate?

Thanks,
  Rick Onanian
  Network Administrator
  Anna Maria College
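A check for exactly the failure described in this thread, added here as an example (it is not from the thread): before restarting Apache, confirm that the public key inside the certificate is the one belonging to the private key named in SSLCertificateKeyFile. It assumes the openssl command-line tool is installed and an RSA key, as in the transcript above; the key and certificate its demo generates are throwaway values.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an X.509 certificate and a
# private key belong together. A wrong key makes mod_ssl fail at startup
# without a useful message, so this is worth running before every restart.
# Assumes the openssl CLI is installed and the key is an RSA key.

# cert_key_match CERT.pem KEY.pem
#   exit 0 if the public keys are identical, 1 if they differ, 2 on read error
cert_key_match() {
    # Both commands emit the public key as a PEM "PUBLIC KEY" block, so the
    # two strings can be compared directly.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $1" >&2; return 2; }
    # For an encrypted key append e.g. -passin file:/path/to/passphrase
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) ||
        { echo "cannot read private key $2" >&2; return 2; }
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Self-test on constructed data: a throwaway self-signed certificate with its
# own key (must match) and a second, unrelated key (must not match).
demo_cert_key_check() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$d/site.key" -out "$d/site.crt" >/dev/null 2>&1 ||
        { rm -rf "$d"; return 2; }
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 ||
        { rm -rf "$d"; return 2; }

    rc=0
    if cert_key_match "$d/site.crt" "$d/site.key"; then
        echo "site.crt / site.key: match"
    else
        echo "site.crt / site.key: MISMATCH (unexpected)"; rc=1
    fi
    if cert_key_match "$d/site.crt" "$d/other.key"; then
        echo "site.crt / other.key: match (unexpected)"; rc=1
    else
        echo "site.crt / other.key: mismatch, as expected"
    fi
    rm -rf "$d"
    return $rc
}

# Usage: sh check.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then
        echo "match: $1 and $2 belong together"
    else
        echo "MISMATCH: $1 was not issued for the key in $2"
        exit 1
    fi
fi
```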



Apache2, modssl and wildcard certificate

2007-11-13 Thread Wim Sturkenboom
Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 PHP/5.2.3


Not sure if this belongs here or in another mailing list (apache). I
like to know how I can setup subdomains with a wildcard certificate?

1)
Originally I had a couple of websites with ssl (https), each site with
its own ip-address and its own certificate. In an attempt to save on
IP-addresses, I thought that subdomains and a wildcard certificate would
allow me to use one ip-address (and therefore name-based virtual
hosting).
Is this the correct assumption? If it's correct, please read on. If this
is not correct, what to do to get it working?

2)
I've created a self-signed wildcard certificate. When I (re)start
apache, the following warnings occur:

[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN)
`*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN)
`*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict:
cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs.
tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
[Wed Nov 14 07:34:33 2007] [warn] Init: You should not use name-based
virtual hosts in conjunction with SSL!!
[Wed Nov 14 07:34:33 2007] [notice] Digest: generating secret for digest
authentication ...
[Wed Nov 14 07:34:33 2007] [notice] Digest: done
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN)
`*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN)
`*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] Init: SSL server IP/port conflict:
cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs.
tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)


How do I get rid of the first 2 warnings (and the repeats later on for
different subdomains)? Something I did wrong while creating the
certificate?
I do understand the cause of the third warning (and its repeats). This
would imply that wildcard certificates and subdomains using name-based
virtual hosting are not possible. Any way that I can work around this?


This is (part of) my /etc/httpd/extra/httpd-ssl.conf

NameVirtualHost *:443

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout  300

# note: no space between the colon and the first /
SSLMutex  file:/var/run/httpd/ssl_mutex

# command centre
#<VirtualHost _default_:443>
<VirtualHost *:443>

DocumentRoot /home/cc/www/ils/web
ServerName cc.lbtd-techweb01
#ServerAlias cc.lbtd-techweb01
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certificates/lbtd-techweb01.crt
SSLCertificateKeyFile /etc/httpd/certificates/lbtd-techweb01.key

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

<Directory /home/cc/www/ils/web>
Order allow,deny
Allow from all
</Directory>

</VirtualHost>


Wim Sturkenboom
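An added example (not from the thread) of the rule a wildcard name follows when a client checks it against a hostname: "*." stands for exactly one DNS label, so *.lbtd-techweb01 covers cc.lbtd-techweb01 and tac.lbtd-techweb01 but not www.cc.lbtd-techweb01 or the bare lbtd-techweb01. It is a hostname check only and does not reproduce mod_ssl's own startup comparison that produced the warnings above.

```shell
#!/bin/sh
# Added example, not from the thread: which hostnames a certificate name with
# a leading "*." covers. Pure POSIX sh, no openssl needed.

# hostname_matches HOST PATTERN
#   PATTERN is a certificate CN or DNS SAN; "*." at its start matches exactly
#   one label. Comparison is case-insensitive. A "*" anywhere else is taken
#   literally (such partial wildcards are not relied on in practice).
hostname_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            # The part after "*." must equal the host with its first label
            # removed, and the host must have a first label to remove.
            suffix=${pattern#\*.}
            case "$host" in
                *.*) [ "${host#*.}" = "$suffix" ] ;;
                *)   return 1 ;;
            esac
            ;;
        *)
            [ "$host" = "$pattern" ]
            ;;
    esac
}

# Constructed sample hosts against the wildcard name from the thread.
for h in cc.lbtd-techweb01 tac.lbtd-techweb01 www.cc.lbtd-techweb01 lbtd-techweb01; do
    if hostname_matches "$h" '*.lbtd-techweb01'; then
        echo "$h: covered by *.lbtd-techweb01"
    else
        echo "$h: NOT covered by *.lbtd-techweb01"
    fi
done
```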


Unable to configure X.509 CRL storage for certificate revocation

2007-09-02 Thread Tim Boyer
I'm moving a number of web pages from a RHEL3 server running Apache 2.0.46 to a
RHEL5 system running 2.2.3. The unsecure pages are running just fine, but if I
have ssl.conf in the conf.d directory, httpd won't start up.
 
The only error message I can find anywhere is in ssl.error_log: 
 
[Sat Sep 01 19:03:26 2007] [error] Unable to configure X.509 CRL storage for
certificate revocation 
 
Googling on that particular string is singularly unhelpful.  

Any nudge in the right direction gratefully appreciated...
 

-- 
Tim Boyer 
Chief Technology Officer
Denman Tire Corporation
[EMAIL PROTECTED]



Re: Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

2007-08-08 Thread Arsen Hayrapetyan
Hello Joe,
Thank you very much for the exhaustive answer.

Best regards,
Arsen.

On Tue, 7 Aug 2007, Joe Orton wrote:

 On Tue, Aug 07, 2007 at 02:25:54PM +0200, Arsen Hayrapetyan wrote:
  Hello,
  
  I am setting up client authentication with X.509 certificates.
  The client has the certificate subject DN of the following form:
  /C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
  I need to catch both OUs in my perl CGI script. But when I am trying to
  get the values of OUs with the following piece of code:
  
  $variable=$ENV{SSL_CLIENT_S_DN_OU};
  print "$variable \n";
  $variable=$ENV{SSL_CLIENT_S_DN_OU};
  print "$variable \n";
  
  both print statements print ZZZ (the first OU).
  
  How can I catch both OUs in my CGI script? Does mod_ssl see the first OU
  only?
 
 It has access to them all, but only exports the first.
 
 If you upgrade to 2.2.x, you could hack ssl_engine_kernel.c by adding:
 
  "SSL_CLIENT_S_DN_OU_0",
  "SSL_CLIENT_S_DN_OU_1",
 
 to the ssl_hook_Fixup_vars[] array.  This will force the first and 
 second OU field to be exported to CGI scripts in those named variables.  
 Note that this won't work with 2.0.x, which doesn't support the _N 
 suffix.
 
  My apache version is 2.0.55. However I don't know the version of mod_ssl.
  By the way, how can I determine what version of mod_ssl module do I have?
 
 mod_ssl is integrated into the httpd 2.x tree, so there is no separate 
 version.
 
 joe
 


Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

2007-08-07 Thread Arsen Hayrapetyan
Hello,

I am setting up client authentication with X.509 certificates.
The client has the certificate subject DN of the following form:
/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
I need to catch both OUs in my perl CGI script. But when I am trying to
get the values of OUs with the following piece of code:

$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable \n";
$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable \n";

both print statements print ZZZ (the first OU).

How can I catch both OUs in my CGI script? Does mod_ssl see the first OU
only?

My apache version is 2.0.55. However I don't know the version of mod_ssl.
By the way, how can I determine what version of mod_ssl module do I have?

Thanks for the help in advance,
Arsen.


Re: Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

2007-08-07 Thread Joe Orton
On Tue, Aug 07, 2007 at 02:25:54PM +0200, Arsen Hayrapetyan wrote:
 Hello,
 
 I am setting up client authentication with X.509 certificates.
 The client has the certificate subject DN of the following form:
 /C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
 I need to catch both OUs in my perl CGI script. But when I am trying to
 get the values of OUs with the following piece of code:
 
 $variable=$ENV{SSL_CLIENT_S_DN_OU};
 print "$variable \n";
 $variable=$ENV{SSL_CLIENT_S_DN_OU};
 print "$variable \n";
 
 both print statements print ZZZ (the first OU).
 
 How can I catch both OUs in my CGI script? Does mod_ssl see the first OU
 only?

It has access to them all, but only exports the first.

If you upgrade to 2.2.x, you could hack ssl_engine_kernel.c by adding:

 "SSL_CLIENT_S_DN_OU_0",
 "SSL_CLIENT_S_DN_OU_1",

to the ssl_hook_Fixup_vars[] array.  This will force the first and 
second OU field to be exported to CGI scripts in those named variables.  
Note that this won't work with 2.0.x, which doesn't support the _N 
suffix.

 My apache version is 2.0.55. However I don't know the version of mod_ssl.
 By the way, how can I determine what version of mod_ssl module do I have?

mod_ssl is integrated into the httpd 2.x tree, so there is no separate 
version.

joe
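As an added example (not from the thread and not mod_ssl's code), one way to get both OUs in a CGI script without patching ssl_engine_kernel.c: parse the full SSL_CLIENT_S_DN string, which mod_ssl exports next to SSL_CLIENT_S_DN_OU in the slash-separated format shown above, and gate on SSL_CLIENT_VERIFY before trusting it. It is written as POSIX shell; the same split applies in Perl.

```shell
#!/bin/sh
# Added example, not from the thread: recover every OU of a client certificate
# from SSL_CLIENT_S_DN, since SSL_CLIENT_S_DN_OU carries only the first one.
# Assumes the slash-separated DN format shown in the thread
# (/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT). That format does not escape "/", so a
# value that itself contains "/" cannot be recovered unambiguously.

# dn_attr_values ATTR DN
#   print every value of ATTR found in DN, one per line, in certificate order
dn_attr_values() {
    printf '%s\n' "$2" | tr '/' '\n' | awk -F= -v want="$1" '
        NF >= 2 && $1 == want {
            sub(/^[^=]*=/, "")   # drop "ATTR=", keep the rest even if it has "="
            print
        }'
}

# dn_attr_nth ATTR DN N
#   the N-th value (0-based, like the _0/_1 variables above); empty if absent
dn_attr_nth() {
    dn_attr_values "$1" "$2" | sed -n "$(( $3 + 1 ))p"
}

# verified_client_ous SSL_CLIENT_VERIFY SSL_CLIENT_S_DN
#   OUs of the client certificate, but only when mod_ssl reports the
#   certificate as verified: with SSLVerifyClient optional_no_ca the DN
#   variables can be populated from a certificate that failed verification,
#   so a CGI script must check SSL_CLIENT_VERIFY before trusting the DN.
verified_client_ous() {
    [ "$1" = "SUCCESS" ] || return 1
    dn_attr_values OU "$2"
}

# Stand-alone demo on the DN from the thread. Inside a CGI script, pass
# "${SSL_CLIENT_VERIFY:-}" "${SSL_CLIENT_S_DN:-}" instead.
demo_dn='/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT'
echo "all OUs:"
dn_attr_values OU "$demo_dn"
echo "OU_1: $(dn_attr_nth OU "$demo_dn" 1)"
if verified_client_ous "${SSL_CLIENT_VERIFY:-NONE}" "$demo_dn" >/dev/null; then
    echo "client verified, DN trusted"
else
    echo "client not verified, DN ignored"
fi
```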


re: client certificate authentication and IE friendly errors

2007-05-22 Thread donal . hanna
Hello,

I'm having a problem with Internet Explorer's "Show friendly HTTP error
messages" in response to a 403 generated by an SSLRequire directive, when
trying client certificate authentication. 

I've come across some information about over-riding the browser config by
setting the size of the message [greater than 512 bytes for a 403], which
doesn't appear to work. Unfortunately I can't rely on users having unchecked
this setting in the browser options.

The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq
"SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the
same Location directive. I've combined these because there is a likelihood
that the resource will be accessed by clients without certificates, and I'm
trying to trap this in as friendly a way as possible.

Everything works fine in my testing [good cert, no cert, wrong cert], except
when I try to hit the server with an expired client certificate in IE. Because
of some testing constraints around where I get the certificates from I've been
simulating expiry by adjusting the time on both the desktop and server - just
the client cert is expired at the chosen time; not the issuing CA cert or web
server's.

With an expired client certificate, my ErrorDocument 403 is correctly
displayed if the 'show friendly messages' is unchecked, but the browser shows
a 'page cannot be displayed' error if the setting is enabled. I can't see
anything in the logs to distinguish the two states. A reload on the browser
correctly renders the error.

Is this something that anyone else has come across? I've checked the archives,
and although people have cited problems with friendly errors
[http://marc.info/?l=apache-modssl&m=101554001204754&w=2] the circumstances
seem different.

Is there a saner way of handling the access attempts from browsers attempting
to access the same resource both with and without client certs?

Version info:
- desktop: XP SP2, IE version 6.0.29...
- server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl
0.9.8e

I have the SetEnvIf HTTP_USER_AGENT .*MSIE.* ... enabled as per default
config. SSLCACertificateFile has a single entry for the issuing CA.

Thanks,

Donal






Web Interface Certificate Management

2007-04-10 Thread ssmith3988
I was interested in working on a project, and wanted to get some other 
people's ideas and inputs. My idea is to make a nice interface for creating 
SSL certificates for Apache/mod_ssl instead of running OpenSSL from the 
command line. I think there are a lot of people that would appreciate such 
a little tool. Since the certificate will eventually be used to protect a 
web server, I think the tool should be web based.


Here's what I'm thinking:

When you first install Apache, you can browse to some predetermined URL 
that's served by your installation. Obviously, you don't want this to be 
from outside the network, so let's just say we'll do some verification that 
the request comes from an authorized person. When you go to this URL, you 
encounter a form that asks for the typical certificate information such as 
the Common Name, the location, etc. We can populate this form with as much 
configuration info as we like.


When the user hits the Configure button, we'll call the necessary OpenSSL 
interfaces to create a certificate, and then update the configuration files 
to set everything up properly. We can even add an interface to ship off a 
CSR to a CA, and a nice interface to deal with the response.


I'd like this to be very easy for people to use. Something that can be used 
by just dropping a file someplace without dealing with any installation issues.


Has anyone ever heard of anything like this? Any good ideas on where to 
start for building such a tool? Is this something that could be built into 
mod_ssl, or should it be a sibling module? Should this be an Apache module 
at all? What kind of tools/architecture would you use? Any other ideas on 
how to make this better?



Sander Smith




Client Certificate size

2007-01-23 Thread Vishal . Sharma
Hi,
Is there an upper bound on the maximum client certificate size that
Apache/mod_ssl can handle?
I am using
SSL_VERSION_LIBRARY=OpenSSL/0.9.7b , Apache 1.3.27
Thanks,
Vishal






Re: apache segfaults on startup after specifying the certificate file and key

2006-12-30 Thread Yvo van Doorn

You will have better luck on the apache mailing lists (
http://httpd.apache.org) as mod_ssl on this website, as told on modssl.org,
is only for apache 1.x. As of 2.x modssl is incorporated into the apache
distribution and is also maintained by the apache http server project.

On 12/29/06, Mark Robinson [EMAIL PROTECTED] wrote:


Hi all,
I am running freebsd 6.1 and apache 2.2.0_7
I am new to SSL and have configured a self-signed certificate
according to http://slacksite.com/apache/certificate.html
I placed the .crt and .pem files in /usr/local/etc/apache22 and set
the .pem file readable only by root
When I start up apache it gives a segmentation fault and stops.
When I set the logging option in httpd.conf to debug, the log file shows the
following before the seg fault:

[Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sat Dec 30 00:48:27 2006] [info] Loading certificate & private key of SSL-aware server
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual) servers for SSL
[Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName (CN) `mail.reoins.com' does NOT match server name!?
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768): Configuring RSA server private key
[Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr 209.163.210.42

Thanks for any help or suggestions.



apache segfaults on startup after specifying the certificate file and key

2006-12-29 Thread Mark Robinson

Hi all,
I am running freebsd 6.1 and apache 2.2.0_7
I am new to SSL and have configured a self-signed certificate  
according to http://slacksite.com/apache/certificate.html
I placed the .crt and .pem files in /usr/local/etc/apache22 and set  
the .pem file readable only by root

When I start up apache it gives a segmentation fault and stops.
When I set the logging option in httpd.conf to debug, the log file shows the
following before the seg fault:

[Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
[Sat Dec 30 00:48:27 2006] [info] Loading certificate & private key of SSL-aware server
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual) servers for SSL
[Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
[Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName (CN) `mail.reoins.com' does NOT match server name!?
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768): Configuring RSA server private key
[Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr 209.163.210.42


Thanks for any help or suggestions.


Client certificate

2006-11-14 Thread Vishal . Sharma
Hi,

I am trying to implement client authentication based on client certificates.

I want to throw up an error message to the user/browser in case the client certificate is invalid.

What I got was the "The page cannot be displayed" error if an invalid (expired) client certificate is sent, and I see the following in the logs.

==

[Tue Nov 14 16:52:53 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification: Error (10): certificate has expired

[Tue Nov 14 16:52:57 2006] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)

[Tue Nov 14 16:52:57 2006] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

[Tue Nov 14 16:52:57 2006] [info] [client 14.64.53.89] client stopped connection before rflush completed




Ideally, I would like to be able to find that the client certificate has expired using the SSL_CLIENT_* variables and be able to give the user some error message.

Is it possible?


Thanks,

Vishal









Certificate issue.

2006-09-18 Thread Waller, Lonie



Hello,

Was wondering if anyone has seen this error and can help me correct it? It is for a test box; a self-signed certificate is all I need.

Thanks
Lonie


HTTP Status 500 -

type: Exception report
message:
description: The server encountered an internal error () that prevented it from fulfilling this request.
exception:
javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:319)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)


root cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
	com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
	com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
	com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
	com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
	com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
	sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
	edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
	edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:278)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:283)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)


note: The full stack trace of the root cause is available in the Apache Tomcat/5.0.27 logs.

Apache Tomcat/5.0.27


Re: Certificate and CRL Path Validation Error

2006-09-04 Thread Joe Orton
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
 On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
 
  (I'll probably take this over to modssl-devel, but since you asked, I
  thought that I would bring it up here.)
 
 
 Hmm - I thought there WAS a developers mailing list, but apparently I was 
 mistaken - so I guess I have to ask is this the right place to have 
 discussions about the best way to add in the capability for mod_ssl to do 
 full 3280 path validation?

New mod_ssl development generally happens in the httpd 2.x tree, so 
dev@httpd.apache.org is where it is discussed.  I don't think Ralf is 
adding new features to mod_ssl 2.8 any more.

Regards,

joe


Certificate and CRL Path Validation Error

2006-08-31 Thread rlabbe
All,

I am working in an environment utilizing a PKI consisting of several 
Root and Intermediate Certificate Authorities. In order to reduce the 
overhead when requiring client authentication using digital 
certificates, I am using the following two directives:

SSLCACertificatePath – Used for Root and Intermediate CAs
SSLCARevocationPath – Used to Process Certificate Revocation Lists

I’ve yet to encounter a version of Apache and Mod_SSL performing proper 
path validation. If a user presents a certificate that is revoked, but 
not included in the directory containing all the PEM/Base64 encoded CRL 
files and associated symbolic links, Apache allows access. 

If a user presents a certificate issued from an Intermediate 
Certificate Authority that is not included in the directory containing 
all the Root and Intermediate CA certificates in PEM/Base64 encoded 
format and associated symbolic links, he/she is allowed access.

I would prefer the system to validate the entire chain and not allow 
access in the event a local CRL file or Intermediate CA certificate is 
not available. By default, IIS performs this path validation correctly. 
If IIS does not have a current CRL file issued by each and every CA in 
the certificate path, the client is denied access. If IIS does not have 
a certificate from each and every CA in the certificate path, the 
client is denied access.

I am trying to automate the process of updating the CA certificate 
directory and associated CRL directories by scheduling a job to run on 
a nightly basis. If Apache has a local CRL and CA certificate from each 
and every CA in the path used to issue the client certificates, then 
all checks are performed and the client is properly validated. 

I would prefer the system default to “Closed” instead of “Open” in the 
event an Intermediate CA certificate is unavailable or no CRL file is 
available. Again, the system must have at least one CA certificate 
trusted and available locally, but no CRL files.

Note: I have issued a client certificate from a client certificate 
issued by one of the Intermediate CAs and Apache does deny access 
because the key usage of the client certificate does not allow it to be 
used as a Root CA and issue additional client certificates. I used 
OpenSSL in order to issue client certificates from a client 
certificate. This type of path validation seems to work on all the 
versions of Apache and Mod_SSL I’ve tested.

Thanks


Re: Certificate and CRL Path Validation Error

2006-08-31 Thread Patrick Patterson
Hi There:

The limitations of mod_ssl for path validation are further than what you have 
described, in that it also cannot perform policy mapping up the entire 
certificate chain, and also has no concept of how to deal with AIA or SIA 
fields. I'm not sure where the developers are in terms of full RFC 3280 Path 
Validation compliance, but as we also have a need for more full path 
validation, especially a model that will work in a Cross-Certification type 
environment.

It is our intent to be starting to work on this this fall, unless we hear from 
the community that there is already work underway to add in full 3280 
validation to mod_ssl.

(I'll probably take this over to modssl-devel, but since you asked, I thought 
that I would bring it up here.)

Cheers.

On Thursday 31 August 2006 08:53, [EMAIL PROTECTED] wrote:
 All,

 I am working in an environment utilizing a PKI consisting of several
 Root and Intermediate Certificate Authorities. In order to reduce the
 overhead when requiring client authentication using digital
 certificates, I am using the following two directives:

 SSLCACertificatePath – Used for Root and Intermediate CAs
 SSLCARevocationPath – Used to Process Certificate Revocation Lists

 I’ve yet to encounter a version of Apache and Mod_SSL performing proper
 path validation. If a user presents a certificate that is revoked, but
 not included in the directory containing all the PEM/Base64 encoded CRL
 files and associated symbolic links, Apache allows access.

 If a user presents a certificate issued from an Intermediate
 Certificate Authority that is not included in the directory containing
 all the Root and Intermediate CA certificates in PEM/Base64 encoded
 format and associated symbolic links, he/she is allowed access.

 I would prefer the system to validate the entire chain and not allow
 access in the event a local CRL file or Intermediate CA certificate is
 not available. By default, IIS performs this path validation correctly.
 If IIS does not have a current CRL file issued by each and every CA in
 the certificate path, the client is denied access. If IIS does not have
 a certificate from each and every CA in the certificate path, the
 client is denied access.

 I am trying to automate the process of updating the CA certificate
 directory and associated CRL directories by scheduling a job to run on
 a nightly basis. If Apache has a local CRL and CA certificate from each
 and every CA in the path used to issue the client certificates, then
 all checks are performed and the client is properly validated.

 I would prefer the system default to “Closed” instead of “Open” in the
 event an Intermediate CA certificate is unavailable or no CRL file is
 available. Again, the system must have at least one CA certificate
 trusted and available locally, but no CRL files.

 Note: I have issued a client certificate from a client certificate
 issued by one of the Intermediate CAs and Apache does deny access
 because the key usage of the client certificate does not allow it to be
 used as a Root CA and issue additional client certificates. I used
 OpenSSL in order to issue client certificates from a client
 certificate. This type of path validation seems to work on all the
 versions of Apache and Mod_SSL I’ve tested.

 Thanks

-- 
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca


Re: Certificate and CRL Path Validation Error

2006-08-31 Thread Patrick Patterson
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:

 (I'll probably take this over to modssl-devel, but since you asked, I
 thought that I would bring it up here.)


Hmm - I thought there WAS a developers mailing list, but apparently I was 
mistaken - so I guess I have to ask is this the right place to have 
discussions about the best way to add in the capability for mod_ssl to do 
full 3280 path validation?

Thanks.

-- 
Patrick Patterson
President and CEO
Carillon Information Security Inc.
http://www.carillon.ca


error handling if certificate based auth has failed

2006-07-31 Thread André Weidemann

Hi,
is there a way to display an error page in case certificate based 
authentication has failed? I have read the mod_ssl reference page and 
searched the mailing list archive, but have not found any hints.
It would be great to see an error page instead of an empty window or a 
cryptic browser error when a non-authorized user has tried to access a 
location with SSLVerifyClient require.


Thanks for your help.
 André


Re: Mod_proxy and client certificate auth

2006-06-09 Thread Joe Orton
On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:
 I'm trying to get mod_proxy to work as an SSL proxy using a client 
 certificate on the proxy to connect to a backend IIS server that's set up 
 to use any client certificate signed by my OpenSSL-based CA.  
 
 If I use a browser with the same certificate bundled up as a PKCS12 
 bundle, through the proxy, it all works, but what I really need is for 
 Apache/mod_ssl to use a locally stored version of the cert/key to connect, 
 then let the IIS server do its normal basic auth.  That's one single 
 client cert/key for all externally connecting users (yes, I understand 
 the ramification- it's not for user authentication,) not a per-user proxy 
 cert.

There's no way to do this with mod_ssl without modifying the source. 
With httpd 2.2.x (and also I believe mod_ssl-2.8-for-1.3) what you can 
do is to pass through the client's SSL certificate (in PEM format) as a 
request header to the backend, then extract that on the backend server 
and then verify that against a CA cert independently; see 
http://httpd.apache.org/docs/2.2/mod/mod_headers.html#header and the 
%{...}s stuff.  

That is the traditional approach used when passing through client certs 
to Tomcat etc, and doesn't require an SSL connection between proxy and 
backend.  Doing this with an IIS backend might be a challenge.

 Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to 
 bin/envvars.

That affects handling of rfc3820 proxy certificates (which you are not 
using unless you are doing some serious PKI voodoo ;).

joe


Re: Mod_proxy and client certificate auth

2006-06-08 Thread Paul D. Robertson
On Wed, 7 Jun 2006, BJ Swope wrote:

 From everything I've heard and read, mod-proxy will not proxy HTTPS on the
 back like what you are asking.  You can have HTTPS on the front end but not
 on the back.  It will have to be HTTP to the back.
 
 If you get this working I would LOVE to hear how you got it done
 
 

I'm getting end-to-end SSL, just the undesired (this time) effect of 
having the client cert passed all the way through the chain, which I'd 
expect folks to want as normal behavior.

Paul
-
Paul D. Robertson  My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact.
http://fora.compuwar.net  Infosec discussion boards 



Re: Mod_proxy and client certificate auth

2006-06-08 Thread BJ Swope
Guess I've been hearing wrong for 3 years now ;)

Time to go digging...

On 6/8/06, Paul D. Robertson [EMAIL PROTECTED] wrote:
 On Wed, 7 Jun 2006, BJ Swope wrote:
  From everything I've heard and read, mod-proxy will not proxy HTTPS on the back like what you are asking. You can have HTTPS on the front end but not on the back. It will have to be HTTP to the back.
  If you get this working I would LOVE to hear how you got it done

 I'm getting end-to-end SSL, just the undesired (this time) effect of having the client cert passed all the way through the chain, which I'd expect folks to want as normal behavior.

 Paul
 -
 Paul D. Robertson  My statements in this message are personal opinions
 [EMAIL PROTECTED]   which may have no basis whatsoever in fact.
 http://fora.compuwar.net  Infosec discussion boards

-- We are all slave to our own paradigm. -- Joshua Williams


Re: Mod_proxy and client certificate auth

2006-06-07 Thread BJ Swope
From everything I've heard and read, mod-proxy will not proxy HTTPS on
the back like what you are asking. You can have HTTPS on the
front end but not on the back. It will have to be HTTP to the
back.

If you get this working I would LOVE to hear how you got it done

On 6/6/06, Paul D. Robertson [EMAIL PROTECTED] wrote:
 Hi,

 I'm trying to get mod_proxy to work as an SSL proxy using a client certificate on the proxy to connect to a backend IIS server that's set up to use any client certificate signed by my OpenSSL-based CA.

 If I use a browser with the same certificate bundled up as a PKCS12 bundle, through the proxy, it all works, but what I really need is for Apache/mod_ssl to use a locally stored version of the cert/key to connect, then let the IIS server do its normal basic auth. That's one single client cert/key for all externally connecting users (yes, I understand the ramification- it's not for user authentication,) not a per-user proxy cert.

 Here's what I have in my Apache ssl.conf file:

 RequestHeader set Front-End-Https On
 CacheDisable *
 SSLProxyEngine On
 ProxyPass /app https://iisserver/app
 ProxyPassReverse /app https://iisserver/app
 SSLProxyMachineCertificatePath conf/cert
 SSLEngine on

 conf/cert contains user.pem, a .pem cert file with an RSA private key catenated to it. I also have a hash link to the user.pem cert file.

 Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to bin/envvars.

 Can anyone tell me what I'm doing wrong?

 Thanks,

 Paul
 -
 Paul D. Robertson  My statements in this message are personal opinions
 [EMAIL PROTECTED]   which may have no basis whatsoever in fact.

-- We are all slave to our own paradigm. -- Joshua Williams


Mod_proxy and client certificate auth

2006-06-06 Thread Paul D. Robertson

Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client 
certificate on the proxy to connect to a backend IIS server that's set up 
to use any client certificate signed by my OpenSSL-based CA.  

If I use a browser with the same certificate bundled up as a PKCS12 
bundle, through the proxy, it all works, but what I really need is for 
Apache/mod_ssl to use a locally stored version of the cert/key to connect, 
then let the IIS server do its normal basic auth.  That's one single 
client cert/key for all externally connecting users (yes, I understand 
the ramification- it's not for user authentication,) not a per-user proxy 
cert.

Here's what I have in my Apache ssl.conf file:

RequestHeader set Front-End-Https On
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key 
catenated to it.  I also have a hash link to the user.pem cert file.

Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to 
bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,

Paul
-
Paul D. Robertson  My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact.



Re: Apache sends wrong certificate

2006-05-31 Thread Frank van Beek

Hi Cliff,

Cliff Woolley wrote:

You're doing IP-based virtual hosting, not name-based virtual hosting.  
(You only have one virtual host per IP/port combination.)  Thus you 
don't need NameVirtualHost.  If you scroll down in the page you gave, 
you'll see an example of IP-based virtual hosting, and note that it does 
*not* include any NameVirtualHost directives.


Hope this helps,


Thanks for the explanation. I *think* I understand the difference now. :)

The next time we add a new IP-address I'll check if Apache ignores 
invalid DNS PTR records if I remove the NameVirtualHost. This might take 
a while though before this happens.


I'll report my findings back to this list for documentation purposes.


Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:+31 (0)20 672 2488

http://www.waxtrapp.com


Re: Apache sends wrong certificate

2006-05-30 Thread Frank van Beek

Hi Ron,

R. DuFresne wrote:



I'm sure this has been answered, but in case it has not;

You can not virtualize https to more than one host site, you have to have 
real IP addresses for https.


Thanks for your reply.

I understand your confusion. In my post I masked out the first two 
numbers of the IP-addresses.


But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned 
out (see a previous post), our problem was caused by a misconfigured 
reverse DNS.


Frank.

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:+31 (0)20 672 2488

http://www.waxtrapp.com


Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got 
only one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


This worked fine on the old server. But since the move this morning 
Apache sends the certificate for the first VirtualHost to all 4 
IP-addresses. Two of these sites need an additional 
SSLCertificateChainFile, and this file is sent *correctly* depending 
on the IP-address. So Apache does see 4 different VirtualHosts, but 
somehow ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
   Listen xxx.xxx.198.62:443
   NameVirtualHost xxx.xxx.198.62:443

   <VirtualHost xxx.xxx.198.62:443>
   SSLEngine On
   SSLCertificateChainFile  chain1
   SSLCertificateFile       crt1
   SSLCertificateKeyFile    key1
   </VirtualHost>

   Listen xxx.xxx.198.61:443
   NameVirtualHost xxx.xxx.198.61:443

   <VirtualHost xxx.xxx.198.61:443>
   SSLEngine On
   SSLCertificateChainFile  chain2
   SSLCertificateFile       crt2
   SSLCertificateKeyFile    key2
   </VirtualHost>

   Listen xxx.xxx.198.63:443
   NameVirtualHost xxx.xxx.198.63:443

   <VirtualHost xxx.xxx.198.63:443>
   SSLEngine On
   SSLCertificateFile       crt3
   SSLCertificateKeyFile    key3
   </VirtualHost>

   Listen xxx.xxx.198.64:443
   NameVirtualHost xxx.xxx.198.64:443

   <VirtualHost xxx.xxx.198.64:443>
   SSLEngine On
   SSLCertificateFile       crt4
   SSLCertificateKeyFile    key4
   </VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that 
system to the same version (2.0.58) and copied httpd.conf to that 
machine. The above configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state 
-connect and I do see some relevant differences, but I've been unable 
to interpret them.


I know this report lacks a lot of possibly relevant details. But I 
didn't want to send the whole httpd.conf and all of the terminal 
output to this list.


Is there an obvious mistake in my configuration? Or have I stumbled on 
a bug in Apache 2.0.58?


Met groet,

Frank.



-- ~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker


Re: Apache sends wrong certificate

2006-05-30 Thread Cliff Woolley
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
 I understand your confusion. In my post I masked out the first two numbers of the IP-addresses.
 But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned out (see a previous post), our problem was caused by a misconfigured reverse DNS.

I'm glad you figured it out, but it's still a little bit unclear to me why the DNS should have had any effect.

The NameVirtualHost directives in the config snippet you posted are
extraneous and should be removed. I wonder if you'd gotten rid of
those if the problem would have gone away regardless of DNS.

Hmm...

--Cliff



Re: Apache sends wrong certificate

2006-05-30 Thread Frank van Beek

Hey Cliff,

Cliff Woolley wrote:


On 5/30/06, *Frank van Beek* wrote:

I understand your confusion. In my post I masked out the first two
numbers of the IP-addresses.
But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
out (see a previous post), our problem was caused by a misconfigured
reverse DNS.



I'm glad you figured it out, but it's still a little bit unclear to me 
why the DNS should have had any effect.


The NameVirtualHost directives in the config snippet you posted are 
extraneous and should be removed.  I wonder if you'd gotten rid of those 
if the problem would have gone away regardless of DNS.


I checked a couple of pages on VirtualHosts in the Apache documentation. 
As far as I can see in the examples in most of them there is a 
NameVirtualHost for every VirtualHost, even when it's running on a 
different port.


See the examples here:

  http://httpd.apache.org/docs/2.0/vhosts/examples.html

I don't know enough about Apache configuration to know when you need 
both, so could you please explain to me why in our configuration the 
NameVirtualHost directives are extraneous?



Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:+31 (0)20 672 2488

http://www.waxtrapp.com


Re: Apache sends wrong certificate

2006-05-30 Thread Cliff Woolley
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
 I checked a couple of pages on VirtualHosts in the Apache documentation. As far as I can see in the examples in most of them there is a NameVirtualHost for every VirtualHost, even when it's running on a different port.
 See the examples here: http://httpd.apache.org/docs/2.0/vhosts/examples.html

All of the examples on that page that use NameVirtualHost are actually *doing* name-based virtual hosting, which is where you have multiple virtual hosts with the same IP/port combination (thus the only thing that distinguishes them is their name, as given in the Host: HTTP header).

You're doing IP-based virtual hosting, not name-based virtual hosting. (You only have one virtual host per IP/port combination.) Thus you don't need NameVirtualHost. If you scroll down in the page you gave, you'll see an example of IP-based virtual hosting, and note that it does *not* include any NameVirtualHost directives.

Hope this helps,

--Cliff


Re: Apache sends wrong certificate

2006-05-29 Thread Frank van Beek

Hi all,

Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got only 
one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


Today we discovered the cause of our problems. Our new hosting provider 
had invalid reverse DNS records:


-
% dig -x xxx.xxx.198.61

-- snip --
;; ANSWER SECTION:
61.198.xxx.xxx.in-addr.arpa. 900 IN PTR .
-- snip --

-

After they changed their DNS, all we had to do was restart Apache to 
make it function correctly.


With many thanks to ssh on Mac OS X which reported: "Nasty PTR record is set up for xxx.xxx.198.61, ignoring."


That's what gave us a clue that it might be reverse DNS related.

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:+31 (0)20 672 2488

http://www.waxtrapp.com


Re: Apache sends wrong certificate

2006-05-29 Thread R. DuFresne




I'm sure this has been answered, but in case it has not;

You can not virtualize https to more than one host site, you have to have 
real IP addresses for https.


Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of these 
websites uses a certificate for https connections. We've got only one Apache 
instance running with 4 virtual hosts on 4 different IP-addresses.


This worked fine on the old server. But since the move this morning Apache 
sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of 
these sites need an additional SSLCertificateChainFile, and this file is sent 
*correctly* depending on the IP-address. So Apache does see 4 different 
VirtualHosts, but somehow ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
   Listen xxx.xxx.198.62:443
   NameVirtualHost xxx.xxx.198.62:443

   <VirtualHost xxx.xxx.198.62:443>
   SSLEngine On
   SSLCertificateChainFile  chain1
   SSLCertificateFile       crt1
   SSLCertificateKeyFile    key1
   </VirtualHost>

   Listen xxx.xxx.198.61:443
   NameVirtualHost xxx.xxx.198.61:443

   <VirtualHost xxx.xxx.198.61:443>
   SSLEngine On
   SSLCertificateChainFile  chain2
   SSLCertificateFile       crt2
   SSLCertificateKeyFile    key2
   </VirtualHost>

   Listen xxx.xxx.198.63:443
   NameVirtualHost xxx.xxx.198.63:443

   <VirtualHost xxx.xxx.198.63:443>
   SSLEngine On
   SSLCertificateFile       crt3
   SSLCertificateKeyFile    key3
   </VirtualHost>

   Listen xxx.xxx.198.64:443
   NameVirtualHost xxx.xxx.198.64:443

   <VirtualHost xxx.xxx.198.64:443>
   SSLEngine On
   SSLCertificateFile       crt4
   SSLCertificateKeyFile    key4
   </VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that system 
to the same version (2.0.58) and copied httpd.conf to that machine. The above 
configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state -connect and I 
do see some relevant differences, but I've been unable to interpret them.


I know this report lacks a lot of possibly relevant details. But I didn't 
want to send the whole httpd.conf and all of the terminal output to this 
list.


Is there an obvious mistake in my configuration? Or have I stumbled on a bug 
in Apache 2.0.58?


Met groet,

Frank.



-- 
~~

admin & senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker


Apache sends wrong certificate

2006-05-24 Thread Frank van Beek

Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got only 
one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


This worked fine on the old server. But since the move this morning 
Apache sends the certificate for the first VirtualHost to all 4 
IP-addresses. Two of these sites need an additional 
SSLCertificateChainFile, and this file is sent *correctly* depending on 
the IP-address. So Apache does see 4 different VirtualHosts, but somehow 
ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443

<VirtualHost xxx.xxx.198.62:443>
SSLEngine On
SSLCertificateChainFile  chain1
SSLCertificateFile       crt1
SSLCertificateKeyFile    key1
</VirtualHost>

Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443

<VirtualHost xxx.xxx.198.61:443>
SSLEngine On
SSLCertificateChainFile  chain2
SSLCertificateFile       crt2
SSLCertificateKeyFile    key2
</VirtualHost>

Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443

<VirtualHost xxx.xxx.198.63:443>
SSLEngine On
SSLCertificateFile       crt3
SSLCertificateKeyFile    key3
</VirtualHost>

Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443

<VirtualHost xxx.xxx.198.64:443>
SSLEngine On
SSLCertificateFile       crt4
SSLCertificateKeyFile    key4
</VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that 
system to the same version (2.0.58) and copied httpd.conf to that 
machine. The above configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state -connect 
and I do see some relevant differences, but I've been unable to 
interpret them.


I know this report lacks a lot of possibly relevant details. But I 
didn't want to send the whole httpd.conf and all of the terminal output 
to this list.


Is there an obvious mistake in my configuration? Or have I stumbled on a 
bug in Apache 2.0.58?


Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:+31 (0)20 672 2488

http://www.waxtrapp.com
[EMAIL PROTECTED]


make certificate hangs

2005-10-01 Thread Matthias Teege
Moin,

I've set up mod_ssl with Apache. I've followed the example from
modssl.org. Then I try make certificate type=custom and it hangs at
this point:

Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK

After that I made make certificate type=test and it hangs at:

Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/[EMAIL PROTECTED]
error 10 at 1 depth lookup:certificate has expired
OK

How can I debug this issue?

Matthias



Re: make certificate hangs

2005-10-01 Thread Cliff Woolley
make certificate is largely deprecated at this point, as far as I'm
concerned... it doesn't even ship with Apache 2.0 + mod_ssl.  The
expiration could be considered a bug in Apache 1.3's mod_ssl, but IMO
the best thing for you to do is to follow the steps in the mod_ssl
documentation for creating your own self-signed certificate using
openssl by hand.  The documentation isn't perfect, but that route is
still probably the best option right now that I know of.


Grr.. where is my CA's Certificate file?

2005-09-30 Thread Pigeon
Hello, I am trying to set up Apache to use a PKI (I think that is what it is 
called)... So each client will have to already have a public key to have 
access to my 'secure' Apache server. I might hand out 5 of these public 
keys, and I want only those users to have access to this server.


My issue is this.. I cannot find my CA's certificate file (so I can tell 
ssl.conf about it via SSLCACertificateFile).


I have run  CA.pl -newca and then it creates these files:


--

[EMAIL PROTECTED] demoCA]# ls
cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old 
newcerts  private  serial

[EMAIL PROTECTED] demoCA]# ls -R
.:
cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old 
newcerts  private  serial


./certs:

./crl:

./newcerts:
EC895C0D3F2DC916.pem

./private:
cakey.pem
[EMAIL PROTECTED] demoCA]#

--

But now where is the file I tell ssl.conf about via SSLCACertificateFile?


Sorry to bother you all, but I have been trying to find this out nearly all 
day.. without success :(


thanks for any input!
Lee 


RE: export client certificate CN?

2005-08-23 Thread Hoda Nadeem
Add the following lines to your httpd configuration: 

JkEnvVar SSL_CLIENT_S_DN none

JkEnvVar SSL_CLIENT_CERT none

This will make the client cert and distinguished name available through Apache 
environment variables.

Then in Java (within a JSP/servlet):

String DN = (String) request.getAttribute("SSL_CLIENT_S_DN"); // can also get the whole cert: SSL_CLIENT_CERT

And parse out the common name.

Nadeem






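As an added example of the "parse out the common name" step (this is not code from the post above), here is a POSIX shell function that pulls the CN out of an SSL_CLIENT_S_DN value in either of the two formats mod_ssl has used: the legacy OpenSSL oneline form /C=.../CN=... that this thread sees, and the RFC 2253 form CN=...,O=...,C=... that httpd 2.3.11 and later emit by default. The sample DN values are constructed; mod_ssl also exports the component directly as SSL_CLIENT_S_DN_CN, which avoids parsing altogether.

```shell
#!/bin/sh
# Added example, not code from the list post. Extracts the CN from the value
# mod_ssl puts in SSL_CLIENT_S_DN. Two formats exist:
#   legacy (OpenSSL "oneline", what this 2005 thread sees): /C=US/O=Example/CN=alice
#   RFC 2253 (httpd 2.3.11 and later):                       CN=alice,O=Example,C=US
# In the legacy form a "/" inside a value cannot be told from a separator, so a
# legacy DN that yields more than one CN is rejected rather than guessed at.
# Exit status: 0 = CN printed, 1 = no CN present, 2 = ambiguous legacy DN.
cn_from_dn() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        if (substr(line, 1, 1) == "/") { sep = "/"; line = substr(line, 2) }
        else sep = ","
        n = 0; tok = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (sep == "," && c == "\\")        # RFC 2253 escape: keep next char literally
                tok = tok substr(line, ++i, 1)
            else if (c == sep) { parts[++n] = tok; tok = "" }
            else tok = tok c
        }
        parts[++n] = tok
        cns = 0
        for (i = 1; i <= n; i++)
            if (substr(parts[i], 1, 3) == "CN=" && cns++ == 0) cn = substr(parts[i], 4)
        if (cns == 0) exit 1
        if (cns > 1 && sep == "/") exit 2
        print cn
    }'
}

# Constructed sample values, as JkEnvVar SSL_CLIENT_S_DN would hand them to Tomcat.
for dn in '/C=US/O=Example Inc/CN=alice' \
          'CN=alice,O=Example Inc,C=US' \
          'CN=Smith\, John,O=Example Inc,C=US' \
          '/O=Example Inc/CN=admin/CN=alice' \
          'O=Example Inc,C=US'; do
    if cn=$(cn_from_dn "$dn"); then
        printf '%-40s -> CN=%s\n' "$dn" "$cn"
    else
        printf '%-40s -> rejected (no CN, or ambiguous legacy DN)\n' "$dn"
    fi
done
```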

export client certificate CN?

2005-08-22 Thread August West
I am currently using mod_ssl to verify client certs.
are issued by trusted CAs (e.g. SSLVerifyClient
require), but then using username/password for
application identification/authorization, passing this
to Oracle via Tomcat using JAVA.  However, I'd like to
be able to use client certs. for I/A by exporting the
CN (or perhaps serial number) when verifying.  I have
tried to add SSLOptions +ExportCertData, but I am
not sure where this data is being exported to!  This
seemed like the appropriate SSL Option to be able to
parse the cert data, but please correct me if I am
wrong.  Does anyone have any implementation
suggestions exporting the CN from client certs,
particularly for retrieving this information with
JAVA?
TIA!



Re: export client certificate CN?

2005-08-22 Thread Andrew Musselman
I am trying to use mod_auth_ldap with apache2, and I am having trouble
figuring out how to generate a trusted Certificate Authority
certificate.  I tried using the Netscape certificate database file as
the apache docs suggest, but I'm still getting a complaint from LDAP
that "LDAP: ssl connections not supported".

Can I use openssl to make a DER_FILE or a BASE64_FILE?  Has anyone here
had experience getting this to work?

Thanks for your time.

Best,
Andrew

I am totally lost on this.  I appreciate any help 

Andrew Musselman
[EMAIL PROTECTED]


RE: export client certificate CN?

2005-08-22 Thread Gaydosh, Adam
I am trying to use mod_auth_ldap with apache2, and I am having 
trouble figuring out how to generate a trusted Certificate 
Authority certificate.  I tried using the Netscape certificate 
database file as the apache docs suggest, but I'm still 
getting a complaint from LDAP that LDAP: ssl connections not 
supported.

Not sure, but this sounds like you haven't enabled SSL, not that it can't
negotiate the session. 

Can I use openssl to make a DER_FILE or a BASE64_FILE?  Has 
anyone here had experience getting this to work?

Here's how I've generated server cert requests (PKCS #10, which works
fine with Netscape):
openssl req -config openssl.cnf -new -out hostname.csr
openssl rsa -in privkey.pem -out hostname.key

Then you'll need to point Apache to the right certs:
SSLCertificateFile /server.crt
SSLCertificateKeyFile /server.key
SSLCACertificateFile /CA.crt

If you want to generate the certs yourself rather than submit the CSRs
to a CA:
openssl x509 -in hostname.csr -out hostname.crt -req -signkey hostname.key -days 365
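As an added example (not code from any of these posts), the following shell script rebuilds what CA.pl -newca leaves behind (cacert.pem is the CA certificate Lee was looking for for SSLCACertificateFile; private/cakey.pem is its key), signs a server request the way Adam describes, and then checks which certificates actually verify against that CA. The directory, key sizes and subject names are made up, and the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not code from any of the list posts): rebuild the files that
# "CA.pl -newca" leaves behind (cacert.pem = the CA certificate, private/cakey.pem
# = its key), sign a server request the way the thread does, and check which
# certificates verify against that CA. Names and subjects below are made up.
# Requires the openssl command-line tool; everything lands in a scratch dir.
set -eu

WORK="${TMPDIR:-/tmp}/democa.$$"
mkdir -p "$WORK/private" "$WORK/newcerts"
cd "$WORK"

# 1. The CA itself: a self-signed certificate. cacert.pem is the file that
#    SSLCACertificateFile must point at; private/cakey.pem never leaves this box.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=XY/O=Demo CA Ltd/CN=Demo Root CA" \
        -keyout private/cakey.pem -out cacert.pem 2>/dev/null
}

# 2. Server key plus PKCS #10 request (-nodes: unencrypted key, so httpd starts
#    without a pass phrase prompt; protect it with file permissions instead).
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=XY/O=Demo Server/CN=www.example.test" \
        -keyout hostname.key -out hostname.csr 2>/dev/null
}

# 3a. CA-signed certificate: what goes into SSLCertificateFile.
ca_sign() {
    openssl x509 -req -in hostname.csr -CA cacert.pem -CAkey private/cakey.pem \
        -CAcreateserial -days 365 -sha256 -out hostname.crt 2>/dev/null
}

# 3b. The self-signed alternative from the thread: signed with the server's own
#     key (-signkey), so no CA vouches for it.
self_sign() {
    openssl x509 -req -in hostname.csr -signkey hostname.key -days 365 \
        -sha256 -out selfsigned.crt 2>/dev/null
}

# Succeeds only if the certificate chains to cacert.pem: the same check mod_ssl
# makes on a client certificate against SSLCACertificateFile.
verify_against_ca() {
    openssl verify -CAfile cacert.pem "$1" >/dev/null 2>&1
}

# Subject DN in the legacy "/C=.../CN=..." form that the threads quote.
subject_of() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

make_ca
make_server_csr
ca_sign
self_sign

echo "SSLCACertificateFile -> $WORK/cacert.pem"
echo "server subject       -> $(subject_of hostname.crt)"
if verify_against_ca hostname.crt; then
    echo "hostname.crt: issued by the CA, verify OK"
fi
if ! verify_against_ca selfsigned.crt; then
    echo "selfsigned.crt: not issued by the CA, verify fails (expected)"
fi
```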


access restriction based on RFC3280/4.2 'Certificate Extensions'

2005-08-08 Thread Pitrich, Karl
Hi,

is it somehow possible to restrict access to 
a httpd2/mod_ssl based on the presence
of an extended attribute with a specific OID 
in the client's certificate?

I was unsuccessful looking that up in the docs or ml-archive.


thank you for any hint,

 / pit


Re: access restriction based on RFC3280/4.2 'Certificate Extensions'

2005-08-08 Thread Mads Toftum
On Mon, Aug 08, 2005 at 02:26:37PM +0200, Pitrich, Karl wrote:
 Hi,
 
 is it somehow possible to restrict access to 
 a httpd2/mod_ssl based on the presence
 of an extended attribute with a specific OID 
 in the client's certificate?
 
There is some support for that in the very latest httpd dev tree - see
http://mail-archives.apache.org/mod_mbox/httpd-cvs/200507.mbox/[EMAIL PROTECTED]

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: certificate weirdness

2005-07-27 Thread Matt Stevenson
Hello Vlad,

You are trying to use NameVirtualHost for ssl which
will not work. Basically which cert does it use? The
ssl connection needs to be set up before the site name
(hence virtual host and cert) can be established by
apache.

You'll need two IPs, or use different ports (yuck).

Regards
Matt


Re: certificate weirdness

2005-07-27 Thread Vlad Ciubotariu
I've finally got it to work.  I possibly see why it didn't work in the first
place.

Mod_ssl handles encryption before httpd even sees the URL. Thus I can't set
certificates in directory or name-based virtual containers.

Thanks!



certificate weirdness

2005-07-26 Thread Vlad Ciubotariu
I'm doing something wrong in my config file.  For some reason, when
pointed to https://calendar.mydomain.ca the browser tells me the
security certificate belongs to mail.mydomain.ca even though the two
domains have been configured with different certificates.

Could anyone shed some light, please? Thanks in advance.

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

...

NameVirtualHost *:80
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
Redirect / https://mail.mydomain.org/
</VirtualHost>

<VirtualHost *>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
Redirect / https://calendar.mydomain.org/
</VirtualHost>


##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>

<IfModule mod_ssl.c>

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  sem

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512
SSLRandomSeed startup file:/dev/arandom  512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog  logs/ssl_engine_log
SSLLogLevel info

</IfModule>

<IfDefine SSL>

##
## SSL Virtual Host Context
##

<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
SSLEngine on
SSLCertificateFile    /etc/ssl/webmail.crt
SSLCertificateKeyFile /etc/ssl/private/webmail.key
<Location />
  SSLRequireSsl
</Location>
</VirtualHost>

<VirtualHost *:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
SSLEngine on
SSLCertificateFile    /etc/ssl/calendar.crt
SSLCertificateKeyFile /etc/ssl/private/calendar.key
<Location />
  SSLRequireSsl
</Location>
<Directory /var/www/virthosts/calendar>
Order allow,deny
Allow from all
</Directory>
<Location /cgi-bin/>
SetHandler perl-script
PerlHandler Apache::Registry
#PerlHandler Apache::PerlRun
Options ExecCGI
PerlSendHeader On
</Location>
</VirtualHost>
#
<VirtualHost _default_:443>
#  General setup for the virtual host
#DocumentRoot /var/www/htdocs
#ServerName new.host.name
#ServerAdmin [EMAIL PROTECTED]
#ErrorLog logs/error_log
#TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time.
SSLCertificateFile    /etc/ssl/server.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile /etc/ssl/private/server.key

#   Certificate Authority (CA):
#   Set the CA

Client certificate expiry handling

2005-07-01 Thread Matt Stevenson
Hi,

I know this has been raised before but please read on.

Currently AFAIK client certificate expiry checking is
done by openssl and the connection is terminated
before apache comes into play, hence no error page can
be sent. This is a problem as IE doesn't tell the user
the client certificate is expired. Hence the user
experiences a horrible disconnect page (not nice for
issue tracking either as it's pretty generic).

Both Netscape and IIS can send back an error to the
browser under this condition. The company I work for
would also like apache to be able to do this. There is
a good possibility that the changes would be funded.

I'm looking for someone who has experience with
apache/mod_ssl/openssl to give an idea on the
feasibility and a time estimate to do the work.
Suggestions on who could do this are also welcome.

Regards
Matt





Re: certificate and authentication re-prompting

2005-06-22 Thread Daniel Kimblad



Could be your browser settings. If you're running Firefox go to
the menu Tools > Options. Select Advanced and scroll down to
the Certificates area. Set Client Certificate Selection to Select
Automatically. This is often the cause of such behaviour. Hope this helps.

Best regards
/Daniel



certificate and authentication re-prompting

2005-06-21 Thread C T




I need some advice/help.
I am running...well my web host service is running...
Apache/2.0.46 (Red Hat) Server
openssl-0.9.7a-33.12 
mod_ssl-2.0.46-44.ent
Also, I was originally set up through some kind of "virtual hosting", but I 
paid extra for SSL, and I have a httpsdocs folder. (if you can't tell I'm new to 
this)
I also use .htaccess with .htpasswd for user authentication.
Everything seems to be working fine, but my problem is...
I can enter my domain with the https://. OK
I get prompted to accept the certificate, and I get prompted for the 
username/password. OK
The problem surfaces when I begin to browse around in the https area. Sooner 
or later I will get re-prompted to accept the certificate and enter my 
username/password, again.
I don't know why it does this, and my web hosting service can't seem to 
explain it either.
I've reproduced the error on more than 4 computers.
I can't find anything that would cause my browser session to expire, in 
mid-session.
Can anyone help me or give me a direction to go in?
Be kind, I'm new to Apache and mod_ssl.
Thanks,
Craig 
[EMAIL PROTECTED]


client certificate problems

2005-01-11 Thread john mcnicholas

In short I'm working on duplicating a web site locally for testing and 
I am unable to get Client certificates to work here in my lab.  

The main/public site is using apache 1.3.33 on OS X and is properly 
configured for client certs, but I can't get this test configuration 
to work. I am using Apache 2.0.52 so that could be a factor.  
(if necessary, I will try to reconfigure with 1.3.33)

The client browser is IE 6.x and what is odd is when I navigate to the
main/public site I am prompted to select a certificate, but when
I  navigate to the test site IE 6.x just times out.  For that reason
I am suspicious of the apache configuration but I can't be certain.

I tried with FireFox (1.0) and it also timed out. Firefox is 
configured to ask every time for client cert. selection and
like IE, I am not prompted.

(I'm also suspicious as to why I can't select the client certificate 
from the IE dialog for the test site - only the certificate for the 
public site is listed.)

The virtual host configuration is listed below (ssl.conf was 
unchanged for 2.0.52) and the error in the ssl.log is also listed 
below.  If anyone could offer any troubleshooting tips that would 
be greatly appreciated.

Thanks for your time and assistance.

John

//-

Additional information:

Version: Apache/2.0.52
OS:  Mac OS X 10.3.7

//-

// here is the log of the error:

[info] Initial (No.1) HTTPS request received for child 5 (server 
www.apollo.home:443)
[debug] ssl_engine_kernel.c(422): Changed client verification type will 
force renegotiation
[info] Requesting connection re-negotiation
[debug] ssl_engine_kernel.c(650): Performing full renegotiation: 
complete handshake protocol
[info] Awaiting re-negotiation handshake
[debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1764): OpenSSL: Loop: before accept 
initialization
[debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 5 bytes expected to 
read on BIO#1280be0 [mem: 7f7000]
[debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2 read 
client hello B
[error] Re-negotiation handshake failed: Not accepted by client!?


//-

// here is the virtual host info:

<VirtualHost www.apollo.home:443>
 DocumentRoot /some_directory/ssl_site
 ServerAdmin [EMAIL PROTECTED]
 ServerName www.apollo.home
 LogLevel warn
 # LogLevel debug

 SetEnvIf User-Agent .*MSIE.* \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

 #   Per-Server Logging:

 CustomLog  logs/apollo/443.access.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 ErrorLog   logs/apollo/443.error.log
 DirectoryIndex index.html
 <IfModule mod_ssl.c>
 #
 #  ssl stuff
 #
 SSLEngine On
 SSLProtocol all -SSLv3
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 #
 #
 LogLevel debug
 ErrorLog logs/apollo/ssl.log
 SSLOptions +StdEnvVars +ExportCertData

 #
 #
 # path to certificates and private key
 #
 SSLCertificateFile    /some_directory/openssl/servers/www.apollo.home.cert.pem
 SSLCertificateKeyFile /some_directory/openssl/servers/www.apollo.home.key.unencrypted

 SSLCACertificateFile  /some_directory/openssl/private/CA-1.cert.pem
 </IfModule>

 <Location /secure_dir>
 SSLVerifyClient require
 SSLVerifyDepth  3
 </Location>

</VirtualHost>




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


More certificate problems

2004-06-17 Thread richard skeggs
I am having problems signing the certificate

I can successfully generate the RSA private key using the command
openssl genrsa -des3 -out server.key 1024

I can create a CSR file using
openssl req -new -key server.key -out server.csr

I can even generate the RSA private key for the CA
openssl genrsa -des3 -out ca.key 1024

I have even created the self-signed certificate using
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

When I try and run the shell script sign.sh I get as far as
Sign the certificate? [y/n]
to which I answer 'y'

The reply I get back from the script is

'failed to update database'
'TT_DB error number 2'
'unable to load certificate'
'16129:error:0906D06C:PEM routines:PEM_read_bio: no start
line:pem_lib.c:632 Expecting TRUSTED CERTIFICATE'

I obviously find that the server.crt is empty. I would appreciate some
help with this problem

Thanks

Richard Skeggs




The sign.sh shell script I am using is shown below

#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT=`echo $CSR | sed -e 's/\.csr/.crt/'` ;;
        * ) CERT=$CSR.crt ;;
esac

#   make sure environment exists (note: these checks use the current
#   directory, while the config written below points at /etc/ssl)
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca             = CA_own
[ CA_own ]
dir                    = /etc/ssl
certs                  = /etc/ssl/certs
new_certs_dir          = /etc/ssl/ca.db.certs
database               = /etc/ssl/ca.db.index
serial                 = /etc/ssl/ca.db.serial
RANDFILE               = /etc/ssl/ca.db.rand
certificate            = /etc/ssl/certs/ca.crt
private_key            = /etc/ssl/private/ca.key
default_days           = 365
default_crl_days       = 30
default_md             = md5
preserve               = no
policy                 = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
EOT

#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT

#  cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#  die gracefully
exit 0




Certificate Problems

2004-06-16 Thread Richard Skeggs

I am trying to set up ssl on my server and I have been through what I believe are the correct settings. When I run the command line script 'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get an error message. However when trying to start apache using the startssl switch the following error turns up in the ssl_error_log

[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request 


I have also been able to successfully run the command 'curl https://eghapp'. However when I try to run 'https://eghapp' through the browser I get an error saying that the DNS server cannot be found. On checking, nothing gets written to any of the ssl log files.

Does anyone know how I can resolve this?


Thanks


Richard Skeggs
Software Engineer
Mobius Management Systems
Cavendish House
5 The Avenue
Egham
Surrey
TW20 9AB
Tel: +44 (0) 1784 484700
Mobile: + 44 (0) 7971 608315
email: [EMAIL PROTECTED]
 





RE: Certificate Problems

2004-06-16 Thread Boyle Owen
Plain text please...

If you got an error in the ssl error-log then apache must be running.
The invalid method error is exactly that - the HTTP method wasn't GET,
POST etc... What request were you making when you got the error?
Cross-check the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that the browser cannot resolve eghapp to an IP
address while curl, apparently, can. No idea why - depends on OS,
browser version, config etc. (eg, if the browser goes via a proxy, the
proxy will not see a local /etc/hosts definition of eghapp). 

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache
1.3 or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.



-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 June 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' I don't appear to
get an error message. However when trying to start apache using the
startssl switch the following error turns up in the ssl_error_log
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) 
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) 
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method
in request 
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking, nothing gets written to any of the ssl log files.
Does anyone know how I can resolve this? 
Thanks 
Richard Skeggs 
Software Engineer 
Mobius Management Systems 
Cavendish House 
5 The Avenue 
Egham 
Surrey 
TW20 9AB 
Tel: +44 (0) 1784 484700 
Mobile: + 44 (0) 7971 608315 
email: [EMAIL PROTECTED]

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 




FW: Certificate Problems

2004-06-16 Thread richard skeggs
Thanks for the response. To explain a bit more: the error I see in the log
file only gets written when I start apache using apachectl startssl; the
message written to ssl_error_log is:

[Wed Jun 16 10:59:48 2004] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?) [Wed Jun 16 10:59:48 2004]
[warn] RSA server certificate CommonName (CN) `localhost.localdomain' does
NOT match server name!? [Wed Jun 16 10:59:50 2004] [warn] RSA server
certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Wed Jun
16 10:59:50 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!?

As for the request I was making, it was simply to get the home page of
eghapp

Using the url http://eghapp:8000 through my browser I get to view the home
page of eghapp

However https://eghapp:8000 I get the following log message  from
error_log: [Wed Jun 16 11:08:05 2004] [error] [client 10.14.2.8] Invalid
method in request!L!!  From access_log: 10.14.2.8 - -
[16/Jun/2004:11:07:38 +0100]  L 501 1007 Nothing gets written to the ssl
message files. The browser returns

Cannot find server or DNS Error
Internet Explorer

I am trying to install ssl on the eghapp server which is a RedHat9 linux
box. An extract from the hosts file on eghapp is:

127.0.0.1   localhost loghost
10.14.1.150 eghapp

An extract from the httpd.conf file is shown below
Listen 8000
NameVirtualHost 10.14.1.150

<VirtualHost 10.14.1.150>
ProxyPass /esav http://eghsnap1:8081/esav
ProxyPassReverse /esav http://eghsnap1:8081/esav
ProxyPass /ddrint http://eghsnap2:8081/ddrint
ProxyPassReverse /ddrint http://eghsnap2:8081/ddrint
ProxyPass /vnc http://eghsnap1:80/vnc
ProxyPassReverse /vnc http://eghsnap1:80/vnc
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/html
ServerName eghapp
ErrorLog logs/error_log
CustomLog logs/access_log common
#</VirtualHost>


SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
SSLCertificateFile /etc/httpd/server.csr
SSLCertificateKeyFile /etc/httpd/server.key
</VirtualHost>

For your information I am running
   Apache 2.0.4.0
   IE 6.0.2

Richard


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Boyle Owen
Sent: 16 June 2004 10:20
To: [EMAIL PROTECTED]
Subject: RE: Certificate Problems


Plain text please...

If you got an error in the ssl error-log then apache must be running. The
invalid method error is exactly that - the HTTP method wasn't GET, POST
etc... What request were you making when you got the error? Cross-check
the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that the browser cannot resolve eghapp to an IP address
while curl, apparently, can. No idea why - depends on OS, browser version,
config etc. (eg, if the browser goes via a proxy, the proxy will not see a
local /etc/hosts definition of eghapp).

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache 1.3
or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.



-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 June 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' I don't appear to get
an error message. However when trying to start apache using the startssl
switch the following error turns up in the ssl_error_log [Tue Jun 15
15:11:04 2004] [warn] RSA server certificate is a CA certificate
(BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:11:07
2004] [warn] RSA server certificate is a CA certificate (BasicConstraints:
CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN)
`localhost.localdomain' does NOT match server name!? [Tue Jun 15 15:26:34
2004] [error] [client 10.14.1.150] Invalid method in request
I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking the nothing gets written to any

Cannot find peer certificate chain

2004-05-14 Thread Erwin Huber
Dear all
I'm using the following components:
   * apache 1.3.29
   * mod_ssl 2.8.16-1.3.29
   * openssl 0.9.7d
   * mm 1.3.0
   * Solaris 8
I've configured: SSLSessionCache 
shmcb:/opt/slt/ses/apache/run/ssl_scache(512000)

The problem only occurs if we use client certs. If we do multiple requests 
on the same ssl session then I get an error the *first time* the request is 
handled by the *same* apache child that has stored the SSL session ID in 
the cache. All other children can access the cache without problems.

trace output in ssl_engine_log (debug level does not provide better info):
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: start
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: before/accept 
initialization
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read client hello 
A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write server 
hello A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write change 
cipher spec A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 write finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 flush data
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Loop: SSLv3 read finished A
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Handshake: done
[21/Apr/2004 09:48:18 01201] [info] Connection: Client IP: 192.168.167.99, 
Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[21/Apr/2004 09:48:18 01201] [info] Initial (No.1) HTTPS request received 
for child 0 (server airlock_baumi.ergon.ch:4442)
[21/Apr/2004 09:48:18 01201] [trace] Changed client verification type will 
force quick renegotiation
[21/Apr/2004 09:48:18 01201] [info] Requesting connection re-negotiation
[21/Apr/2004 09:48:18 01201] [trace] Performing quick renegotiation: just 
re-verifying the peer
[21/Apr/2004 09:48:18 01201] [error] Cannot find peer certificate chain
[21/Apr/2004 09:48:18 01201] [trace] OpenSSL: Write: SSL negotiation 
finished successfully
[21/Apr/2004 09:48:18 01201] [info] Connection to child 0 closed with 
standard shutdown (server airlock_baumi.ergon.ch:4442, client 
192.168.167.99)

I wonder about the Cannot find peer certificate chain and then the SSL 
negotiation finished successfully. hmmm.

If we use dbm instead of shmcb then this problem does not occur.
I had a look at the source code.
ssl_engine_kernel.c, line 963:
    ssl_log(r->server, SSL_LOG_TRACE,
            "Performing quick renegotiation: just re-verifying the peer");
    certstack = SSL_get_peer_cert_chain(ssl);
    cert = SSL_get_peer_certificate(ssl);
    if (certstack == NULL && cert != NULL) {
        /* client certificate is in the SSL session cache, but
           there is no chain, since ssl3_get_client_certificate()
           sk_X509_shift()'ed the peer certificate out of the
           chain. So we put it back here for the purpose of quick
           renegotiation. */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
    if (certstack == NULL || sk_X509_num(certstack) == 0) {
        ssl_log(r->server, SSL_LOG_ERROR,
                "Cannot find peer certificate chain");
        return FORBIDDEN;
    }

If I omit the check on certstack == NULL with the following change:
    if (cert != NULL) {
        /* client certificate is in the SSL session cache, but
           there is no chain, since ssl3_get_client_certificate()
           sk_X509_shift()'ed the peer certificate out of the
           chain. So we put it back here for the purpose of quick
           renegotiation. */
        certstack = sk_new_null();
        sk_X509_push(certstack, cert);
    }
then the error does not occur.
Since there was no change in ssl_engine_kernel.c in version 2.8.17-1.3.31
I do not expect that this behaviour has changed. Of course I will do the
tests again with updated apache and mod_ssl.

My question is now:
Does anybody know about a problem in this area?
What are the side-effects of my code change?
You can see the details also here: http://cvs.ossp.org/tktview?tn=46
thanks for any ideas and replies
Erwin Huber


Client certificate verification Error handling in apache2 with mod_ssl

2004-04-15 Thread Lamot Michael



Hello,

Does mod_ssl support any type of error handling for the client certificate
authentication? I'd really like to have another page load than a
"server not found" one when a client presents an invalid certificate.

If not, is it possible to bypass some verifications such as the cert date,
so my servlet engine can check that itself and display an appropriate error
page instead of the "server not found" one? So Apache would just take the
certificate, not check anything, export it, and I'll handle all cert related
errors somewhere else.

Thanks,

Michael Lamot




RE: Expired CA Certificate

2004-02-11 Thread Florian Yanez
We recently had a problem with our Verisign Intermediate CA Certificate.
This link (https://www.verisign.com/support/site/caReplacement.html) points
to how they said to fix the problem.  Your case may be similar.

Florian Yanez
Manager of Technical Systems
Helzberg Diamond Shops, Inc.
[EMAIL PROTECTED]
816-627-1253


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rory Chisholm
Sent: Tuesday, February 10, 2004 7:14 AM
To: [EMAIL PROTECTED]
Subject: Expired CA Certificate


This isn't totally modssl related but maybe someone knows the answer.

I'm using OpenSCEP with openssl. My CA Certificate has just expired.
Now since our VPN sees very little use (only one important user) I'd like
to re-issue the x509 CA certificate with the same key but different
attributes (a later expiry date).

Can this be done without re-generating every certificate ever issued from
scratch? The real question here is: do x509 certificates that have been
signed by a CA certificate store a hash of the CA certificate based solely
on the CA's key or based on the full CA certificate including its
attributes?

Has anyone had any experience doing this?

Thanks for any help,

Rory Chisholm

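The sign.sh procedure in Richard Skeggs' post (a local CA signs a CSR and the result is verified against ca.crt), the two startup warnings in the "Certificate Problems" thread (a CA certificate configured as the server certificate, and a certificate name that does not match ServerName) and Rory Chisholm's question about re-issuing an expired CA certificate with the same key all come down to the same X.509 checks. The Go program below is an added example, not code from mod_ssl, OpenSSL or any of the posters; it builds the certificates with the standard crypto/x509 package instead of the openssl CLI, and the CA name "Example Test CA", the host name "eghapp" and the CSR bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newKey: P-256 for brevity; the threads used 1024-bit RSA, which changes nothing here.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent; parent == tmpl gives a self-signed cert ("openssl req -x509").
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA builds a self-signed CA certificate for caKey with BasicConstraints CA=TRUE, the
// flag mod_ssl warns about when such a certificate is handed to SSLCertificateFile.
func NewCA(caKey *ecdsa.PrivateKey, serial int64, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return sign(tmpl, tmpl, caKey.Public(), caKey)
}

// IssueServerCert is the "openssl ca" step of sign.sh: an end-entity certificate for host.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, newKey().Public(), caKey)
}

// CheckServerCert reproduces the two startup warnings from the "Certificate Problems"
// thread: a CA certificate used as the server certificate, and a name mismatch with ServerName.
func CheckServerCert(cert *x509.Certificate, serverName string) []string {
	var problems []string
	if cert.IsCA {
		problems = append(problems, "server certificate is a CA certificate (BasicConstraints: CA == TRUE)")
	}
	if err := cert.VerifyHostname(serverName); err != nil {
		problems = append(problems, "certificate name does not match server name "+serverName)
	}
	return problems
}

// PEMIsCertificate: is this PEM usable as SSLCertificateFile? The empty server.crt left by the
// failed sign.sh run and the server.csr the later httpd.conf extract points at both fail.
func PEMIsCertificate(pemBytes []byte) bool {
	block, _ := pem.Decode(pemBytes)
	return block != nil && block.Type == "CERTIFICATE"
}

// ChainsTo is the "openssl verify -CAfile ca.crt server.crt" step, evaluated at the current time.
func ChainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	caKey := newKey()
	oldCA := NewCA(caKey, 1, time.Now().Add(-time.Minute)) // already expired, as in Rory's case
	leaf := IssueServerCert(oldCA, caKey, "eghapp")
	fmt.Println(CheckServerCert(leaf, "eghapp"), CheckServerCert(oldCA, "eghapp"))
	// Re-issued CA certificate: same key and subject, later expiry, new serial.
	newCA := NewCA(caKey, 2, time.Now().Add(24*time.Hour))
	fmt.Println(ChainsTo(leaf, oldCA), ChainsTo(leaf, newCA), ChainsTo(leaf, NewCA(newKey(), 3, newCA.NotAfter)))
}
```

Running it with `go run` prints an empty problem list for the issued server certificate, both warnings for the CA certificate, and then `false true false`: the expired CA certificate no longer validates the server certificate, the re-issued one with the same key and subject name does, and one with a fresh key does not. That is the answer to Rory's question: the chain builder matches the issuer by name and checks the signature with the CA's public key, not a hash of the whole CA certificate, so re-issuing the CA certificate with the same key and subject leaves existing certificates valid. One caveat: if the issued certificates carry an Authority Key Identifier that also embeds the issuer name and serial (OpenSSL's `authorityKeyIdentifier = keyid,issuer` does this), the re-issued CA certificate must keep the same serial as well, or an OpenSSL-based verifier will reject the match.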


How to import self signed certificate as trusted certificate ?

2003-12-28 Thread Arthur Chan



Hi all.
I've created a self-signed certificate for testing purposes. I would like to
import that into my IE5 and Netscape 7.1 browsers as a trusted certificate so
that the browser will accept the applet requests implicitly.
Can someone point me in the right direction please, i.e. read-ups, howto
documentation, etc?
Also this: my applet can access and display jpeg images but the java console
throws the typical "Access Denied" error when I try to access a local
notepad.txt file.
HTML's, applets, jpegs and text files are all in the same directory on the
server. I find it astounding that the applet cannot access its own text
files, co-located in exactly the same directory, without being a "signed
applet", which brings me back to the purpose of this email...
Does anyone find this a bit over the top?
TIA :-)


Re: Replacing an SSL certificate

2003-12-19 Thread Huw Jenkins
I rebooted the unit eventually, which I guess had the same effect. However I
will remember that in future.

Many thanks.

Huw Jenkins

> From: Cliff Woolley [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 18 Dec 2003 14:16:44 -0500 (EST)
> To: [EMAIL PROTECTED]
> Subject: Re: Replacing an SSL certificate
> 
> On Thu, 18 Dec 2003, Huw Jenkins wrote:
> 
> > I've just replaced an SSL certificate (on a Mac OS 10.2 machine) and
> > restarted apache however it's still not recognising the new certificates
> > (still seeing the old one). I've not been asked for the passphrase either.
> > What's the command for getting apache to re read the SSL certificates?
> 
> What kind of restart did you do?  Try stopping and starting again rather
> than doing a plain restart or a graceful restart.
> 
> --Cliff



Re: Replacing an SSL certificate

2003-12-18 Thread Cliff Woolley
On Thu, 18 Dec 2003, Huw Jenkins wrote:

> I've just replaced an SSL certificate (on a Mac OS 10.2 machine) and
> restarted apache however it's still not recognising the new certificates
> (still seeing the old one). I've not been asked for the passphrase either.
> What's the command for getting apache to re read the SSL certificates?

What kind of restart did you do?  Try stopping and starting again rather
than doing a plain restart or a graceful restart.

--Cliff


Re: Non SSL requires a certificate acceptance

2003-10-29 Thread Takeshi Kuriyama
Hi,

That's all my mistake.
I've forgotten that an index.html in non-ssl contains a javascript that
accesses an ssl-url for counting access log. I gave up ssl communication.
All I do is changing a logging tool into non-ssl 'cause luckily a
logging tool is running also on server.
So, IE or Opera isn't the matter. Neither mod_ssl nor apache
configuration. Sorry I easily posted into ML.

Thanks,
Takeshi

[EMAIL PROTECTED]



Re: Non SSL requires a certificate acceptance

2003-10-28 Thread Peter Brown
Takeshi,

Can you share with us how you stopped the warning message - presumably in IE?

Peter'

At 19:35 28/10/03 +0900, you wrote:
Everything is settled.
A reason is that a tiny Javascript in domainC index.html goes to a SSl
host every time accessed.
Thanks,
Takeshi
[EMAIL PROTECTED]



Non SSL requires a certificate acceptance

2003-10-27 Thread Takeshi Kuriyama
Hi,

I'm running some name-based vhosts and one of them is a self-signed ssl
vhost under:
apache-1.3.27-13
openssl-0.9.6k-2
mod_ssl-2.8.14-13.
My apache configure is like this:
Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
ServerName domainA
DocumentRoot /dummy/doc/root
NameVirtualHost *
<VirtualHost *>
ServerName domainA
DocumentRoot /domainA/doc/root
</VirtualHost>
<VirtualHost *>
ServerName domainB
DocumentRoot /domainB/doc/root
</VirtualHost>
<VirtualHost *>
ServerName domainC
DocumentRoot /domainC/doc/root
</VirtualHost>
<VirtualHost _default_:443>
ServerName domainA
DocumentRoot /ssl-domainA/doc/root
SSLEngine on
</VirtualHost>

The trouble is:
When I connect to the non-SSL domainC (http://domainC/), I get a pop-up warning
which says the certificate is self generated, and I can't see any secret
icon on the browser whether I accept or not. And more confusing, the
other non-SSL domains (A and B) don't! The both-ways domain (domainA) works fine
for non-ssl and ssl.

I walked around some archives and googles but could not find any answers.
Anybody met this problem? 
I would really appreciate any help or suggestion.

Thanks,
Takeshi

[EMAIL PROTECTED]



Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
Hello,

I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and
possibly tomcat 4.1.27).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has it's own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the environment
variables, where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content.

However the 4th application doesn't work. One of the working applications
is PHP, another also working application is JSP based, so using Tomcat.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the index.html downloads to
the client, but then the applet should be retrieved by the browser (IE),
but the JAVA Plug-In just says applet not found, and in the web-server
error file (put in INFO) I see the following errors.:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.136.126.30)


I know, normally this peer did not return a certificate indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, but they do!

Now I was wondering if it could be an issue somewhere in between mod_ssl,
mod_jk, Tomcat??

In principle the connector between Apache and Tomcat works, otherwise the
JSP application would not work either. That can be easily verified by
inserting a bug in this configuration and voila, the JSP app stops
working.

Any ideas?

   thanks in advance

Herbert

PS: if I switch on debug level, I get even more info, which does not help
me, but it first says something about client certificate A (success) and
then something about a certificate B? what is this about?

[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096

How to installing a trusted certificate in Netscape

2003-08-14 Thread Arthur Chan
Hi all.
This may be a trivial question...
I have signed my own certificate.
How do I install that as a trusted certificate so that Netscape6 doesn't
throw the warning screen that I have been presented with a certificate from
an untrusted site?



Re: Certificate verification problem (required client certificate)

2003-08-14 Thread Kiyoshi Watanabe

Hello,

I have seen similar questions posted on the openssl mailing list
before, but I have not seen much discussion. One thing that you may
want to try is to upgrade the version of openssl itself, but I have
no clue whether that applies to your problem.

Why don't you post this question on the openssl mailing list, hoping
that somebody has solved the question since then?

-Kiyoshi
Kiyoshi Watanabe





 Hello,
 
 I posted this question already some days ago, but did not yet receive any
 hint. Does really no-one have any idea what could be the problem?
 
 ---
 
 I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
 0.9.6i  (and possibly a factor also tomcat 4.1.27 server, client IE6 with
 Java 1.4 plugin from Sun).
 
 The web-server should run all applications only over SSL and with client
 certificate verification enabled.
 
 So I set up all the necessary configuration, including server and client
 certificates (our company has it's own internal CA), and moved three
 different applications from the non-SSL to the SSL virtual-host.
 Everything works fine, the applications can access the environment
 variables, where the user-ID coming from the certificate is stored, in
 order to authenticate the users and provide user-specific content. One of
 the working applications is PHP based, another one is JSP based, so via
 Tomcat. (only explaining this so that it is clear the whole server
 combination including the SSL setup seems to be right in principle).
 
 However the 4th application doesn't work.
 
 The fourth application is not JSP, but a Servlet/Applet combination.
 
 What happens when accessing the page is that the index.html downloads to
 the client, but then the applet should be retrieved by the browser
 (IE/Java plug-in), but the JAVA Plug-In just says applet not found, and
 in the web-server error file (put in INFO) I see the following:
 
 [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established
 (server esdsv07.my.com:443, client 115.191.1.8)
 [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
 [Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server
 esdsv07.my.com:443, client 115.191.1.8)
 [Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671
 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
 return a certificate No CAs known to server for verification?
 [Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with
 abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
 [Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established
 (server esdsv07.my.com:443, client 115.136.126.30)
 [Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
 [Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server
 esdsv07.my.com:443, client 115.136.126.30)
 [Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671
 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
 return a certificate No CAs known to server for verification?
 [Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with
 abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
 
 
 I know, normally this peer did not return a certificate indicates that
 either my browser does not have a certificate (which it has) or that the
 certificate can not be verified by the server due to a missing CA
 certificate (which it has). If one of these or both problems were there,
 the other three applications would not work as well, right? But they do!
 
 Any ideas?
 
 If I switch on debug level, I get even more info (which does not tell me a
 lot more). First there is a verification/handshake on client certificate A
 (successful) and then there is something about a certificate B? what
 is this about? What is certificate A and B?
 
Thanks in advance
 
 Herbert
 
 Debugging info:
 
 [Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
 [Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
 [Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
 [Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
 [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
 [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
 [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
 [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
 [Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
 [Tue Aug 05 19:14:48

RE: Certificate verification problem (required client certificate)

2003-08-14 Thread Herbert Neugebauer
Hello,

I posted this question already some days ago, but did not yet receive any
hint. Does really no-one have any idea what could be the problem?

---

I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
0.9.6i  (and possibly a factor also tomcat 4.1.27 server, client IE6 with
Java 1.4 plugin from Sun).

The web-server should run all applications only over SSL and with client
certificate verification enabled.

So I set up all the necessary configuration, including server and client
certificates (our company has it's own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the environment
variables, where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content. One of
the working applications is PHP based, another one is JSP based, so via
Tomcat. (only explaining this so that it is clear the whole server
combination including the SSL setup seems to be right in principle).

However the 4th application doesn't work.

The fourth application is not JSP, but a Servlet/Applet combination.

What happens when accessing the page is that the index.html downloads to
the client, but then the applet should be retrieved by the browser
(IE/Java plug-in), but the JAVA Plug-In just says applet not found, and
in the web-server error file (put in INFO) I see the following:

[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established
(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established
(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)


I know, normally this peer did not return a certificate indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, right? But they do!

Any ideas?

If I switch on debug level, I get even more info (which does not tell me a
lot more). First there is a verification/handshake on client certificate A
(successful) and then there is something about a certificate B? what
is this about? What is certificate A and B?

   Thanks in advance

Herbert

Debugging info:

[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553

rewrite data form client certificate

2003-03-17 Thread mario eugster




Hi

I am trying to get the SSL_CLIENT_S_DN_CN from a client certificate to use it in a
RewriteRule. But I always get an empty query string. The config is as
following:

SSLOptions +StdEnvVars
RewriteEngine On
RewriteLog logs/rewrite.log
RewriteLogLevel 9
RewriteCond %{ENV:SSL_CLIENT_S_DN_CN} ^Simpson*
RewriteRule ^/$ /dir/index.html [L]

Can I get environment variables like SSL_CLIENT_XXX within the Rewrite Module? Or
are there any other possibilities to get access to them?

thanks for your help
mario


self signed certificate

2003-03-13 Thread Jan Staschulat
Hi, I have problems creating a self signed certificate. 
I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2
I went through the description of FAQ-page:
http://www.corserv.com/freebsd/apache-ssl-howto.html

OpenSSL quits with the error when I want to sign the server.csr:

$ openssl ca -config ca.config -out server.crt -infiles server.csr
...
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

I searched on google and found the same question on the modssl-users
mailing list (Dez 2002) , which is still unanswered:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html


Any Ideas?

Jan



Re: self signed certificate

2003-03-13 Thread Alex Kuehne
 -Original Message-
 From: Jan Staschulat [mailto:[EMAIL PROTECTED]
 Sent: Thursday, March 13, 2003 2:12 PM
 To: [EMAIL PROTECTED]
 Subject: self signed certificate


 Hi, I have problems creating a self signed certificate.
 I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2
 I went through the description of FAQ-page:
 http://www.corserv.com/freebsd/apache-ssl-howto.html

 OpenSSL quits with the error when I want to sign the server.csr:

 $ openssl ca -config ca.config -out server.crt -infiles server.csr
 ...
 Sign the certificate? [y/n]:y
 failed to update database
 TXT_DB error number 2

 I searched on google and found the same question on the modssl-users
 mailing list (Dez 2002) , which is still unanswered:

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html
Hello,

don't mess with openssl. Please refer to

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29.

There is a script sign.sh in the contrib dir of modssl source package.

Best regards
Alex Kuehne
--
Network Manager, SAG, Berlin, Germany


Re: self signed certificate

2003-03-13 Thread Aaron Stromas
Jan Staschulat said:
 Hi, I have problems creating a self signed certificate.
 I'm using OpenSSL 0.9.7a on SunOS 5.7 sparc SUNW,Ultra-2
 I went through the description of FAQ-page:
 http://www.corserv.com/freebsd/apache-ssl-howto.html

 OpenSSL quits with the error when I want to sign the server.csr:

 $ openssl ca -config ca.config -out server.crt -infiles server.csr ...
 Sign the certificate? [y/n]:y
 failed to update database
 TXT_DB error number 2

 I searched on google and found the same question on the modssl-users
 mailing list (Dez 2002) , which is still unanswered:

 http://www.mail-archive.com/[EMAIL PROTECTED]/msg15877.html


 Any Ideas?

My guess is you don't have the database file. On a Unix system do touch f,
where f is the value of database in ca.config.

I also remember having to initialise the serial file: echo 00 > serial

HTH

 Jan



-- 
Aaron Stromas | Tik-tik-tik!!!... ja, Pantani is weg...
[EMAIL PROTECTED]| BRTN commentator
+1 (301) 493 4933 | L'Alpe d'Huez
http://www.izoard.com | 1995 Tour de France





mod_ssl/openssl error with test certificate?

2003-03-05 Thread Otto L. Miller
modssl-users,

OK, I just built an apache + mod_ssl + mod_perl configuration.  I
built the test certificate and installed it (make certificate && make
install).  But when I 'apachectl startssl' I get the following
message:

[error] Init: Unable to read server certificate from file 
/opt/sisapache/conf/ssl.crt/server.crt (OpenSSL library error follows)
[error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 
sequence

I checked permissions and thought that might be the problem, however,
the problem persists even if I 'chmod 444
/opt/sisapache/conf/ssl.crt/server.crt'.  Any thoughts?

Thanks,
Otto
---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA  22030-7448
Phone:  703-383-8022
Fax:703-383-4055



Re: mod_ssl/openssl error with test certificate?

2003-03-05 Thread Geoff Thorpe
* Otto L. Miller ([EMAIL PROTECTED]) wrote:

[snip]

 I checked permissions and thought that might be the problem, however,
 the problem persists even if I 'chmod 444
 /opt/sisapache/conf/ssl.crt/server.crt'.  Any thoughts?

Could you post a copy of the server.crt file?

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/



Re[2]: mod_ssl/openssl error with test certificate?

2003-03-05 Thread Otto L. Miller
Geoff,

Oops!  Checked out the file and it is a dummy ascii file :-(.  I
replaced it with a 'real' file from the source tree and then it whined
about the private key.  It too was a dummy ascii file.  I replaced it
with a 'real' key file and voila... it all works!  It never occurred
to me that 'make install' *does not* install the certificate
files. Thanks to all who spent time on this!

Thanks,
Otto
---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA  22030-7448
Phone:  703-383-8022
Fax:703-383-4055

Wednesday, March 5, 2003, 1:21:59 PM, you wrote:

 * Otto L. Miller ([EMAIL PROTECTED]) wrote:

 [snip]

 I checked permissions and thought that might be the problem, however,
 the problem persists even if I 'chmod 444
 /opt/sisapache/conf/ssl.crt/server.crt'.  Any thoughts?

 Could you post a copy of the server.crt file?

 Cheers,
 Geoff

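The failure in this thread (a placeholder file where a PEM certificate should be, reported only when httpd starts) is cheap to catch beforehand. The following pre-flight check is an added example, not code from the thread or from the mod_ssl distribution: it confirms that the files named in SSLCertificateFile and SSLCertificateKeyFile parse, and that the key actually belongs to the certificate, by comparing the public key embedded in the certificate with the one derived from the private key. The demo builds its own key pairs and a stand-in dummy file in a temp directory; file names and subjects are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): verify that a
# certificate file and a key file parse and belong together before
# restarting httpd. All inputs below are constructed in a temp dir.
set -u

# cert_key_check CERT KEY: prints ok | bad-cert | bad-key | mismatch
cert_key_check() {
    c=$1; k=$2
    # A dummy ASCII file fails here with "expecting an asn1 sequence",
    # the same error mod_ssl logs at startup.
    openssl x509 -noout -in "$c" >/dev/null 2>&1 || { echo bad-cert; return 0; }
    openssl pkey -noout -in "$k" >/dev/null 2>&1 || { echo bad-key; return 0; }
    # Both commands emit the SubjectPublicKeyInfo in PEM form, so a
    # byte-for-byte match means the key is the one the cert was issued for.
    cp=$(openssl x509 -noout -pubkey -in "$c" 2>/dev/null)
    kp=$(openssl pkey -pubout -in "$k" 2>/dev/null)
    if [ -n "$cp" ] && [ "$cp" = "$kp" ]; then echo ok; else echo mismatch; fi
}

# cert_key_demo: build two self-signed pairs plus a dummy "certificate"
# like the one in the thread, and run the check against each case.
cert_key_demo() {
    d=$(mktemp -d)
    # Minimal req config so the demo does not depend on a system openssl.cnf.
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = placeholder\n' > "$d/req.cnf"
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
            -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.crt" >/dev/null 2>&1
    done
    echo "dummy certificate placeholder" > "$d/dummy.crt"   # constructed stand-in
    echo "pair:$(cert_key_check "$d/a.crt" "$d/a.key")"       # matching pair
    echo "dummy:$(cert_key_check "$d/dummy.crt" "$d/a.key")"  # not a certificate
    echo "wrongkey:$(cert_key_check "$d/a.crt" "$d/b.key")"   # key from another pair
    rm -rf "$d"
}

cert_key_demo
```

Run it as `sh check.sh`; in production call `cert_key_check /path/to/server.crt /path/to/server.key` from the same script and refuse to restart unless it prints `ok`.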


SSLProxy - Howto delegate Client Certificate to backend server

2003-02-23 Thread ulrich . lohrmann
Hi all,

I have the following scenario:

Apache webserver 2.0.44 with mod_ssl requires client authentication during
SSL handshake for a particular URL. All further requests coming in over the
established SSL connection are delegated to a backend server. The connection
between the webserver and the backend server is also configured to be a SSL
connection with client authentication, so the webserver has to provide a
client certificate to the backend server.

I'd like to pass the client certificate provided by the end user to the
backend server. Is there a chance to do this with mod_ssl?

Any help and comments appreciated.

Best regards
Ulrich


Deutscher Sparkassen Verlag GmbH

Am Wallgraben 115
70565 Stuttgart
Phone: 0711/782-0
Website: http://www.dsv-gruppe.de


This e-mail, including any attached files, contains confidential and/or
legally protected information. If you are not the intended recipient and
have received this e-mail in error, you may neither use the content of
this e-mail nor open any attached files, nor copy or forward/distribute
anything.
Please notify the sender and delete this e-mail and any attached files
immediately. Thank you!




Re: SSLProxy - Howto delegate Client Certificate to backend server

2003-02-23 Thread Mads Toftum
On Fri, Feb 21, 2003 at 07:39:07AM +0100, [EMAIL PROTECTED] wrote:
 I'd like to pass the client certificate provided by the end user to the
 backend server. Is there a
 chance to do this with mod_ssl?
 
Currently there isn't a solution with mod_ssl. There are however a couple
of ways to do this if you don't mind hacking the code. I made a POC module
for Apache 1.3 http://www.toftum.org/www2/apache/ which is just a very
simple example of how this can be done. A patch has also been sent
to the [EMAIL PROTECTED] list recently - it has not been included, but see
http://marc.theaimsgroup.com/?t=10449923556&r=1&w=2

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



certificate authentication alternate authentication REMOTE_USER variable

2003-02-19 Thread Sophia Petridou


Hi all,
SERVER: Apache 1.3.27 + mod_ssl/2.8.12
My problem:
I want to authenticate clients of my domain based on certificates
and obtain my users' usernames. I try using the two methods mentioned
in http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9
but they don't seem to be completely equivalent.
Specifically, when I try without SSLRequire and load an authentication
module such as mod_auth_ldap or mod_auth_mysql (in order to offer
an alternate authentication schema - Satisfy any), in the browser,
a dialog window appears asking for Username/Password just after the
window for choosing the certificate.
This window (asking for username/password) does not appear
1. when I use the SSLRequire directive and load other modules (but the REMOTE_USER
variable is empty) and
2. when I use the AuthUserFile directive and don't load the modules (but
I can't offer alternate authentication).

Apache configuration:

#LoadModule ldap_auth_module libexec/mod_auth_ldap.so
SSLCACertificatePath /etc/apache/conf/ssl.crt
SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient 0
<Directory "/apache/secure/area">
 AllowOverride None
 Options None
 Order deny,allow
 Deny from all
 Allow from localnetwork
 SSLVerifyClient require
 SSLVerifyDepth 2
 SSLOptions +FakeBasicAuth +StdEnvVars
 SSLRequireSSL
 #SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organization" and \
 # %{SSL_CLIENT_S_DN_OU} eq "My Departement"
 AuthName "Certificate Authentication"
 AuthType Basic
 AuthUserFile /path/to/httpd.passwd
 require valid-user
 #Satisfy any
 #AuthType Basic
 #AuthName "LDAP Authentication"
 #LDAP_Server MyLdapServer
 #LDAP_Port 389
 #Base_DN "o=MyOrganization,c=GR"
 #UID_Attr uid
 #require valid-user
</Directory>
thanks in advance
-sophia


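The contract behind SSLOptions +FakeBasicAuth, written out as an added example in mod_ssl 2.8 / Apache 1.3 directive style; this is not the poster's configuration and the paths, network and DN are constructed. FakeBasicAuth hands the client certificate's Subject DN to the Basic-auth machinery as the user name together with the fixed password "password", so REMOTE_USER is populated only when whatever auth module runs afterwards accepts that DN as a user. A password file entry works because its crypt hash of "password" is fixed; an LDAP or database module has no such entry unless it is taught the DN, and a failed lookup is exactly what makes the browser show a password dialog. Combining this with Satisfy any and an Allow rule has a second effect: clients matched by Allow skip authentication entirely, so REMOTE_USER stays empty for them.

```apacheconf
# Added example (not from the post). Client-certificate authentication with
# the certificate DN exposed as REMOTE_USER. Paths, network and DN are made up.

SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
# Load the CA's CRL too, so a revoked client certificate stops working.
SSLCARevocationFile  /etc/apache/conf/ssl.crl/ca-bundle.crl

<Directory "/apache/secure/area">
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLOptions      +FakeBasicAuth +StdEnvVars

    # FakeBasicAuth: user name = Subject DN, password = the fixed string
    # "password". The entry in httpd.passwd therefore looks like
    #   /O=My Organization/OU=My Department/CN=Alice:xxj31ZMTZzkVA
    # (xxj31ZMTZzkVA is crypt("password")). Only a successful lookup here
    # sets REMOTE_USER.
    AuthType     Basic
    AuthName     "Certificate Authentication"
    AuthUserFile /path/to/httpd.passwd
    require      valid-user

    # Keep the default "Satisfy all": the network rule AND the certificate
    # check must both pass. With "Satisfy any", a client that matches Allow
    # never authenticates, and REMOTE_USER is never set for it.
    Order deny,allow
    Deny  from all
    Allow from 192.0.2.0/24
</Directory>
```

The SSLRequire variant from the post restricts access by DN fields but does not run an auth module at all, which is why REMOTE_USER was empty in that configuration; use SSLRequire for access control and FakeBasicAuth (or an application reading SSL_CLIENT_S_DN from +StdEnvVars) for identity.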


add a certificate to a Certificate Revocation List

2003-02-19 Thread Zampognaro Sergio
How to add a client certificate to an already created and empty Certificate
Revocation List?

thanks
Sergio



Re: add a certificate to a Certificate Revocation List

2003-02-19 Thread Mads Toftum
On Wed, Feb 19, 2003 at 11:57:20AM +0100, Zampognaro Sergio wrote:
 How to add a client certificate to an already created and empty Certificate
 Revocation List?
 
openssl ca -revoke filename

see man ca and man crl in the openssl docs.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: add a certificate to a Certificate Revocation List

2003-02-19 Thread Mads Toftum
On Wed, Feb 19, 2003 at 12:10:14PM +0100, Mads Toftum wrote:
 openssl ca -revoke filename
 
 see man ca and man crl in the openssl docs.
 
I forgot to add this link - http://www.apacheweek.com/features/crl

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

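Two threads above share one underlying mechanism: Jan's "failed to update database / TXT_DB error number 2" from `openssl ca`, and Sergio's question of how `openssl ca -revoke` gets a certificate onto a CRL. Both live in the CA's index.txt database. The script below is an added example, not code from either thread or from the OpenSSL or mod_ssl distributions: it builds a throwaway CA in a temp directory with the files `openssl ca` needs (an empty index.txt, a serial file, a newcerts directory), issues a certificate, shows that a second certificate for a subject that is still valid in index.txt is refused (older releases reported that clash as TXT_DB error number 2, current ones print "There is already a certificate for ..."), then revokes it with `-revoke`, regenerates the CRL with `-gencrl`, and shows both that a CRL-checking verifier now rejects the certificate and that the subject can be reissued afterwards, because only rows marked V count as clashes. The CA name, the subject alice and all paths are constructed.

```shell
#!/bin/sh
# Added example, not code from any post in these threads. Builds a throwaway
# CA in a temp directory to show what "openssl ca" needs on disk, what happens
# when a subject with a still-valid row in index.txt is signed again, and how
# -revoke / -gencrl produce the CRL that mod_ssl loads via SSLCARevocationFile.
# All names (Demo CA, alice) and paths are constructed.
set -u

# ca_setup DIR: database files, a self-signed CA and an initial (empty) CRL.
# An empty index.txt is fine; a missing one is not.
ca_setup() {
    d=$1
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
unique_subject = yes
x509_extensions = usr_cert
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

# ca_issue DIR NAME: make NAME's key and CSR (once) and have the CA sign it.
# Prints "issued" or "refused". A subject that still has a V row in
# index.txt is refused: older releases called this "TXT_DB error number 2",
# current ones say "There is already a certificate for /CN=...".
ca_issue() {
    d=$1; n=$2
    [ -f "$d/$n.csr" ] || openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
    # Sign into a temp file: -out may already be truncated by the time a
    # request is refused, which would clobber a previously issued NAME.crt.
    if openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$n.csr" \
            -out "$d/$n.tmp" >"$d/ca.log" 2>&1; then
        mv "$d/$n.tmp" "$d/$n.crt"; echo issued
    else
        rm -f "$d/$n.tmp"; echo refused
    fi
}

# ca_revoke DIR NAME: flip NAME's index.txt row from V to R and regenerate
# the CRL (the file you would point SSLCARevocationFile at).
ca_revoke() {
    d=$1; n=$2
    openssl ca -config "$d/ca.cnf" -revoke "$d/$n.crt" >/dev/null 2>&1 &&
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" >/dev/null 2>&1
}

# cert_status DIR NAME: "valid" or "revoked", judged with CRL checking on,
# the way a server configured with a CRL would judge it.
cert_status() {
    d=$1; n=$2
    cat "$d/ca.crt" "$d/ca.crl" > "$d/trust.pem"
    if openssl verify -crl_check -CAfile "$d/trust.pem" "$d/$n.crt" >/dev/null 2>&1; then
        echo valid
    else
        echo revoked
    fi
}

# ca_demo: run the whole sequence; prints one "step:result" line per step.
ca_demo() {
    d=$(mktemp -d)
    ca_setup "$d"
    echo "first:$(ca_issue "$d" alice)"            # fresh subject: issued
    echo "again:$(ca_issue "$d" alice)"            # same subject, still valid: refused
    echo "check:$(cert_status "$d" alice)"         # not on the CRL yet: valid
    ca_revoke "$d" alice
    echo "after-revoke:$(cert_status "$d" alice)"  # serial now on the CRL: revoked
    echo "reissue:$(ca_issue "$d" alice)"          # only V rows clash: issued
    rm -rf "$d"
}

ca_demo
```

The practical lesson for Jan's case is that neither deleting index.txt nor editing it by hand is the right fix: revoke the earlier certificate (or set `unique_subject = no` if you really want several valid certificates per subject) and sign again. For Sergio's case, remember that `-revoke` only updates index.txt; the CRL clients and mod_ssl actually consume does not change until `-gencrl` is run and the new file is put where SSLCARevocationFile points.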


