Re: Apache SSL proxy to Weblogic fails
On 19 September 2014 22:34, Stromas, Aaron <aaron.stro...@rsa.com> wrote:

> Greetings,
>
> I am looking for help with a problem I've run into using mod_proxy/mod_ssl. The Apache HTTP server on SLES 11 SP3 64 bit, OpenSSL 1.0.1f, acts as SSL proxy to the Weblogic 10.3 running on Redhat. The mod_ssl is configured correctly - it works when proxying SSL connections to non-SSL servers. Also, the certificate on the proxy was issued with extensions allowing it to be used as both SSL client and server. Yet, the Apache proxy fails the connection over SSL to the Weblogic's HTTPS port. Below is the excerpt from the Apache error log. Any advice will be greatly appreciated. TIA
>
> [Thu Sep 18 09:32:14 2014] [debug] mod_proxy.c(1036): Running scheme https handler (attempt 0)
> [Thu Sep 18 09:32:14 2014] [debug] mod_proxy_http.c(1995): proxy: HTTP: serving URL https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2022): proxy: HTTPS: has acquired connection for (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2078): proxy: connecting https://appdev2.example.com:8102/auth/logon.jsp?aa_param=user to appdev2.example.com:8102
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2236): proxy: connected /auth/logon.jsp?aa_param=user to appdev2.example.com:8102
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2487): proxy: HTTPS: fam 2 socket created to connect to appdev2.example.com
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2619): proxy: HTTPS: connection complete to 10.40.0.224:8102 (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection to child 0 established (server aaproxiedel1:443)
> [Thu Sep 18 09:32:14 2014] [info] Seeding PRNG with 144 bytes of entropy
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1090): [client 10.40.0.224] SNI extension for SSL Proxy request set to 'appdev2.example.com'
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/connect initialization
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: SSLv2/v3 write client hello A
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1939): OpenSSL: read 7/7 bytes from BIO#994fe0 [mem: 9ea880] (BIO dump follows)
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1872): +-+
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1911): | : 15 03 00 00 02 02 28 ..( |
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_io.c(1917): +-+
>
> Content type 15 is alert.
>
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1916): OpenSSL: Read: SSLv2/v3 read server hello A
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read server hello A
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] SSL Proxy connect failed
> [Thu Sep 18 09:32:14 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> [Thu Sep 18 09:32:14 2014] [info] [client 10.40.0.224] Connection closed to child 0 with abortive shutdown (server aaproxiedel1:443)
> [Thu Sep 18 09:32:14 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [error] [client 141.1.3.134] proxy: Error during SSL Handshake with remote server returned by /auth/logon.jsp
> [Thu Sep 18 09:32:14 2014] [error] proxy: pass request body failed to 10.40.0.224:8102 (appdev2.example.com) from 141.1.3.134 ()
> [Thu Sep 18 09:32:14 2014] [debug] proxy_util.c(2040): proxy: HTTPS: has released connection for (appdev2.example.com)
> [Thu Sep 18 09:32:14 2014] [debug] ssl_engine_kernel.c(1921): OpenSSL: Write: SSL negotiation finished successfully
> [Thu Sep 18 09:32:14 2014] [info] [client 141.1.3.134] Connection closed to child 2 with standard shutdown (server aaproxiedel1:443)
>
> Best regards,
> -a
>
> --
> Aaron Stromas | RSA, The Security Division of EMC | Practice Consultant | Identity Fraud Protection Practice | M – 240 271 64 58 | aaron.stro...@rsa.com
RE: Apache SSL proxy to Weblogic fails
I suspected that Apache and Weblogic fail to agree on the ciphers. The Weblogic log shows its ciphers:

Sep 18, 2014 2:05:52 PM EDT Debug SecuritySSL BEA-00 TLS_RSA_WITH_RC4_128_SHA
Sep 18, 2014 2:05:52 PM EDT Debug SecuritySSL BEA-00 TLS_RSA_WITH_RC4_128_MD5
Sep 18, 2014 2:05:52 PM EDT Debug SecuritySSL BEA-00 TLS_RSA_WITH_AES_128_CBC_SHA
Sep 18, 2014 2:05:52 PM EDT Debug SecuritySSL BEA-00 TLS_RSA_WITH_AES_256_CBC_SHA

I've been trying to match them using the SSLCipherSuite directive, for example setting it to AES:RC4+RSA:!TLSv1.2:!ECDH:!SPR:!DSS:!PSK:!EXP, but none of the values work.

Best regards,
-a

Aaron Stromas | RSA, The Security Division of EMC | Practice Consultant | Identity Fraud Protection Practice | M – 240 271 64 58 | aaron.stro...@rsa.com

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Thulasi Goriparthi
Sent: Tuesday, 23 September, 2014 03:20
To: openssl-users@openssl.org
Subject: Re: Apache SSL proxy to Weblogic fails

> On 19 September 2014 22:34, Stromas, Aaron <aaron.stro...@rsa.com> wrote:
>> [Aaron's original message and log excerpt, quoted in full above]
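The seven bytes in the BIO dump above are the server's whole answer to the ClientHello. As an added example (not code from this thread), the C below decodes such a mod_ssl dump line into the TLS record header and alert body: for Aaron's line it yields an SSL 3.0 record carrying a fatal alert 40, handshake_failure, which is the same condition the SSL23_GET_SERVER_HELLO error string reports and is what a server sends when it cannot agree on security parameters such as a common cipher suite. Function and type names are my own.

```c
#include <stdio.h>
#include <string.h>
struct tls_alert {
    int version_major, version_minor;   /* 3.0 = SSLv3, 3.1 = TLS 1.0, 3.3 = TLS 1.2 */
    int level;                          /* 1 = warning, 2 = fatal */
    int description;                    /* 40 = handshake_failure */
};
/* Hex byte column of a mod_ssl "BIO dump" line such as "| 0000: 15 03 00 ... ..( |";
 * parsing stops at the ASCII gutter, which does not read as spaced hex pairs. */
size_t bio_dump_bytes(const char *line, unsigned char *out, size_t max)
{
    const char *p = strchr(line, ':');
    size_t n = 0;
    unsigned v; int used;
    if (p == NULL)
        return 0;
    for (p++; n < max && sscanf(p, " %2x%n", &v, &used) == 1; p += used) {
        if (p[used] != ' ' && p[used] != '\0')   /* hex-looking text in the gutter */
            break;
        out[n++] = (unsigned char)v;
    }
    return n;
}
/* Decode the record header (type, version, length) plus the 2-byte alert body. */
int decode_tls_alert(const unsigned char *b, size_t n, struct tls_alert *a)
{
    size_t len = n < 5 ? 0 : (((size_t)b[3] << 8) | b[4]);
    if (n < 5 || b[0] != 0x15 || len != 2 || n < 5 + len)   /* 0x15 = alert */
        return 0;
    a->version_major = b[1]; a->version_minor = b[2];
    a->level = b[5];         a->description = b[6];
    return 1;
}
/* RFC 5246 AlertDescription names for values commonly seen in proxy logs. */
const char *tls_alert_name(int description)
{
    switch (description) {
    case 0:   return "close_notify";
    case 40:  return "handshake_failure";
    case 70:  return "protocol_version";
    case 112: return "unrecognized_name";
    default:  return "other";
    }
}
/* Alert description in one dump line, or -1 if it holds no complete alert record. */
int alert_description_from_dump(const char *line)
{
    unsigned char buf[64]; struct tls_alert a;
    return decode_tls_alert(buf, bio_dump_bytes(line, buf, sizeof buf), &a) ? a.description : -1;
}
```

The record version 03 00 in the dump is the server's own version field, so the library reporting "sslv3 alert" is consistent with the bytes on the wire.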
Re: pkcs7_sign() / cms_sign() : using SHA256 hash
Thank you Stephen. I'll try to do that and then I'll tell the other OFTP2 editors how to do it!

BTW: Rich told me: open a ticket. I tried to do so by writing to r...@openssl.org but I got nothing back.

Best regards,
--
Francis

On 20/09/2014 01:36, Dr. Stephen Henson wrote:
> On Fri, Sep 12, 2014, Francis GASCHET wrote:
>> Hello,
>>
>> From the man page, it looks like signing packages always uses SHA1, and there is no argument to the pkcs7_sign and cms_sign functions which would allow choosing the algorithm. Maybe I missed something... Or is there some method to sign with another hash algorithm?
>
> CMS_sign() does use the default digest only. The cms application can use a different digest though. You can do the same: it's slightly more complex but not difficult. In outline you do this:
>
> Call CMS_sign(), set the private key argument to NULL and include the flag CMS_PARTIAL (if you don't already). This just initialises the structure without actually signing anything.
>
> Add the signer(s) using CMS_add1_signer(); you can specify the digest algorithm to use with this call. You can add multiple signers using different digest algorithms here.
>
> If you're streaming, call SMIME_write_CMS() as normal. If not, call CMS_final(), which will finalise the structure and you can then write it out. This finalises the structures and performs the content digesting and signing.
>
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
Problem with Certificate Chains on Windows
Hi,

I am getting a 'Certificate Signature Failure' (verify error:num=7:certificate signature failure) on Windows Server 2008 R2 Enterprise during certificate verification on the client side. I used the 'openssl s_client' command to check this behavior after seeing an SSL handshake failure in my application that uses Python M2Crypto for the SSL communication. This failure is seen only on the Windows platform; RHEL and Ubuntu running the same Python app using the same certificates does have this problem.

The CAs are loaded from files that contain:

Cert #1: Single self-signed cert with Subject = 'ABC' and Issuer = 'ABC'

and the following chain of 3 certs:

Cert #2: This is part of a cert chain with Subject = 'ABC' and Issuer = 'ABC'
Cert #3: Intermediate CA, Subject = 'ABC' and Issuer = 'Custom CA'
Cert #4: Self-signed root, Subject = 'Custom CA' and Issuer = 'Custom CA'

Cert #1 and the chain have overlapping validity dates, so both are currently valid.

I encounter the problem only when I load 2 such CA files: one that corresponds to the server cert ('ABC') and another (say 'XYZ') that is used to verify a different server cert. The structure of both the certs is identical and the chains in them use the same self-signed root cert, but each has a different Subject and Issuer for the top-level cert ('ABC' and 'XYZ').

I used exactly the same certificates for my Unix clients and they do not have this problem. An identical 'openssl s_client' command is successful on the Unix clients. I am using OpenSSL 1.0.1h libraries.

Any suggestions on how to troubleshoot/resolve this problem will be very helpful.

Thank you,
Jag.
Re: Problem with Certificate Chains on Windows
Check the digests used for signing. Windows (after updates) may refuse MD5 signatures on certificates; I would recommend regenerating new certs with at least SHA256.

-Kyle H

On September 22, 2014 9:34:59 AM PST, Vellore-Arumugam, Jagdish (Svr Automation) <jagdish.arumu...@hp.com> wrote:
> [Jag's message, quoted in full above]

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
RE: pkcs7_sign() / cms_sign() : using SHA256 hash
RT is sometimes slow. If you sent email to rt, give it a couple of days and resend.

--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz