Re: client side certificates

2005-11-02 Thread Raymond Popowich

Hello,

> So can you confirm that entering Tools-Internet
> Options-Content-Certificates shows Personal certs, and that if you
> View them it states there's a private key associated with that cert?
> And then confirm that the CA that signed that cert is one trusted by
> Apache via SSLCACertificateFile or SSLCACertificatePath (those should
> point to copies of the CA public keys - not the same cert that is on the
> client. I can't figure out from your mail if you've already worked that
> out, so sorry if that's pointing out the bleeding obvious ;-)

Yes, I have a Verisign Class 1 personal certificate.

It states that:

You have a private key that corresponds to this certificate.

I asked VeriSign for the certificate that signed my cert and they sent it to 
me.  It was base64, I converted to what appears to be a PEM format.  I have 
this file (verisign.pem) as my SSLCACertificateFile and manually created the 
hash link to it.

So right now I have this included within this server's virtualhost:

# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/verisign.pem
SSLCACertificatePath /export/CA/certs
SSLProtocol ALL
SSLCipherSuite  ALL
  <Location />
SSLRequire %{REMOTE_ADDR} =~ m/^x\.x\.x\.[0-9]+$/
  </Location>
</VirtualHost>

And the certs dir has 1 link and 1 file:

lrwxrwxrwx   1 root other     12 Nov  2 10:57 c19d42c7.0 -> verisign.pem
-rw-r--r--   1 root other   3028 Nov  2 10:49 verisign.pem



> That's what SSLCACertificateFile or SSLCACertificatePath is about. You
> can use that to restrict what client certs you support down to just
> those signed by those CAs. To further restrict to a subselection, see
> mod_ssl documentation for SSLRequire - e.g.
>
> SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
>    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

I see.  Thanks for the tip.

To keep this simple I am using SSLRequire and check for my IP.

I continue to get the blank pop-up window that asks me to select a cert.

I rebooted my laptop for good measure.

The same error appears in my apache error log.

[Wed Nov  2 11:20:17 2005] [error] mod_ssl: SSL handshake failed (server ice.choiceonecom.com:443, client 216.153.201.171) (OpenSSL library error follows)

[Wed Nov  2 11:20:17 2005] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

Is my verisign.pem in the wrong format?


Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Validity
            Not Before: May 18 00:00:00 1998 GMT
            Not After : May 18 23:59:59 2018 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:d0:ba:be:16:2d:b8:83:d4:ca:d2:0f:bc:76:
                    31:ca:94:d8:1d:93:8c:56:02:bc:d9:6f:1a:6f:52:
                    36:6e:75:56:0a:55:d3:df:43:87:21:11:65:8a:7e:
                    8f:bd:21:de:6b:32:3f:1b:84:34:95:05:9d:41:35:
                    eb:92:eb:96:dd:aa:59:3f:01:53:6d:99:4f:ed:e5:
                    e2:2a:5a:90:c1:b9:c4:a6:15:cf:c8:45:eb:a6:5d:
                    8e:9c:3e:f0:64:24:76:a5:cd:ab:1a:6f:b6:d8:7b:
                    51:61:6e:a6:7f:87:c8:e2:b7:e5:34:dc:41:88:ea:
                    09:40:be:73:92:3d:6b:e7:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:f7:1a:10:ce:76:5c:07:ab:83:99:dc:17:80:6f:34:39:5d:
        98:3e:6b:72:2c:e1:c7:a2:7b:40:29:b9:78:88:ba:4c:c5:a3:
        6a:5e:9e:6e:7b:e3:f2:02:41:0c:66:be:ad:fb:ae:a2:14:ce:
        92:f3:a2:34:8b:b4:b2:b6:24:f2:e5:d5:e0:c8:e5:62:6d:84:
        7b:cb:be:bb:03:8b:7c:57:ca:f0:37:a9:90:af:8a:ee:03:be:
        1d:28:9c:d9:26:76:a0:cd:c4:9d:4e:f0:ae:07:16:d5:be:af:
        57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
        8a:47
-----BEGIN CERTIFICATE-----
MIIDAjCCAmsCEDnKVIn+UCIy/jLZ2/sbhBkwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
c3MgMSBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMSBQdWJsaWMg


Re: client side certificates

2005-11-01 Thread Michael Sierchio

Raymond Popowich wrote:

> One thing that I'd like some clarification on.  Once I get this working, 
> shouldn't there be a way for me to say I only want certain client side 
> certificates to be able to connect to this web site?  Otherwise anyone 
> with a client side cert can connect.  I'm sure I'm missing an important 
> piece of information here and I just need to be pointed in the right 
> direction.

If a server supports or requires client auth, it sends a cert
request that includes what type of cert is required, and a list
of DN's of recognized certificate authorities.  If you do not
present a cert signed directly by one of these, or a certificate
chain that has a cert signed by one of these, the handshake will
fail.

See the spec:

http://wp.netscape.com/eng/ssl3
SSL 3.0 Specification


5.6.4 Certificate request

   A non-anonymous server can optionally request a certificate from
   the client, if appropriate for the selected cipher suite.

   enum {
       rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
       rsa_ephemeral_dh(5), dss_ephemeral_dh(6), fortezza_kea(20),
       (255)
   } ClientCertificateType;

   opaque DistinguishedName<1..2^16-1>;

   struct {
       ClientCertificateType certificate_types<1..2^8-1>;
       DistinguishedName certificate_authorities<3..2^16-1>;
   } CertificateRequest;

 certificate_types This field is a list of the types of
   certificates requested, sorted in order of the
   server's preference.
 certificate_authorities
   A list of the distinguished names of acceptable
   certificate authorities.

   Note:  DistinguishedName is derived from [X509].

   Note:  It is a fatal handshake_failure alert for an
  anonymous server to request client identification.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
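To make the CertificateRequest message concrete, here is an added example (my own code, not from the thread, the SSL 3.0 spec or the OpenSSL project) that encodes and parses the structure quoted above and then checks whether a client holding a certificate from a given issuer has anything to offer. The DN byte strings are constructed stand-ins for DER-encoded names, not real encodings; the function names are mine.

```python
"""Added example: SSL 3.0 CertificateRequest (section 5.6.4) encode/parse and
an "can this client answer?" check.  Not part of the original thread."""
import struct

# ClientCertificateType values from the SSL 3.0 spec section quoted above.
CLIENT_CERT_TYPES = {
    1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
    5: "rsa_ephemeral_dh", 6: "dss_ephemeral_dh", 20: "fortezza_kea",
}

# Constructed stand-ins for DER-encoded issuer names (just bytes, not real DER).
VERISIGN_CLASS1_G2 = b"C=US,O=VeriSign Inc.,OU=Class 1 Public Primary Certification Authority - G2"
GEOTRUST_CA = b"C=US,O=GeoTrust Inc.,CN=GeoTrust Example CA"


def encode_certificate_request(cert_types, ca_names):
    """Wire form: certificate_types<1..2^8-1> (one length byte, then one byte
    per type) followed by certificate_authorities<3..2^16-1> (two-byte length,
    then a sequence of DistinguishedName<1..2^16-1>, each two-byte length
    prefixed).  The spec's lower bound of 3 bytes means a server that trusts
    no CA at all cannot even form a valid request."""
    if not cert_types or len(cert_types) > 255:
        raise ValueError("certificate_types must hold 1..255 entries")
    types = bytes([len(cert_types)]) + bytes(cert_types)
    names = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    if not 3 <= len(names) <= 0xFFFF:
        raise ValueError("certificate_authorities must hold 3..65535 bytes")
    return types + struct.pack("!H", len(names)) + names


def parse_certificate_request(data):
    """Decode the wire form into (list of type names, list of DN byte strings)."""
    n_types = data[0]
    cert_types = [CLIENT_CERT_TYPES.get(t, f"unknown({t})") for t in data[1:1 + n_types]]
    pos = 1 + n_types
    (names_len,) = struct.unpack_from("!H", data, pos)
    pos += 2
    end = pos + names_len
    if end != len(data):
        raise ValueError("trailing or missing bytes in certificate_authorities")
    ca_names = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName length")
        ca_names.append(data[pos:pos + dn_len])
        pos += dn_len
    return cert_types, ca_names


def client_can_answer(request, client_issuer_dn):
    """True if the CA list the server advertises contains the issuer of the
    client's certificate.  If it does not, the browser has nothing to offer
    (the empty IE popup) and the server logs 'peer did not return a
    certificate' as in the error log earlier in the thread."""
    _, ca_names = parse_certificate_request(request)
    return client_issuer_dn in ca_names


if __name__ == "__main__":
    req = encode_certificate_request([1, 2], [VERISIGN_CLASS1_G2])
    types, cas = parse_certificate_request(req)
    print("server asks for", types, "signed by", len(cas), "CA(s)")
    print("VeriSign-issued client cert usable:", client_can_answer(req, VERISIGN_CLASS1_G2))
    print("GeoTrust-issued client cert usable:", client_can_answer(req, GEOTRUST_CA))
```

The point of the check is the one Michael makes: the server decides which issuers it will name in certificate_authorities (in Apache's case, the contents of SSLCACertificateFile/SSLCACertificatePath), and a client certificate whose issuer is not in that list never gets sent.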


Re: client side certificates

2005-11-01 Thread Jason Haar
Raymond Popowich wrote:

> I tried using both the CA cert and a cert that came with the signed
> client side certificate from Geotrust.  I also have a client side
> certificate from Verisign on another computer.  Both computers get a
> pop-up to pick a cert to use to connect from within IE, but the box is
> empty.  Below is what I added to the apache config within the
> virtualhost section for this particular web site.  If it matters this
> web site is nothing more than an HTTPS proxy to another web server
> that is not internet accessible.


If IE gives you an empty popup for choosing a cert, then either IE has
no client cert to offer, or the server is asking for certs signed by CAs
that don't include the ones the client has. (BTW it's a bug in IE - it
can do the same thing for clients without *any* certs when faced with
the SSLVerifyClient optional rule!).

So can you confirm that entering Tools-Internet
Options-Content-Certificates shows Personal certs, and that if you
View them it states there's a private key associated with that cert?
And then confirm that the CA that signed that cert is one trusted by
Apache via SSLCACertificateFile or SSLCACertificatePath (those should
point to copies of the CA public keys - not the same cert that is on the
client. I can't figure out from your mail if you've already worked that
out, so sorry if that's pointing out the bleeding obvious ;-)

> One thing that I'd like some clarification on.  Once I get this
> working, shouldn't there be a way for me to say I only want certain
> client side certificates to be able to connect to this web site? 
> Otherwise anyone with a client side cert can connect.  I'm sure I'm
> missing an important piece of information here and I just need to be
> pointed in the right direction.


That's what  SSLCACertificateFile or SSLCACertificatePath is about. You
can use that to restrict what client certs you support down to just
those signed by those CAs. To further restrict to a subselection, see
mod_ssl documentation for SSLRequire - e.g.

SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
   and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
