Client SSL authentication on Apache + mod_ssl - modssl

Thread: Client SSL authentication on Apache + mod_ssl

  1. Client SSL authentication on Apache + mod_ssl

    I am required to have our apache server using PKI client authentication
    by the end of July.

    I have set up a test server with the latest and greatest

    Apache/2.2.2 (Unix)
    mod_ssl/2.2.2
    OpenSSL/0.9.7

    I have set up a ssl.conf using

    SSLVerifyClient require
    SSLVerifyDepth 10

    and populated a CA certification file and enabled

    SSLCACertificateFile /usr/local/apache2/conf/dod_ca_bundle.crt

    On start the logs (set to debug) show the dod_ca_bundle.crt file being
    read in properly

    ---------------------- log output begin ---------------------
    ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2,
    SSLv3, TLSv1)
    ssl_engine_init.c(538): Configuring client authentication
    ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
    Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10
    ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
    Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
    ssl_engine_init.c(601): Configuring permitted SSL ciphers
    [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
    -------------------------- log output end -----------------------------

    However, when attempting to connect with IE nothing is returned. The
    pertinent log output looks like

    ---------------------- log output begin ---------------------
    ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
    ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
    ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#918b100 [mem:
    9192780] (BIO dump follows)
    :
    :
    ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
    ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
    ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
    ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate
    request A
    ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
    -------------------------- log output end -----------------------------

    Looks like the next line indicates a problem:

    ---------------------- log output begin ---------------------
    ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on
    BIO #918b100 [mem: 9192780]
    ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
    certificate A
    ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
    certificate A
    [client 157.187.160.114] (70014)End of file found: SSL handshake
    interrupted by system [Hint: Stop button pressed in browser?!]
    -------------------------- log output end -----------------------------

    Any help with this problem would be greatly appreciated.
    ____________________________________________________________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org

  2. Re: Client SSL authentication on Apache + mod_ssl

    Just for reference I think I have found the answer to the above
    problem.

    If IE does not have a match to the list of distinguished names sent by
    the server in the certificate_request it stops and results in a broken
    ssl handshake (at least this is true for my IE version and
    configuration). If you are having this problem dump your client
    certificates and reload and be sure you have the CA in the server CA
    file.

    Also check your windows event log for debug messages as IE does not
    provide any error messaging.
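
The mechanism behind the two posts above, as an added example that is not part of the thread and not mod_ssl or OpenSSL code: the server turns the subject names of every certificate in SSLCACertificateFile into the certificate_authorities list of the TLS 1.0 CertificateRequest message (RFC 2246 section 7.4.4, each DN a DER-encoded Name with a two-byte length prefix), and the client decides whether any of its certificates chains up to one of those names. The code below encodes and parses that message with a minimal DER Name codec and models the client-side selection. Assumptions: UTF8String attribute values, one attribute per RDN, no "/" inside values; the DNs are constructed test data modelled on the ones in the poster's log, not real DoD certificates; the (subject, issuer) pairs stand in for parsed certificates.

```python
# Added example (not from the thread, mod_ssl or OpenSSL): build and parse the
# TLS 1.0 CertificateRequest DN list from a CA bundle and match a client cert.
# DNs below are constructed test data modelled on the thread's log, not real certs.

OID_BY_SHORT = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
SHORT_BY_OID = {oid: short for short, oid in OID_BY_SHORT.items()}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bit, most significant group first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def encode_name(oneline):
    """OpenSSL one-line DN ("/C=US/O=...") -> DER Name (assumes no '/' in values)."""
    rdns = []
    for part in oneline.strip("/").split("/"):
        attr, value = part.split("=", 1)
        ava = der(0x30, encode_oid(OID_BY_SHORT[attr]) + der(0x0C, value.encode()))
        rdns.append(der(0x31, ava))  # SET OF AttributeTypeAndValue
    return der(0x30, b"".join(rdns))  # SEQUENCE OF RelativeDistinguishedName


def read_tlv(buf, pos):
    """Return (tag, content, position after the TLV); handles long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der_name):
    """DER Name -> one-line form, the way mod_ssl logs 'CA certificate: /C=US/...'."""
    _, seq, _ = read_tlv(der_name, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)  # SET
        _, ava, _ = read_tlv(rdn, 0)  # SEQUENCE { type, value }
        _, oid, after_oid = read_tlv(ava, 0)
        _, value, _ = read_tlv(ava, after_oid)
        dotted = decode_oid(oid)
        parts.append(f"{SHORT_BY_OID.get(dotted, dotted)}={value.decode()}")
    return "/" + "/".join(parts)


def build_certificate_request(ca_subjects):
    """Server side: certificate_types, then certificate_authorities (2-byte lengths)."""
    cert_types = bytes([1, 2])  # rsa_sign, dss_sign
    names = b"".join(len(n).to_bytes(2, "big") + n for n in map(encode_name, ca_subjects))
    return bytes([len(cert_types)]) + cert_types + len(names).to_bytes(2, "big") + names


def parse_certificate_request(msg):
    """Client side: the acceptable CA names as one-line DNs."""
    pos = 1 + msg[0]  # skip certificate_types
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos, names = pos + 2, []
    while pos < end:
        n = int.from_bytes(msg[pos:pos + 2], "big")
        names.append(decode_name(msg[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names


def select_client_cert(acceptable, client_certs, local_store):
    """First client cert whose issuer chain reaches an acceptable name, else None.
    Both inputs are (subject, issuer) pairs; local_store holds the intermediates and
    roots the client can chain through. None is the case where IE simply gives up."""
    issuer_of = dict(local_store)
    for subject, issuer in client_certs:
        name, seen = issuer, set()
        while name is not None and name not in seen:
            if name in acceptable:
                return subject
            seen.add(name)
            name = issuer_of.get(name)
    return None


def simulate_certificate_request(ca_bundle_subjects, client_certs, local_store):
    """Round trip: server builds the message from its CA bundle, client parses and selects."""
    acceptable = parse_certificate_request(build_certificate_request(ca_bundle_subjects))
    return acceptable, select_client_cert(acceptable, client_certs, local_store)


# Constructed sample DNs modelled on the thread's log output.
ROOT = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA"
CA10 = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10"
USER = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=Test Client"

if __name__ == "__main__":
    # Bundle lists CA-10 and the root: the CA-10-issued client cert matches directly.
    print(simulate_certificate_request([CA10, ROOT], [(USER, CA10)], [(CA10, ROOT)]))
    # Bundle lists only the root and the client lacks the CA-10 intermediate: nothing
    # to offer, which is where the server sees EOF in "read client certificate A".
    print(simulate_certificate_request([ROOT], [(USER, CA10)], []))
```

Two practitioner notes that follow from this: in mod_ssl 2.2 the DN list defaults to the subjects in SSLCACertificateFile/SSLCACertificatePath, and SSLCADNRequestFile/SSLCADNRequestPath let you send a different list from the set used for verification, so a bundle that verifies correctly can still advertise names the browser cannot match. To see exactly what a server sends, `openssl s_client -connect host:443` prints the list under "Acceptable client certificate CA names" after the handshake.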

