Client SSL authentication on Apache + mod_ssl - modssl
Client SSL authentication on Apache + mod_ssl
I am required to have our apache server using PKI client authentication
by the end of July.
I have set up a test server with the latest and greatest
Apache/2.2.2 (Unix)
mod_ssl/2.2.2
OpenSSL/0.9.7
I have set up a ssl.conf using
SSLVerifyClient require
SSLVerifyDepth 10
and populated a CA certification file and enabled
SSLCACertificateFile /usr/local/apache2/conf/dod_ca_bundle.crt
On start the logs (set to debug) show the dod_ca_bundle.crt file being
read in properly
---------------------- log output begin ---------------------
ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
ssl_engine_init.c(538): Configuring client authentication
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
-------------------------- log output end -----------------------------
However, when attempting to connect with IE nothing is returned. The
pertinent log output looks like
---------------------- log output begin ---------------------
ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#918b100 [mem: 9192780] (BIO dump follows)
:
:
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate request A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
-------------------------- log output end -----------------------------
Looks like the next line indicates a problem:
---------------------- log output begin ---------------------
ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on BIO #918b100 [mem: 9192780]
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate A
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client certificate A
[client 157.187.160.114] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
-------------------------- log output end -----------------------------
Any help with this problem would be greatly appreciated.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
-
Re: Client SSL authentication on Apache + mod_ssl
Just for reference I think I have found the answer to the above
problem.
If IE does not have a match to the list of distinguished names sent by
the server in the certificate_request, it stops and results in a broken
SSL handshake (at least this is true for my IE version and
configuration). If you are having this problem, dump your client
certificates and reload, and be sure you have the CA in the server CA
file.
Also check your Windows event log for debug messages, as IE does not
provide any error messaging.
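As an added example that is not part of the original thread: the SSLVerifyClient/SSLCACertificateFile setup in the first post and the fix in the reply reduce to one check. mod_ssl builds the acceptable-CA list it sends in the certificate_request from the subject DNs of the certificates in SSLCACertificateFile (unless SSLCADNRequestFile overrides it), and a browser whose client certificate was issued by a CA that is not on that list has nothing to offer, which is the aborted "read client certificate A" handshake shown above. The script below (written for this page, using only the openssl CLI; the CAs, the client certificate "alice", the DNs and the temporary file names are all constructed for the demonstration and are not the DoD bundle from the post) prints every subject DN in a bundle and tests whether a client certificate's issuer DN is among them.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether a client
# certificate's issuer DN is among the subject DNs in a CA bundle such as the
# one given to SSLCACertificateFile. mod_ssl sends those subject DNs as the
# acceptable-CA list in its certificate_request, so a client cert whose issuer
# is absent from the bundle is the situation the reply above describes.
# Requires only the openssl CLI. All files, names and DNs are constructed.

# Print the subject DN of every certificate in a PEM bundle, one per line,
# in RFC 2253 form so it compares exactly against an issuer printed the same way.
bundle_subjects() {
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate block.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    done
    rm -rf "$tmp"
}

# Return 0 if the issuer of certificate $1 is a subject in bundle $2, else 1.
issuer_in_bundle() {
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    bundle_subjects "$2" | grep -Fxq -- "$issuer"
}

# Build a throwaway fixture in a temp dir and print the dir: two self-signed
# CAs, a client cert issued by one of them, and a bundle that holds both CAs.
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Example Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Example Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=alice" \
        -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/alice.pem" 2>/dev/null
    cat "$d/ca.pem" "$d/other.pem" > "$d/bundle.crt"
    echo "$d"
}

# Stand-alone demonstration: the bundle that contains alice's issuer passes,
# the bundle that holds only the unrelated CA does not.
fx=$(make_fixture)
if issuer_in_bundle "$fx/alice.pem" "$fx/bundle.crt"; then
    echo "bundle.crt: issuer found, the browser has a certificate to offer"
fi
if ! issuer_in_bundle "$fx/alice.pem" "$fx/other.pem"; then
    echo "other.pem: issuer missing, expect the aborted handshake from the post"
fi
rm -rf "$fx"
```

The same list can also be read off the wire from the running server: `openssl s_client -connect host:443` prints it under "Acceptable client certificate CA names" once the server has sent its certificate request, and adding `-cert` and `-key` for the client certificate shows whether the handshake then completes, independent of whatever IE does or does not log.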