SSLVerifyClient applies to parent directory

on 26.06.2008 17:55:45 by Florian Hackenberger

Hi!

First of all: Thanks for your great software, I've used it on several
servers and it proved to be very useful.

I have a little problem with the SSLVerifyClient directive on apache
2.2.9 with mod_ssl compiled from source on debian etch. I have the
following directory layout:

/usr/local/htdocs/directory/subdirectory

and the following configuration options (besides the defaults) in
httpd.conf:

Listen 443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"



SSLVerifyClient require
SSLVerifyDepth 1


The problem is that apache denies access to:
https://MYSERVER/directory

as long as I don't present a valid client certificate.

People on freenode #apache were not able to help, therefore I'm asking
here before filing a bug report.

Thanks in advance,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLVerifyClient applies to parent directory

on 26.06.2008 18:02:04 by Gilles Cuesta

Florian Hackenberger wrote:
> Hi!
>
> First of all: Thanks for your great software, I've used it on several
> servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on apache
> 2.2.9 with mod_ssl compiled from source on debian etch. I have the
> following directory layout:
>
> /usr/local/htdocs/directory/subdirectory
>
> and the following configuration options (besides the defaults) in
> httpd.conf:
>
> Listen 443
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
>

>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>

>
>

Maybe try this:

Listen 443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"


SSLVerifyClient require
SSLVerifyDepth 1



--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres
69139920


Re: SSLVerifyClient applies to parent directory

on 26.06.2008 18:09:15 by Florian Hackenberger

On Thursday 26 June 2008, Cuesta Gilles wrote:
> Maybe try this:
>
> Listen 443
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>

>


Unfortunately it leads to the same result, but thanks for the
suggestion.

Cheers,
Florian
--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 26.06.2008 18:12:15 by Joe Orton

On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>

>
> The problem is that apache denies access to:
> https://MYSERVER/directory

It denies access for what type of request, a directory listing?

joe

Re: SSLVerifyClient applies to parent directory

on 26.06.2008 18:21:01 by Florian Hackenberger

On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Yes


--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 26.06.2008 20:27:55 by Gilles Cuesta

Florian Hackenberger wrote:
> On Thursday 26 June 2008, Cuesta Gilles wrote:
>
>> Maybe try this:
>>
>> Listen 443
>>
>> SSLEngine On
>> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>> DocumentRoot "/usr/local/htdocs"
>>
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>>

>>

>>
>
> Unfortunately it leads to the same result, but thanks for the
> suggestion.
>
Regarding mod_ssl:
"In per-server context it applies to the client authentication process
used in the standard SSL handshake when a connection is established."
"In per-directory context it forces a SSL renegotiation with the
reconfigured client verification level after the HTTP request was read
but before the HTTP response is sent."

So maybe:

Listen 443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"


SSLVerifyClient require
SSLVerifyDepth 1




Re: SSLVerifyClient applies to parent directory

on 27.06.2008 08:40:43 by Florian Hackenberger

On Thursday 26 June 2008, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but getting the directory listing fails. Would
that be a result of apache trying to access the protected directory in
order to read attributes for the listing, causing the certificate
verification to kick in?

Cheers,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 09:23:20 by Gilles Cuesta

Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
>
>> On Thursday 26 June 2008, Joe Orton wrote:
>> It denies access for what type of request, a directory listing?
>>
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?
>

It's more an apache specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.

--
Many men have searched the world over for Pandora's box; meanwhile Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres
69139920

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 09:27:19 by Florian Hackenberger

On Friday 27 June 2008, Cuesta Gilles wrote:
> It's more an apache specific question; try setting
> Options +Indexes
> in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a
listing as soon as I remove 'SSLVerifyClient require'.

Cheers,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 10:25:16 by Gilles Cuesta

Florian Hackenberger wrote:
> On Friday 27 June 2008, Cuesta Gilles wrote:
>
>> It's more an apache specific question; try setting
>> Options +Indexes
>> in your vhost, allowing directory listing.
>>
> Thanks, but that is certainly not the problem, as apache creates a
> listing as soon as I remove 'SSLVerifyClient require'.
>
> Cheers,
> Florian
>
>
That seems to indicate that it's already activated.

For your issue, two questions:
- is a VerifyDepth 1 enough for verification chaining?
- No default VerifyClient by default for VirtualHost
Try adding:

SSLVerifyClient none

or


SSLVerifyClient none


Listen 443

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot "/usr/local/htdocs"

SSLVerifyClient none


SSLVerifyClient require
SSLVerifyDepth 1



--
Chuck Norris understands Lassie and Flipper the dolphin. In fact, he is the one who translated every single episode!
Gilles CUESTA - Logiciels Libres
69139920

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 10:33:01 by Florian Hackenberger

On Friday 27 June 2008, Cuesta Gilles wrote:
> For your issue, two questions:
> - is a VerifyDepth 1 enough for verification chaining?
It is, however that is not relevant for the problem, because apache
should not request a client certificate in the first place.

> - No default VerifyClient by default for VirtualHost
> Try adding:


I tried your suggestion, but it does not help unfortunately.

Cheers,
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 10:36:20 by Joe Orton

On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?

Yup. Changing the "SSLVerifyClient require" to:

SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

might work around it; you'll still get a client cert request for the
subrequest, but it should end in a 403 rather than terminating the SSL
connection. (That will cause the protected directory to disappear from
the directory listing, unless you use "IndexOptions ShowForbidden")

Test this carefully though!

joe
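The layout Florian describes and the workaround from this reply, assembled into one complete vhost as an added example (not a configuration posted in the thread). The `<VirtualHost>` and `<Directory>` containers and the SSLCACertificateFile path are assumptions; the other paths are the ones from the original post.

```apache
# Added example, not from the thread. Containers and the CA file path are assumed.
Listen 443

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile   /etc/apache2/ssl/acoveo.com.pem
    # CA that issued the client certificates (the thread mentions CAcert);
    # the file path is an assumption.
    SSLCACertificateFile /etc/apache2/ssl/cacert-root.pem
    DocumentRoot "/usr/local/htdocs"

    # Original per-directory setting, kept here only for comparison.
    # The autoindex subrequest for /directory/ enters this container,
    # mod_ssl renegotiates with "require", and a client without a
    # certificate gets the whole TLS connection terminated, so the
    # listing of the *parent* directory fails as well.
    #<Directory /usr/local/htdocs/directory/subdirectory>
    #    SSLVerifyClient require
    #    SSLVerifyDepth  1
    #</Directory>

    # Workaround: renegotiate with "optional" so the handshake completes
    # without a client certificate, then let SSLRequire reject the
    # request with a 403 instead of a fatal TLS alert. A client that
    # sends no certificate has SSL_CLIENT_VERIFY set to NONE, a failed
    # chain yields FAILED:..., and only a verified chain yields SUCCESS.
    <Directory /usr/local/htdocs/directory/subdirectory>
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>

    # The 403 on the subrequest makes mod_autoindex hide the protected
    # subdirectory from the parent's listing; ShowForbidden lists the
    # name anyway (it still cannot be opened without a certificate).
    <Directory /usr/local/htdocs/directory>
        Options +Indexes
        IndexOptions ShowForbidden
    </Directory>
</VirtualHost>
```

After reloading, a request for /directory/ without a certificate should return the listing, while /directory/subdirectory/ should return 403 rather than a handshake_failure alert; check both with and without a certificate before relying on it.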


Re: SSLVerifyClient applies to parent directory

on 27.06.2008 10:51:01 by Florian Hackenberger

On Friday 27 June 2008, Joe Orton wrote:
> Yup. Changing the "SSLVerifyClient require" to:
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue
solved.

I have another question: Has anyone successfully established a
connection to an apache/mod_ssl server with client authentication using
a java client? My client (code below) generates the following log
(exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
.... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data: { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
    at java.net.URL.openStream(URL.java:1009)
    at URLClient.main(URLClient.java:17)


The server logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?

Has someone experience with java client verification or can someone
formulate an educated guess what the problem could be? I have the
cacert root certificate imported at the server side
(SSLCACertificateFile), as well as the client side (within the trust
store). The server, as well as the client certificate are issued by
cacert. The server certificate is specified using SSLCertificateFile
within the VirtualHost and the client certificate is stored within the
key store. I can establish an https connection to the same host without
client authentication, which leads to the assumption that the server
certificate can be verified by the java client.
I have tried to find answers to the problem using google, but none were
useful for the problem at hand.

Cheers,
Florian



--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at

Re: SSLVerifyClient applies to parent directory

on 27.06.2008 11:21:12 by Florian Hackenberger

On Friday 27 June 2008, Florian Hackenberger wrote:
> I have another question: Has anyone successfully established a
> connection to an apache/mod_ssl server with client authentication
> using a java client? My client (code below) generates the following
> log (exception at the end) upon execution:

Sorry, please scrap my posting. I made an embarrassing mistake: Instead
of exporting the client certificate including the public/private
keypair from the browser and importing that into the keystore, I
imported the certificate only, without the public/private keypair...

Thanks for your help once again!
Florian

--
DI Florian Hackenberger
florian@hackenberger.at
www.hackenberger.at