SSLVerifyClient require per directory context


on 19.01.2010 23:53:21 by Aaron

I'm trying to go through the most basic tutorials on mod_ssl and I'm
having a problem trying to get my server to issue a certificate request
for a particular URL. I'm listing my Apache and OpenSSL version
information.

# httpd -v
Server version: Apache/2.2.14 (Unix)
Server built: Dec 3 2009 10:25:53

# openssl version
OpenSSL 1.0.0-fips-beta4 10 Nov 2009

I've followed the steps of this tutorial:

http://www.vanemery.com/Linux/Apache/apache-SSL.html

I've also tried to follow the SSL HowTo on the Apache site:

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

I'll try to get at the heart of the issue. If I have the following in my
ssl.conf file in the VirtualHost section

SSLVerifyClient require
SSLVerifyDepth 1

then everything works as expected. I have the client certificate
installed in my client web browser, and when I click on the link to my
https server, which is https://myserver, then it prompts me to get the
certificate of the server and confirm a security exception, and also
prompts me with a user identification request, at which point I can choose
a certificate to identify the client to my server. I see my index.html
page, which has a link to the directory https://myserver/Certneeded. I
can click on this directory and see a list of the files in that directory.

However, if I change my ssl.conf in an attempt to "force clients to
authenticate using certificates for a particular URL, but still allow
arbitrary clients to access the rest of the server", as per the Apache
HowTo, then I never get prompted for this "user identification request" to
which I can identify my client web browser to the server.

In this case, my ssl.conf file changes to the following.

SSLVerifyClient none

Options Indexes
SSLVerifyClient require
SSLVerifyDepth 1


Now, when I click on the link to https://myserver/Certneeded, the client
browser just hangs until a timeout is reached, I'm never prompted to
present a certificate for identification, and the contents of the
directory are not listed.

In Wireshark, I see a client hello, followed by a server hello, followed
by a change cipher spec, presumably because I was never prompted for an
identification certificate by the server within a set time.

In the "good" case, when my "SSLVerifyClient require" statement is in the
VirtualHost section of the ssl.conf file, in Wireshark, I see a client
hello, followed by a server hello, followed by a "certificate, server key
exchange, certificate request", which seems to be where the window pops up
in my client prompting me with a user identification request.

In trying to debug this, I noticed that if I do a hack and revert back to
an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that
both configurations (per-server and per-directory contexts) work as
expected. What might be wrong here?

Aaron


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLVerifyClient require per directory context

on 20.01.2010 07:12:29 by Jean-Christophe Baptiste


Hello,

I faced the same issue.
Actually, client authentication has been disabled on recent versions. It
has nothing to do with your configuration.

See (on my blog):
http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
and then :
http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html

Regards,

-- 
Jean-Christophe Baptiste


On Tuesday, 19 January 2010 at 16:53 -0600, aaron@cs.wisc.edu wrote:


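Added example, not code from the thread or from mod_ssl: a small Python parser over a server's TLS 1.0 handshake flight, the same records the poster was reading in Wireshark. It reports whether a CertificateRequest was sent and whether the ServerHello carries the renegotiation_info extension defined by RFC 5746, the updated RFC the reply links to; a per-directory SSLVerifyClient forces a mid-connection renegotiation, which OpenSSL's fix for CVE-2009-3555 refused outright until that extension existed. Both sample flights are constructed inline, not captured traffic.

```python
import struct

HANDSHAKE, CCS, RENEG_INFO = 22, 20, 0xFF01  # RFC 5746 renegotiation_info extension
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}
def server_hello_has_reneg_info(body):
    """True if a ServerHello body (handshake header stripped) carries renegotiation_info."""
    i = 2 + 32                       # protocol version + random
    i = i + 1 + body[i] + 2 + 1      # session id, cipher suite, compression method
    if i >= len(body):               # no extensions block at all (pre-RFC 5746 server)
        return False
    end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    while i < end:
        etype, elen = struct.unpack("!HH", body[i:i + 4])
        if etype == RENEG_INFO:
            return True
        i += 4 + elen
    return False

def analyze(data):
    """List the server's handshake messages; flag CertificateRequest and secure renegotiation."""
    seen, reneg, ccs, i = [], False, False, 0
    while i < len(data):                                  # record layer
        ctype, _ver, rlen = struct.unpack("!BHH", data[i:i + 5])
        payload, i = data[i + 5:i + 5 + rlen], i + 5 + rlen
        ccs = ccs or ctype == CCS
        j = 0
        while ctype == HANDSHAKE and j < len(payload):    # one record may hold several messages
            htype, hlen = payload[j], int.from_bytes(payload[j + 1:j + 4], "big")
            body = payload[j + 4:j + 4 + hlen]
            seen.append(HS_NAMES.get(htype, str(htype)))
            if htype == 2:
                reneg = server_hello_has_reneg_info(body)
            j += 4 + hlen
    return {"messages": seen, "cert_request": "CertificateRequest" in seen,
            "secure_renegotiation": reneg, "change_cipher_spec": ccs}
# Constructed sample flights (not captured traffic) mirroring the two Wireshark
# observations in the thread: full certificate request vs. ServerHello then ChangeCipherSpec.
def hs(t, body): return bytes([t]) + len(body).to_bytes(3, "big") + body
def rec(t, payload): return bytes([t, 3, 1]) + len(payload).to_bytes(2, "big") + payload
def server_hello(reneg_ext):
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if reneg_ext:  # empty renegotiated_connection, as on an initial handshake
        body += b"\x00\x05" + struct.pack("!HH", RENEG_INFO, 1) + b"\x00"
    return hs(2, body)
GOOD_FLIGHT = rec(HANDSHAKE, server_hello(True) + hs(11, b"\x00\x00\x00")
                  + hs(13, b"\x01\x01\x00\x00") + hs(14, b""))
BROKEN_FLIGHT = rec(HANDSHAKE, server_hello(False)) + rec(CCS, b"\x01")
```

Feed `analyze()` the server-to-client bytes of a real handshake (for instance exported from Wireshark) to check whether the "good" flight with a CertificateRequest and a ServerHello advertising secure renegotiation is actually on the wire.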

Re: SSLVerifyClient require per directory context

on 20.01.2010 17:30:58 by Aaron

Thanks so much for your tip. Now I have a much better understanding of
the problem.

Aaron


