Certs work, one doesn't, cannot determine why

on 15.10.2010 23:49:33 by Jeff Blaine

Hi folks. I'm *really* stumped here. If anyone has any
ideas, I would love to hear them. How can I debug this
further? I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128
/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson
Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to
/apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement
expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5


ServerName rtdev1.our.org:443

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
"%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

CustomLog logs/ssl_error443_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \
%{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x \
%{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
SetHandler default



SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Certs work, one doesn't, cannot determine why

on 19.10.2010 22:35:49 by Jeff Blaine

Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL. I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

....
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request
received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by
server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128
/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E
Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O
error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The
timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL:
Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed
to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: "SUCCESS"
NOTE: "SSL negotiation finished successfully"
NOTE: /apps/rtsrv1dev/share/html and all files in it are
world-readable (644)

Browser shows "Forbidden"

IE 8
and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:
> Hi folks. I'm *really* stumped here. If anyone has any
> ideas, I would love to hear them. How can I debug this
> further? I need more information than Apache + mod_ssl
> is giving me right now.
>
> All version information and configuration detail is after
> this next paragraph.
>
> Works: SSL via my corporate cert, SSL via 3 other people's
> corporate certs
> Fails: 1 person's cert so far, yet is logged as "SUCCESS"
> when logging SSL_CLIENT_VERIFY via CustomLog
>
> Example:
>
> [15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128
> /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson
> Mary B - "GET /index.html HTTP/1.1" 295
>
> [Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to
> /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement
> expression not fulfilled (see SSL logfile for more details)
>
> Config Specifics:
>
> OS: RHELv5
> Apache: 2.2.3
> mod_ssl: 2.2.3-43.el5
>
>
> ServerName rtdev1.our.org:443
>
> ErrorLog logs/ssl_error443_log
> TransferLog logs/ssl_access443_log
> LogLevel warn
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
> SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
> SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
> SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
> SSLVerifyClient require
> SSLVerifyDepth 2
>
> SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>
>
> SSLOptions +StdEnvVars
>

>
> SSLOptions +StdEnvVars
>

>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_access443_log \
> "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
>
> CustomLog logs/ssl_error443_log \
> "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
> %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \
> %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x \
> %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
>
> DocumentRoot /apps/rtsrv1dev/share/html
> AddDefaultCharset UTF-8
> PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
> SetHandler default
>
>
>
> SetHandler perl-script
> PerlResponseHandler RT::Mason
> SSLVerifyClient require
>
> SSLRequire %{SSL_CLIENT_S_DN} in { \
> "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
> "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
> "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
> "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
> }
>

>


Re: Certs work, one doesn't, cannot determine why

on 01.11.2010 12:14:55 by Joe Orton

On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
> >Works: SSL via my corporate cert, SSL via 3 other people's
> >corporate certs
> >Fails: 1 person's cert so far, yet is logged as "SUCCESS"
> >when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of "something goes is not working" is hard to
follow or condense down. Are you saying with the below configuration,
you are seeing the SSLRequire work for all the users but that with the
jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell. Is
the order of the users within the SSLRequire list significant? Why are
you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

http://httpd.apache.org/lists.html#http-users

Regards, Joe

> >
> >SetHandler perl-script
> >PerlResponseHandler RT::Mason
> >SSLVerifyClient require
> >
> >SSLRequire %{SSL_CLIENT_S_DN} in { \
> >"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
> >"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
> >"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
> >"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
> >}
> >

> >

Re: Certs work, one doesn't, cannot determine why

on 01.11.2010 19:27:56 by Jeff Blaine

On 11/1/2010 7:14 AM, Joe Orton wrote:
> On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
>>> Works: SSL via my corporate cert, SSL via 3 other people's
>>> corporate certs
>>> Fails: 1 person's cert so far, yet is logged as "SUCCESS"
>>> when logging SSL_CLIENT_VERIFY via CustomLog
>
> Your verbose description of "something goes is not working" is hard to
> follow or condense down. Are you saying with the below configuration,
> you are seeing the SSLRequire work for all the users but that with the
> jblaine cert?

I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below). Now it almost seems somewhat random
in failure. People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it to work after all this time dead in the water.

> It could be an SSLRequire implementation bug but it is hard to tell. Is
> the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure
situation change as well? I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on
> e.g. S_DN_CN alone?

Why not? It seems like the more fully correct way to match
for security. It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe
Jeff

>>>
>>> SetHandler perl-script
>>> PerlResponseHandler RT::Mason
>>> SSLVerifyClient require
>>>
>>> SSLRequire %{SSL_CLIENT_S_DN} in { \
>>> "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>>> "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>>> "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>>> "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>>> }
>>>
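
The whole thread hinges on whether the DN mod_ssl extracts from the client certificate is byte-for-byte identical to an entry in the SSLRequire list: the `in` operator is an exact, case-sensitive string comparison, and SSL_CLIENT_VERIFY=SUCCESS only says the certificate chain validated, not that the SSLRequire expression passed. The script below is an added example, not code from the thread or from mod_ssl. It parses lines in the CustomLog format quoted in the first message, splits each SSL_CLIENT_S_DN into its components, and reports whether the DN matches an allow-list entry exactly, differs from one only in case, or shares a UID with one but differs elsewhere. The allow-list is copied from the SSLRequire block in the thread; the sample log lines are the two from the thread re-joined onto single lines (the mail client had wrapped them). Run on that input it flags the first line, whose logged `OU=People` differs in case from the configured `OU=people`.

```python
"""Audit mod_ssl client-cert log lines against an SSLRequire DN allow-list."""
import re

# Allow-list copied verbatim from the SSLRequire block quoted in the thread.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]

# Constructed sample input: the two access-log lines from the thread, each
# re-joined onto one line.  Field order follows the CustomLog format in the
# config: %t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x
# %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x ... "%r" %b
SAMPLE_LOG = """\
[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
"""

# The DN is the first field starting with "/" and may contain spaces, so it is
# matched non-greedily up to the SSL_CLIENT_VERIFY token that follows it.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<https>\S+) (?P<proto>\S+) '
    r'(?P<cipher>\S+) (?P<bits>\d+) (?P<dn>/.*?) '
    r'(?P<verify>SUCCESS|NONE|GENEROUS|FAILED\S*) .*"(?P<request>[^"]*)" '
    r'(?P<bytes>\S+)$'
)


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_dn(dn):
    """Split a oneline-format DN ("/O=x/OU=y/CN=z") into (type, value) pairs."""
    pairs = []
    for part in dn.split("/"):
        if part:
            attr_type, _, value = part.partition("=")
            pairs.append((attr_type, value))
    return pairs


def check_dn(dn, allowed):
    """Classify a logged DN against the allow-list.

    SSLRequire's "in" operator is an exact, case-sensitive string comparison,
    so only an "exact" result would satisfy the directive.  The other results
    explain why a certificate that verified fine (SSL_CLIENT_VERIFY=SUCCESS)
    is still refused by the SSLRequire expression.
    """
    if dn in allowed:
        return "exact", ""
    logged = split_dn(dn)
    logged_uid = dict(logged).get("UID")
    for cand in allowed:
        cand_parts = split_dn(cand)
        if len(cand_parts) != len(logged):
            continue
        diffs = [a[0] for a, b in zip(logged, cand_parts) if a != b]
        # Same components once case is ignored: only the case differs.
        if all(a[0].lower() == b[0].lower() and a[1].lower() == b[1].lower()
               for a, b in zip(logged, cand_parts)):
            return "case-mismatch", "differs only in case (%s) from allowed entry %s" % (
                ", ".join(diffs), cand)
        # Same UID but another component differs: a re-issued cert or a typo.
        if logged_uid and dict(cand_parts).get("UID") == logged_uid:
            return "component-mismatch", "UID %s matches %s but %s differ" % (
                logged_uid, cand, ", ".join(diffs))
    return "not-allowed", "no allow-list entry resembles this DN"


def audit(log_text, allowed):
    """Parse every line and report how its client DN fares against the allow-list."""
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            report.append({"client": None, "verify": None, "dn": None,
                           "status": "unparsed", "detail": line})
            continue
        status, detail = check_dn(rec["dn"], allowed)
        report.append({"client": rec["client"], "verify": rec["verify"],
                       "dn": rec["dn"], "status": status, "detail": detail})
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG, ALLOWED_DNS):
        print("%-15s verify=%-8s %-18s %s" % (
            r["client"], r["verify"], r["status"], r["detail"] or r["dn"]))
```

Matching on the full subject DN, as the config does, is the stricter policy, but it only works when every list entry is kept byte-for-byte in step with the certificates the CA actually issues. Running a check like this over the access log is the quickest way to see why a certificate that verified fine is still refused by SSLRequire, and it is worth repeating whenever the list is edited.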
