SSL client authentication
on 11.06.2005 10:34:09 by Harry Knitter
I'm trying to set up a system where the client authentication for a special directory should be done via client certificates. I have set up a CA (using OpenSSL) and the corresponding certificate and key files for the CA, the server and a client.
The client browser (Mozilla Firefox) has all certificates necessary.
My vhost-ssl.conf (based on the standard template file) contains the following directory entry:
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLOptions +FakeBasicAuth
SSLCACertificateFile /etc/apache2/ssl.crt/ca.crt
SSLCipherSuite HIGH:MEDIUM
SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organisation" \
           and %{SSL_CLIENT_S_DN_OU} eq "My Department"
However, the browser cannot access the directory. The client keeps waiting for my server until the server times out.
Apache's error.log (level=info) shows:
Creating new config (0x5cbfc8) for (null)
[Thu Jun 09 17:28:45 2005] [info] Init: Initializing OpenSSL library
[Thu Jun 09 17:28:45 2005] [info] Init: Seeding PRNG with 144 bytes of entropy
[Thu Jun 09 17:28:45 2005] [info] Loading certificate & private key of SSL-aware server
[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Thu Jun 09 17:28:45 2005] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Thu Jun 09 17:28:45 2005] [info] Shared memory session cache initialised
[Thu Jun 09 17:28:45 2005] [info] Init: Initializing (virtual) servers for SSL
[Thu Jun 09 17:28:45 2005] [info] Configuring server for SSL protocol
[Thu Jun 09 17:28:45 2005] [info] Server: Apache/2.0.53, Interface: mod_ssl/2.0.53, Library: OpenSSL/0.9.7e
[Thu Jun 09 17:28:46 2005] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Thu Jun 09 17:28:46 2005] [info] Server built: Mar 19 2005 22:42:07
[Thu Jun 09 17:33:46 2005] [info] Connection to child 0 established (server www.myserver.com:443, client 192.168.0.253)
[Thu Jun 09 17:33:46 2005] [info] Seeding PRNG with 144 bytes of entropy
[Thu Jun 09 17:33:46 2005] [info] Initial (No.1) HTTPS request received for child 0 (server www.myserver.com:443)
[Thu Jun 09 17:33:46 2005] [info] Requesting connection re-negotiation
[Thu Jun 09 17:33:46 2005] [info] Awaiting re-negotiation handshake
[Thu Jun 09 17:38:46 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
The other directories of the server can be accessed with SSL without any problems.
Also the SSLRequireSSL directive doesn't work as expected. I can still access that directory without using SSL.
What's wrong?
(I'm using a version 2.0.53 apache (mod_ssl builtin) on a SuSE 9.3 64-bit system)
Thanks for any helpful hint
Harry
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: SSL client authentication
on 13.06.2005 09:44:41 by Harry Knitter
On Saturday, 11 June 2005 10:34, Harry Knitter wrote:
> [...]
I've found the solution!
As being always a little paranoid I had created certificates and keys with a 4096 bit length. This was too much.
After creating new certificates and keys with 2048 bit length, almost everything works fine.
The only problem remaining is that ordinary http-access to my directory is still possible, even if SSLRequireSSL is set.
How can I solve this?
Harry
Re: SSL client authentication
on 13.06.2005 09:49:45 by Charles-Edouard Ruault
Harry Knitter wrote:
> I've found the solution!
> As being always a little paranoid I had created certificates and keys with a 4096 bit length. This was too much.
> After creating new certificates and keys with 2048 bit length, almost everything works fine.
> The only problem remaining is that ordinary http-access to my directory is still possible, even if SSLRequireSSL is set.
> How can I solve this?
Well, to prevent access over HTTP you should place a deny directive in the HTTP-related part of your config file:
deny from all
--
Charles-Edouard Ruault
Idtect SA
115 rue Reaumur - 75002, Paris, France
Tel: +33-1-55-34-76-65
Fax: +33-1-55-34-76-75
Web: http://www.idtect.com
GPG key Id C97EDD59
Re: SSL client authentication
on 13.06.2005 10:09:05 by Harry Knitter
On Monday, 13 June 2005 09:49, Charles-Edouard Ruault wrote:
> Well, to prevent access over HTTP you should place a deny directive in the
> HTTP-related part of your config file:
>
> deny from all
I think this will be the only solution. However, the documentation says:
This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for
the current connection. This is very handy inside the SSL-enabled virtual
host or directories for defending against configuration errors that expose
stuff that should be protected. When this directive is present all requests
are denied which are not using SSL.
Therefore I believed it would work without any "deny from" entry.
Regards
Harry
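As an added example (not the poster's config nor anything from the thread): a directory block in vhost-ssl.conf only governs requests that the :443 virtual host serves, so a plain-HTTP virtual host serving the same DocumentRoot has to close the path itself, which is what the "deny from all" advice above does. Hostnames, file paths and the Apache 2.0-style access-control syntax are assumed to match the Apache 2.0.53 setup in the thread.

```apache
# Added example, not the poster's config. Hostnames, paths and DN values are
# assumed; syntax follows Apache 2.0 (the version in the thread).

# Plain-HTTP virtual host. Nothing in vhost-ssl.conf applies to requests
# that arrive here, so the protected path has to be closed explicitly.
<VirtualHost *:80>
    ServerName www.myserver.com
    DocumentRoot /srv/www/htdocs

    <Directory /srv/www/htdocs/secure>
        Order deny,allow
        Deny from all
    </Directory>
    # Alternative to answering 403: send browsers to the SSL virtual host.
    # Redirect permanent /secure https://www.myserver.com/secure
</VirtualHost>

# SSL virtual host: client-certificate authentication for the same path.
<VirtualHost *:443>
    ServerName www.myserver.com
    DocumentRoot /srv/www/htdocs
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCACertificateFile  /etc/apache2/ssl.crt/ca.crt
    SSLCipherSuite        HIGH:MEDIUM

    <Directory /srv/www/htdocs/secure>
        # Only evaluated for requests this vhost handles; it cannot
        # protect the :80 vhost above, which never sees it.
        SSLRequireSSL
        SSLVerifyClient require
        # Depth 1: the client cert must be signed directly by a CA in
        # ca.crt (no intermediate CAs accepted).
        SSLVerifyDepth 1
        # StrictRequire: a failed SSLRequire/SSLRequireSSL check denies
        # access even where "Satisfy Any" would let a host rule through.
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "My Organisation" \
               and %{SSL_CLIENT_S_DN_OU} eq "My Department"
    </Directory>
</VirtualHost>
```

After changing the config, request the path once over plain http:// and once over https:// without a client certificate; the first should get 403 (or the redirect) and the second should fail the handshake or get 403, otherwise one of the two vhosts still exposes the directory.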