Client SSL authentication on Apache + mod_ssl
On 01.07.2006 02:05:51 by modssl

I am required to have our Apache server using PKI client authentication
by the end of July.
I have set up a test server with the latest and greatest
Apache/2.2.2 (Unix)
mod_ssl/2.2.2
OpenSSL/0.9.7
I have set up an ssl.conf using
SSLVerifyClient require
SSLVerifyDepth 10
and populated a CA certification file and enabled
SSLCACertificateFile /usr/local/apache2/conf/dod_ca_bundle.crt
On start the logs (set to debug) show the dod_ca_bundle.crt file being
read in properly
---------------------- log output begin ---------------------
ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2,
SSLv3, TLSv1)
ssl_engine_init.c(538): Configuring client authentication
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
ssl_engine_init.c(601): Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
-------------------------- log output end -----------------------------
However, when attempting to connect with IE nothing is returned. The
pertinent log output looks like
---------------------- log output begin ---------------------
ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#918b100 [mem:
9192780] (BIO dump follows)
:
:
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate
request A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
-------------------------- log output end -----------------------------
Looks like the next line indicates a problem:
---------------------- log output begin ---------------------
ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on
BIO #918b100 [mem: 9192780]
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
certificate A
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
certificate A
[client 157.187.160.114] (70014)End of file found: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
-------------------------- log output end -----------------------------
Any help with this problem would be greatly appreciated.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
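The EOF in the post arrives right after "write certificate request": the client closed the connection instead of answering the CertificateRequest. Before chasing the browser, it is worth checking the server side of that exchange, because mod_ssl advertises exactly the subjects it logged from SSLCACertificateFile, and a client holding a certificate that does not chain to one of those names has nothing to present. The script below is an added example, not code from the post or from mod_ssl: it builds a throwaway PKI with the same shape as the DoD one in the post (root CA, intermediate CA-10, user certificate issued by CA-10), lists the CA subjects a candidate bundle contains the way mod_ssl does at startup, and runs `openssl verify` against two bundles, one with only the root and one with root plus intermediate. All names, the work directory and the two bundle files are assumptions made for illustration; only a standard `openssl` binary is needed.

```shell
#!/bin/sh
# Added example (not from the original post or from mod_ssl). Builds a test PKI
# shaped like the DoD one in the post and checks which SSLCACertificateFile
# bundle can actually verify the user's certificate. Names are illustrative.
set -eu

WORK=${WORK:-$(mktemp -d)}   # assumption: a scratch directory we may write to

# Sign a CSR with the given CA; CA:TRUE for an intermediate, CA:FALSE for a user cert.
sign_cert() { # sign_cert <csr> <ca.crt> <ca.key> <out.crt> <TRUE|FALSE>
    printf 'basicConstraints=critical,CA:%s\n' "$5" > "$WORK/ext.cnf"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -sha256 \
        -days 365 -extfile "$WORK/ext.cnf" -out "$4" >/dev/null 2>&1
}

# Create root.crt -> ca10.crt -> user.crt plus two candidate CA bundles.
build_pki() {
    (
    cd "$WORK"
    # Self-signed root, explicitly marked CA:TRUE so verification does not
    # depend on whatever openssl.cnf defaults are installed.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.csr \
        -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\n' > ext.cnf
    openssl x509 -req -in root.csr -signkey root.key -sha256 -days 365 \
        -extfile ext.cnf -out root.crt >/dev/null 2>&1
    # Intermediate CA-10, the CA that actually issues user certificates.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout ca10.key -out ca10.csr \
        -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10" >/dev/null 2>&1
    sign_cert ca10.csr root.crt root.key ca10.crt TRUE
    # A user certificate as the browser would present it (hypothetical subject).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout user.key -out user.csr \
        -subj "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.1234567890" >/dev/null 2>&1
    sign_cert user.csr ca10.crt ca10.key user.crt FALSE
    # Two candidate SSLCACertificateFile contents (assumed file names):
    cat root.crt          > bundle_root_only.crt   # root only: issuing CA missing
    cat root.crt ca10.crt > bundle_full.crt        # root + CA-10, as logged in the post
    )
}

# Print the CA subjects in a bundle: these are the names mod_ssl logs at startup
# and advertises to the client in the CertificateRequest.
bundle_subjects() { # bundle_subjects <bundle.crt>
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

bundle_cert_count() { # bundle_cert_count <bundle.crt>
    bundle_subjects "$1" | wc -l | tr -d ' '
}

# Verify the user cert against a bundle the way mod_ssl will at handshake time.
check_client_cert() { # check_client_cert <bundle.crt> <user.crt>  -> prints OK or FAIL
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_pki
for b in bundle_root_only.crt bundle_full.crt; do
    echo "== $b: $(bundle_cert_count "$WORK/$b") CA cert(s)"
    bundle_subjects "$WORK/$b"
    echo "user.crt verifies: $(check_client_cert "$WORK/$b" "$WORK/user.crt")"
done
```

The root-only bundle fails with "unable to get local issuer certificate", which is the server-side view of a client that has nothing chaining to the advertised names; the bundle with both CAs verifies. Against the real server, `openssl s_client -connect host:443 -cert user.crt -key user.key` reproduces the same handshake outside the browser and prints the "Acceptable client certificate CA names" the server sent, which should match the two subjects mod_ssl logged at startup.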