Am I using SSLCACertificateFile as intended?

Hi all --

I'm having some trouble configuring Apache/mod_ssl to do what I want.=20
Perhaps I have some misconceptions that need dispelled. Any help would b=
e
grealy appreciated.

OVERVIEW/GOAL:
I'm retrofitting some Apache servers to require client certificates. Not=
e
that these servers have certificates that are (temporarily) self-signed.=20
Our organization already has a PKI consisting of a self-signed RootCA and
two IssuingCAs. My goal here is to configure my Apache server to require
user certificates issued by IssuingCA2, and to refuse access to all
others.

Server version: Apache/2.2.3
Server built: Aug 10 2006 17:29:16
OpenSSL 0.9.8b 04 May 2006

THE PROBLEM:
The problem is that I've found only one configuration that will allow a
client to successfully load a page, and in this case, it will also allow
the use of user certificates issued by the other IssuingCA. I find this
baffling, since I haven't told Apache anything about this particular
IssuingCA.

I believe that my problems are centering around the SSLCACertificateFile
directive. See below for my SSL (scrubbed) conf file.

CASE 1:
If I use this invocation, Apache allows certificates from any issuing CA
that has been signed by our Root CA. Note that certchain.cer is a
concatenation of the PEM-encoded certificates for IssuingCA2 and the
RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
next two cases).
SSLCACertificateFile conf/ssl/certchain.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root C=
A
[Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 0, subject: /CN=3D[SNIP], issuer: [SNIP]Issuing CA 1

CASE 2:
If I use this invocation, Apache will run but will complain (whenever the
protected page is loaded) that it can't find the local issuer certificate=
..
I've tried setting SSLVerifyDepth to 1, but this didn't help anything.=20
The only good thing about this case is that the list of certificates
presented by the remote browser to the user only includes those directly
issued by IssuingCA2.
SSLCACertificateFile conf/ssl/IssuingCA2.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate
Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root C=
A
[Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20):
unable to get local issuer certificate

CASE 3:
If I use this invocation, Apache won't even run. Note that the content o=
f
RootCA.cer is exactly the same content that makes up an essential part of
certchain.cer (see above). AFAIK, this certificate should have format an=
d
content readily useable by Apache. The only special thing about it, is
that it is a self-signed certificate (does that make a difference?)
SSLCACertificateFile conf/ssl/RootCA.cer

Here is the logfile exerpt for this case:

[Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of
SSL-aware server
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted
RSA private key - pass phrase not required
[Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new
SSL context (protocols: SSLv2, TLSv1)
[Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring
client authentication
[Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations
for client authentication
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533
error:02001005:system library:fopen:Input/output error
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378
error:2006D002:BIO routines:BIO_new_file:system lib
[Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050
error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
lib

HELP:
My expectation here was that I would need to provide the certificate chai=
n
(issuing and root CA) required to authenticate the user certificate, and
that a user certificate issued by any other IssuingCA would fail because =
I
haven't given Apache the IssuingCA's certificate.

Instead, it seems like the server has gained access to the IssuingCA1
certificate (does it do this directly, or does the client send it?), and
is validating that certificate against the RootCA. This seems to happen
when I provided the RootCA in the SSLCACertificateFile, which (as I
understand it) gets sent to the remote client so that it can filter its
list of applicable user certificates.

So, I'm looking for is a way to configure Apache to:
1. Instruct the remote browser to limit the applicable user certificates
to only those issued by IssuingCA2,
2. Avoid the "unable to get local issuer certificate" error
3. Never accept a user certificate issued by IssuingCA1

Could someone please tell me where I've gone wrong, and/or how to achieve
these goals?



CONFIGURATION:
Here's my SSL conf file. It's loaded from httpd.conf:


DocumentRoot [SNIP]
ServerName [SNIP]:443
ServerAdmin [SNIP]
CustomLog virtualhosts/secure/logs/access.log common
ErrorLog virtualhosts/secure/logs/error.log
TransferLog virtualhosts/secure/logs/access.log
LogLevel debug


SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL
SSLCertificateFile conf/ssl/[SNIP].crt
SSLCertificateKeyFile conf/ssl/[SNIP].key
SSLCACertificateFile conf/ssl/certchain.cer
SSLVerifyDepth 10

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog virtualhosts/secure/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Prevent clients from using SSLv3
SSLProtocol all -SSLv3


DocumentRoot [SNIP]/virtualhosts/secure/htdocs

Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all



Options FollowSymLinks
AllowOverride None

Order allow,deny
Allow from all



# Per-directory configuration for SSL
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >=3D 128
SSLVerifyClient require



AllowOverride None
Options None
Order allow,deny
Allow from all





____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

SOLVED: Am I using SSLCACertificateFile as intended?

I don't know why I didn't find this in the dozens of Google searches that
I did *before* I posted my question, but these seem to be what I'm looking
for:

SSLCADNRequestFile / SSLCADNRequestPath

http://httpd.apache.org/docs/trunk/mod/mod_ssl.xml#sslcadnre questfile

http://issues.apache.org/bugzilla/show_bug.cgi?id=32848


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Am I using SSLCACertificateFile as intended?

I think all you need to do is tighten up your SSLRequire rules.

Something like this (all on one line, omitting the backslash at line-end):

SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 \
and %{SSL_CLIENT_I_DN} eq "IssuingCA2"

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23


Omar

dpmott@sep.com wrote:
> Hi all --
>
> I'm having some trouble configuring Apache/mod_ssl to do what I want.
> Perhaps I have some misconceptions that need dispelled. Any help would be
> grealy appreciated.
>
> OVERVIEW/GOAL:
> I'm retrofitting some Apache servers to require client certificates. Note
> that these servers have certificates that are (temporarily) self-signed.
> Our organization already has a PKI consisting of a self-signed RootCA and
> two IssuingCAs. My goal here is to configure my Apache server to require
> user certificates issued by IssuingCA2, and to refuse access to all
> others.
>
> Server version: Apache/2.2.3
> Server built: Aug 10 2006 17:29:16
> OpenSSL 0.9.8b 04 May 2006
>
> THE PROBLEM:
> The problem is that I've found only one configuration that will allow a
> client to successfully load a page, and in this case, it will also allow
> the use of user certificates issued by the other IssuingCA. I find this
> baffling, since I haven't told Apache anything about this particular
> IssuingCA.
>
> I believe that my problems are centering around the SSLCACertificateFile
> directive. See below for my SSL (scrubbed) conf file.
>
> CASE 1:
> If I use this invocation, Apache allows certificates from any issuing CA
> that has been signed by our Root CA. Note that certchain.cer is a
> concatenation of the PEM-encoded certificates for IssuingCA2 and the
> RootCA (specifically, of IssuingCA2.cer and RootCA.cer mentioned in the
> next two cases).
> SSLCACertificateFile conf/ssl/certchain.cer
>
> Here is the logfile exerpt for this case:
>
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 2, subject: [SNIP]Root CA, issuer: [SNIP]Root CA
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 1, subject: [SNIP]Issuing CA 1, issuer: [SNIP]Root CA
> [Mon Apr 23 22:26:14 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 0, subject: /CN=[SNIP], issuer: [SNIP]Issuing CA 1
>
> CASE 2:
> If I use this invocation, Apache will run but will complain (whenever the
> protected page is loaded) that it can't find the local issuer certificate.
> I've tried setting SSLVerifyDepth to 1, but this didn't help anything.
> The only good thing about this case is that the list of certificates
> presented by the remote browser to the user only includes those directly
> issued by IssuingCA2.
> SSLCACertificateFile conf/ssl/IssuingCA2.cer
>
> Here is the logfile exerpt for this case:
>
> [Mon Apr 23 22:31:18 2007] [debug] ssl_engine_kernel.c(1190): Certificate
> Verification: depth: 1, subject: [SNIP]Issuing CA 2, issuer: [SNIP]Root CA
> [Mon Apr 23 22:31:18 2007] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
>
> CASE 3:
> If I use this invocation, Apache won't even run. Note that the content of
> RootCA.cer is exactly the same content that makes up an essential part of
> certchain.cer (see above). AFAIK, this certificate should have format and
> content readily useable by Apache. The only special thing about it, is
> that it is a self-signed certificate (does that make a difference?)
> SSLCACertificateFile conf/ssl/RootCA.cer
>
> Here is the logfile exerpt for this case:
>
> [Mon Apr 23 22:02:13 2007] [info] Loading certificate & private key of
> SSL-aware server
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_pphrase.c(469): unencrypted
> RSA private key - pass phrase not required
> [Mon Apr 23 22:02:13 2007] [info] Configuring server for SSL protocol
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(405): Creating new
> SSL context (protocols: SSLv2, TLSv1)
> [Mon Apr 23 22:02:13 2007] [debug] ssl_engine_init.c(538): Configuring
> client authentication
> [Mon Apr 23 22:02:13 2007] [error] Unable to configure verify locations
> for client authentication
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 33558533
> error:02001005:system library:fopen:Input/output error
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 537317378
> error:2006D002:BIO routines:BIO_new_file:system lib
> [Mon Apr 23 22:02:13 2007] [error] SSL Library Error: 185090050
> error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
> lib
>
> HELP:
> My expectation here was that I would need to provide the certificate chain
> (issuing and root CA) required to authenticate the user certificate, and
> that a user certificate issued by any other IssuingCA would fail because I
> haven't given Apache the IssuingCA's certificate.
>
> Instead, it seems like the server has gained access to the IssuingCA1
> certificate (does it do this directly, or does the client send it?), and
> is validating that certificate against the RootCA. This seems to happen
> when I provided the RootCA in the SSLCACertificateFile, which (as I
> understand it) gets sent to the remote client so that it can filter its
> list of applicable user certificates.
>
> So, I'm looking for is a way to configure Apache to:
> 1. Instruct the remote browser to limit the applicable user certificates
> to only those issued by IssuingCA2,
> 2. Avoid the "unable to get local issuer certificate" error
> 3. Never accept a user certificate issued by IssuingCA1
>
> Could someone please tell me where I've gone wrong, and/or how to achieve
> these goals?
>
>
>
> CONFIGURATION:
> Here's my SSL conf file. It's loaded from httpd.conf:
>
>
> DocumentRoot [SNIP]
> ServerName [SNIP]:443
> ServerAdmin [SNIP]
> CustomLog virtualhosts/secure/logs/access.log common
> ErrorLog virtualhosts/secure/logs/error.log
> TransferLog virtualhosts/secure/logs/access.log
> LogLevel debug
>
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+e NULL
> SSLCertificateFile conf/ssl/[SNIP].crt
> SSLCertificateKeyFile conf/ssl/[SNIP].key
> SSLCACertificateFile conf/ssl/certchain.cer
> SSLVerifyDepth 10
>
> SSLOptions +StdEnvVars
>
>
> SSLOptions +StdEnvVars
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog virtualhosts/secure/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> # Prevent clients from using SSLv3
> SSLProtocol all -SSLv3
>
>
> DocumentRoot [SNIP]/virtualhosts/secure/htdocs
>
> Options Indexes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
>
>
>
> Options FollowSymLinks
> AllowOverride None
>
> Order allow,deny
> Allow from all
>
>
>
> # Per-directory configuration for SSL
> SSLRequireSSL
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> SSLVerifyClient require
>
>
>
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
>
>
>
>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SOLVED: Am I using SSLCACertificateFile as intended?

David P. Mott wrote:
>
> I don't know why I didn't find this in the dozens of Google searches
> that I did *before* I posted my question, but these seem to be what I'm
> looking for:
>
> SSLCADNRequestFile / SSLCADNRequestPath

Please be aware that Apache/ModSSL uses den SSLCADNRequest-
File / SSLCADNRequestPath only for submitting a list of
accepted CAs to the client. It does not use this for
verification. So: Usually a client will send the certificate
of the requested subCA (even if he has client certificates
from both CAs), but this does not mean that a malicious
client could not send a client certificate of the other
CA. This certificate would be accepted then (because
evaluation of the chain is still done against the certificates
from SSLCACertificateFile. There is no check against the
certificates from SSLCADNRequestFile...

Regards, Olaf

--

Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET
Senior Researcher, www.intrusion-lab.net
PKI - and IDS - Services olaf.gellert@intrusion-lab.net

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SOLVED: Am I using SSLCACertificateFile as intended?

Oh, good call!

So, now I'm looking at:

* SSLCACertificateFile, to hold all of the certificates that I would
authenticate against;
* SSLCADNRequestFile, to send an acceptable list of certificates to the
client;
* SSLRequire, to prevent malicious clients from sending me a certificate
that would validate against a CA higher up the chain than what I want.

I'd probably have researched the SSLRequire part of it anway; all of our
production Apache servers are 2.0.x, which don't support the
SSLCADNRequestFile directive. Until they can be upgraded, I'll want to
prevent the use of an inappropriate certificate.

Thanks for taking the time to respond to this issue.

-dpmott

On Tue, 24 Apr 2007, Olaf Gellert wrote:

> David P. Mott wrote:
>>
>> I don't know why I didn't find this in the dozens of Google searches
>> that I did *before* I posted my question, but these seem to be what I'm
>> looking for:
>>
>> SSLCADNRequestFile / SSLCADNRequestPath
>
> Please be aware that Apache/ModSSL uses den SSLCADNRequest-
> File / SSLCADNRequestPath only for submitting a list of
> accepted CAs to the client. It does not use this for
> verification. So: Usually a client will send the certificate
> of the requested subCA (even if he has client certificates
> from both CAs), but this does not mean that a malicious
> client could not send a client certificate of the other
> CA. This certificate would be accepted then (because
> evaluation of the chain is still done against the certificates
> from SSLCACertificateFile. There is no check against the
> certificates from SSLCADNRequestFile...
>
> Regards, Olaf
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org