Certificate verification problem (required client certificate)
on 05.08.2003 19:32:45 by Herbert Neugebauer
Hello,
I'm having a strange problem with Apache 2.0.45 / openssl 0.9.6 (and
possibly tomcat 4.1.27).
The web-server should run all applications only over SSL and with client
certificate verification enabled.
So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content.
However the 4th application doesn't work. One of the working applications
is PHP, another also working application is JSP based, so using Tomcat.
The fourth application is not JSP, but a Servlet/Applet combination.
What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser (IE),
but the JAVA Plug-In just says "applet not found", and in the web-server
error file (put in INFO) I see the following errors:
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.bbn.hp.com:443, client 15.136.126.30)
I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, but they do!
Now I was wondering if it could be an issue somewhere in between mod_ssl,
mod_jk, Tomcat??
In principle the connector between Apache and Tomcat works, otherwise the
JSP application would not work as well. That can be easily verified by
inserting a bug in this configuration and voila, the JSP app stops
working.
Any ideas?
thanks in advance
Herbert
PS: if I switch on debug level, I get even more info, which does not help
me, but it first says something about client certificate A (success) and
then something about a certificate B????? What is this about?
[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096): CA certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY Primary Class 2 Certification Authority
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(611): Configuring permitted SSL ciphers [!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(739): Configuring RSA server certificate
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(778): Configuring RSA server private key
[Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established (server esdsv07.bbn.hp.com:443, client 15.136.126.30)
[Tue Aug 05 19:15:02 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake: start
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
[---lots of stuff omitted, including the verification of my certificate---]
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write change cipher spec A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(708): inside shmcb_store_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(714): session_id[0]=106, masked index=10
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1089): entering shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1013): entering shmcb_expire_division
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1145): we have 14386 bytes and 133 indexes free - enough
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1174): storing in index 0, at offset 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1189): session_id[0]=106, idx->s_id2=63
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1200): leaving now with 1128 bytes in the cache and 1 indexes
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1204): leaving shmcb_insert_encoded_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(742): leaving shmcb_store successfully
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(437): shmcb_store successful
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610): Inter-Process Session Cache: request=SET status=OK id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849 timeout=296s (session caching)
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1768): OpenSSL: Handshake
[--- another and another successful handshake following ---]
[--- even more stuff omitted, then something strange: ---]
[Tue Aug 05 19:15:13 2003] [info] Connection to child 1 established (server esdsv07.bbn.hp.com:443, client 15.191.1.8)
[Tue Aug 05 19:15:13 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL: Handshake: start
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: before/accept initialization
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 11/11 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--bio dump left out--]
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 read client hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write server hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 write certificate request A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL: Loop: SSLv3 flush data
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read 5/5 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--another bio dump left out--]
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1782): OpenSSL: Write: SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 19:15:14 2003] [info] Connection to child 1 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established (server esdsv07.my.com:443, client 115.136.126.30)
It started with read/written client certificate A, no error, then suddenly
says something about client certificate B, which fails. What is client
certificate B?
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
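As an added example (not code from this thread, from mod_ssl or from OpenSSL), here is a small Python triage script for the error_log format shown above: it decodes the packed OpenSSL error number that mod_ssl prints as "SSL Library Error: <decimal> error:<hex>:<lib>:<func>:<reason>" (OpenSSL 0.9.x to 1.1.x pack an 8-bit library id, a 12-bit function id and a 12-bit reason id), checks that the decimal and hex forms agree, and groups handshake failures by client address so an operator can see which clients never present a certificate to a virtual host that requires one. The sample log lines are constructed from the records quoted in this thread, re-joined to one record per line; the pairing of the two consecutive mod_ssl lines per failure is an assumption noted in the code.

```python
"""Triage mod_ssl client-certificate handshake failures in an Apache error_log.

Added example (not from the thread, mod_ssl or OpenSSL). Decodes the packed
OpenSSL error number mod_ssl logs and groups failed handshakes by client.
"""
import re
from collections import defaultdict

# OpenSSL 0.9.x-1.1.x pack an error as: 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 0x14  # library id printed as "SSL routines"

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
HANDSHAKE_RE = re.compile(
    r"SSL library error (?P<errnum>\d+) in handshake "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)")
LIBERR_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$")

# Constructed sample: records from the thread, re-joined to one line each
# (the mail client had wrapped them), using the anonymised my.com host name.
SAMPLE_LOG = """\
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610): Inter-Process Session Cache: request=SET status=OK id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849 timeout=296s (session caching)
"""


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into its library/function/reason ids."""
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def summarize_handshake_failures(log_text):
    """Return {client address: [failure dict, ...]} for every failed handshake.

    Assumption: mod_ssl writes the "SSL library error ... in handshake" line
    and the "SSL Library Error: ..." detail line consecutively from the same
    child process. With many concurrent children the two lines of different
    connections can interleave, so the pairing is best-effort.
    """
    failures = defaultdict(list)
    pending_client = None  # client whose detail line we are waiting for
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # continuation or non-mod_ssl line
        msg = m.group("msg")
        hs = HANDSHAKE_RE.search(msg)
        if hs:
            pending_client = hs.group("client")
            continue
        detail = LIBERR_RE.search(msg)
        if detail and pending_client is not None:
            code = int(detail.group("dec"))
            fields = decode_openssl_error(code)
            failures[pending_client].append({
                "code": code,
                # decimal and hex are the same number; a mismatch means the
                # line was mangled (e.g. wrapped or truncated) and untrustworthy
                "consistent": code == int(detail.group("hex"), 16),
                "is_ssl_lib": fields["lib"] == ERR_LIB_SSL,
                "func": detail.group("func"),
                "reason": detail.group("reason").strip(),
            })
            pending_client = None
    return dict(failures)


if __name__ == "__main__":
    for client, events in sorted(summarize_handshake_failures(SAMPLE_LOG).items()):
        for ev in events:
            flag = "" if ev["consistent"] else " [decimal/hex mismatch]"
            print(f"{client}: {ev['func']}: {ev['reason']}{flag}")
```

Clients that appear here but never in a successful handshake are the ones whose TLS stack (in the thread, the Java plug-in rather than the browser itself) is not presenting a certificate at all.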
RE: Certificate verification problem (required client certificate)
on 13.08.2003 13:39:32 by Herbert Neugebauer
Hello,
I posted this question already some days ago, but did not yet receive any
hint. Does really no-one have any idea what could be the problem?
-----------------------
I'm having a strange problem with Apache 2.0.45, mod_ssl with openssl
0.9.6i (and possibly a factor also tomcat 4.1.27 server, client IE6 with
Java 1.4 plugin from Sun).
The web-server should run all applications only over SSL and with client
certificate verification enabled.
So I set up all the necessary configuration, including server and client
certificates (our company has its own internal CA), and moved three
different applications from the non-SSL to the SSL virtual-host.
Everything works fine, the applications can access the "environment
variables", where the user-ID coming from the certificate is stored, in
order to authenticate the users and provide user-specific content. One of
the working applications is PHP based, another one is JSP based, so via
Tomcat. (only explaining this so that it is clear the whole server
combination including the SSL setup seems to be right in principle).
However the 4th application doesn't work.
The fourth application is not JSP, but a Servlet/Applet combination.
What happens when accessing the page is that the "index.html" downloads to
the client, but then the applet should be retrieved by the browser
(IE/Java plug-in), but the JAVA Plug-In just says "applet not found", and
in the web-server error file (put in INFO) I see the following:
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 established
(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:52 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:52 2003] [info] Connection to child 4 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 18:56:52 2003] [info] Connection to child 69 established
(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 18:56:53 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 18:56:53 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 18:56:53 2003] [info] Connection to child 69 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.136.126.30)
I know, normally this "peer did not return a certificate" indicates that
either my browser does not have a certificate (which it has) or that the
certificate can not be verified by the server due to a missing CA
certificate (which it has). If one of these or both problems were there,
the other three applications would not work as well, right? But they do!
Any ideas?
If I switch on debug level, I get even more info (which does not tell me a
lot more). First there is a verification/handshake on client certificate A
(successful) and then there is something about a certificate B????? What
is this about? What are certificates A and B?
Thanks in advance
Herbert
Debugging info:
[Tue Aug 05 19:14:46 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:46 2003] [info] Init: Requesting pass phrase from dialog
filter program (/opt/hpws/apache/conf/passPhrase.dialog)
[Tue Aug 05 19:14:46 2003] [debug] ssl_engine_pphrase.c(499): encrypted
RSA private key - pass phrase requested
[Tue Aug 05 19:14:48 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(553): Configuring
client authentication
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(1096): CA
certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY
Primary Class 2 Certification Authority
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(611): Configuring
permitted SSL ciphers
[!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(739): Configuring RSA
server certificate
[Tue Aug 05 19:14:48 2003] [debug] ssl_engine_init.c(778): Configuring RSA
server private key
[Tue Aug 05 19:14:49 2003] [info] Loading certificate & private key of
SSL-aware server
[Tue Aug 05 19:14:49 2003] [info] esdsv07.my.com:443 reusing existing RSA
private key on restart
[Tue Aug 05 19:14:51 2003] [info] Configuring server for SSL protocol
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(436): Creating new SSL
context (protocols: SSLv2, SSLv3, TLSv1)
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(553): Configuring
client authentication
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(1096): CA
certificate: /O=my.com/OU=IT Infrastructure/C=US/O=MY Company/CN=MY
Primary Class 2 Certification Authority
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(611): Configuring
permitted SSL ciphers
[!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(739): Configuring RSA
server certificate
[Tue Aug 05 19:14:51 2003] [debug] ssl_engine_init.c(778): Configuring RSA
server private key
[Tue Aug 05 19:15:02 2003] [info] Connection to child 64 established
(server esdsv07.my.com:443, client 115.136.126.30)
[Tue Aug 05 19:15:02 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1764):
OpenSSL:Handshake: start
[Tue Aug 05 19:15:02 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: before/accept initialization
[---lots of stuff/binary dump omitted---]
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 read finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write change cipher spec A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write finished A
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 flush data
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(708): inside
shmcb_store_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(714):
session_id[0]=106, masked index=10
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1089): entering
shmcb_insert_encoded_session, *queue->pos_count = 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1013): entering
shmcb_expire_division
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1145): we have 14386
bytes and 133 indexes free - enough
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1174): storing in
index 0, at offset 0
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1189):
session_id[0]=106, idx->s_id2=63
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1200): leaving now
with 1128 bytes in the cache and 1 indexes
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(1204): leaving
shmcb_insert_encoded_session
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(742): leaving
shmcb_store successfully
[Tue Aug 05 19:15:06 2003] [debug] ssl_scache_shmcb.c(437): shmcb_store
successful
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1610):
Inter-Process Session Cache: request=SET status=OK
id=6A3F782DD6F051D3FFBFDFC9AD3197731D1008BF6C16089DB3EF2B1875772849
timeout=296s (session caching)
[Tue Aug 05 19:15:06 2003] [debug] ssl_engine_kernel.c(1768): OpenSSL:
Handshake
[--- another and another successful handshake following ---]
[--- even more stuff omitted, then something strange: ---]
[Tue Aug 05 19:15:13 2003] [info] Connection to child 1 established
(server esdsv07.my.com:443, client 15.191.1.8)
[Tue Aug 05 19:15:13 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1764): OpenSSL:
Handshake: start
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: before/accept initialization
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read
11/11 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--bio dump left out--]
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 read client hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write server hello A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write certificate A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 write certificate request A
[Tue Aug 05 19:15:13 2003] [debug] ssl_engine_kernel.c(1772): OpenSSL:
Loop: SSLv3 flush data
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_io.c(1478): OpenSSL: read
5/5 bytes from BIO#40239088 [mem: 403f1568] (BIO dump follows)
[--another bio dump left out-- so far the usual success, but now....]
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1782): OpenSSL:
Write: SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Exit: error in SSLv3 read client certificate B
[Tue Aug 05 19:15:14 2003] [info] SSL library error 1 in handshake (server
esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] SSL Library Error: 336105671
error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
return a certificate No CAs known to server for verification?
[Tue Aug 05 19:15:14 2003] [info] Connection to child 1 closed with
abortive shutdown(server esdsv07.my.com:443, client 115.191.1.8)
[Tue Aug 05 19:15:14 2003] [info] Connection to child 66 established
(server esdsv07.my.com:443, client 115.136.126.30)
It started with read/written client certificate A, no error, then suddenly
says something about client certificate B, which fails. What is client
certificate B?
--
Herbert Neugebauer
hnbw1@veces.bb.bawue.de
71088 Holzgerlingen Germany
*****
War does not decide who's right, only who's left
-- unknown quote
Re: Certificate verification problem (required client certificate)
on 14.08.2003 07:45:47 by Kiyoshi Watanabe
Hello,
I have seen similar questions posted on the openssl mailing list
before, but I have not seen much discussion. One thing that you may
want to try is to upgrade the version of openssl itself, but I have
no clue whether that applies to your problem.
Why don't you post this question on the openssl mailing list, hoping
that somebody has solved the question since then?
-Kiyoshi
Kiyoshi Watanabe