SSLVerifyClient require
on 12.01.2004 16:54:53 by Hector Vass
I am having a problem with client authentication: getting client certificates
to work.
I have installed the client certificate in Internet Explorer; this also
installs the server certificate as a 'trusted root certificate'.
When I access the basic https area of the website all works correctly; when I
attempt to go into the area where SSLVerifyClient is required, the certificate is
prompted for. But when it is chosen I get a "The page cannot be displayed" error.
The error in the ssl_error_log is: [Fri Jan 09 11:37:48 2004] [error]
Re-negotiation handshake failed: Not accepted by client!?
If the certificates are viewed, IE says that they are valid etc.
I was after references to good HowTos or any views on whether this is an IE,
mod_ssl, Apache or just a certificates problem.
Thanks in advance
Our server is
Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/6mdk) mod_perl/1.99_09
Perl/v5.8.1 mod_ssl/2.0.47 OpenSSL/0.9.7b PHP/4.3.2!
And the clients are Internet Explorer IE6 and Opera 7.2.
*****
SETUP CERTIFICATES AS FOLLOWS in directory /home/test/CA/:
*****
CERTIFICATION AUTHORITY
Generate New Certification Authority
    perl CA.pl -newca
    (when prompted I set the CN name to the server's IP address)
SERVER CERTIFICATE
Generate new certificate request for SERVER (newreq.pem)
    perl CA.pl -newreq
    (when prompted I set the CN name to the server's IP address)
Sign it (generates newcert.pem)
    perl CA.pl -sign
Get Key from it
    openssl rsa < newreq.pem > newkey.pem
CLIENT CERTIFICATE
Generate Unencrypted Key for CLIENT
    openssl genrsa -out client_unsecure.key 1024
Generate new certificate request for CLIENT
    openssl req -new -key client_unsecure.key -out client_unsecure.csr
    (when prompted I set the CN name to the client IP address)
Sign it
    openssl ca -config /<somepath>/openssl.cnf -policy policy_anything -out client_unsecure.crt -infiles client_unsecure.csr
Create format for Internet Explorer
    openssl pkcs12 -export -in client_unsecure.crt -inkey client_unsecure.key -name "Client Cert" -certfile ./demoCA/cacert.pem -out clientcert.p12
41_MOD_SSL.DEFAULT-VHOST.CONF SETTINGS AS FOLLOWS:
DocumentRoot "/var/www/html/secure"
ErrorLog logs/ssl_error_log
<IfModule mod_log_config.c>
TransferLog logs/ssl_access_log
</IfModule>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
# Server Certificate:
SSLCertificateFile /home/test/CA/newcert.pem
# Server Private Key:
SSLCertificateKeyFile /home/test/CA/newkey.pem
# Server Certificate Chain:
# Certificate Authority (CA):
SSLCACertificateFile /home/test/CA/demoCA/cacert.pem
# Certificate Revocation Lists (CRL):
# Client Authentication (Type):
#SSLVerifyClient require
#SSLVerifyDepth 10
<Location /audit>
    SSLVerifyClient require
    SSLVerifyDepth 1
</Location>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
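The certificate procedure and the vhost fragment in the post above, as an added example that is not part of Hector's message and not mod_ssl's own code: a shell script that builds the same kind of three-certificate PKI (CA, server certificate, client certificate) with the OpenSSL command line and then runs the checks that take the browser out of the picture. It verifies the client certificate against the CA file that SSLCACertificateFile would point at, for the same purpose (sslclient) a TLS server applies to a peer certificate; it checks that neither leaf certificate has a subject equal to its issuer (the posted procedure gives both the CA and the server certificate the server's IP as CN, so with the same answers to the other prompts the server certificate's subject name equals its issuer name, which RFC 5280 section 6.1 calls self-issued); it counts the certificates packed into the PKCS#12; and, when a local port is free, it runs a live handshake against `openssl s_server -Verify 1`, the command-line counterpart of `SSLVerifyClient require` with `SSLVerifyDepth 1`. Every name in it (Example Client CA, extranet.example.test, hector), the scratch directory and port 4433 are assumptions, and it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post or from mod_ssl.
# Builds a small PKI like the one in the post (CA, server cert, client cert)
# and runs the checks for an SSLVerifyClient setup that need no browser.
# Assumptions: OpenSSL 1.1.1+ on PATH; all names, paths and the port are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory, assumed writable
CA_NAME="Example Client CA"      # deliberately NOT the same name as the server
SERVER_NAME="extranet.example.test"
CLIENT_NAME="hector"

# One config file drives every step: CA extensions for 'req -x509', and
# leaf extensions for 'x509 -req -extfile ... -extensions ...'.
write_config() {
  cat > "$WORK/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_pki() {
  write_config
  # 1. CA key + self-signed CA certificate (what SSLCACertificateFile points at).
  openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Extranet/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
  # 2. Server key + CSR, signed by the CA (SSLCertificateFile / SSLCertificateKeyFile).
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Extranet/CN=$SERVER_NAME" -keyout "$WORK/server.key" -out "$WORK/server.csr"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_server -out "$WORK/server.crt"
  # 3. Client key + CSR, signed by the same CA, with a CN that is a person, not an IP.
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Extranet/CN=$CLIENT_NAME" -keyout "$WORK/client.key" -out "$WORK/client.csr"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_client -out "$WORK/client.crt"
  # 4. PKCS#12 for the browser. -certfile packs the CA certificate in as well, which
  #    is what makes the import also install the issuer as a trusted root.
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" -certfile "$WORK/ca.crt" \
    -name "Client Cert" -passout pass:changeit -out "$WORK/client.p12"
}

# Check A: does the client certificate verify against the CA file, for the purpose
# a TLS server applies to a peer certificate?  Prints "<path>: OK" on success.
verify_client_chain() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$WORK/client.crt"
}

# Check B: subject and issuer must differ on a server or client certificate.
# A certificate whose subject equals its issuer is "self-issued" (RFC 5280, 6.1)
# and is easily mistaken for a self-signed root when a chain is being built.
not_self_issued() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# Check C: number of certificates in the PKCS#12. Two means the CA travelled with
# the client certificate (the -certfile part); one means it did not.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Check D (needs a free local port): live handshake against a server that requires a
# client certificate, i.e. "SSLVerifyClient require" + "SSLVerifyDepth 1" on the CLI.
# -CAfile also makes s_server send the CA's name in its CertificateRequest, as mod_ssl
# does from SSLCACertificateFile; that list is what tells a browser which client
# certificates are worth offering. s_server -www lists the peer certificate only
# when it accepted one, so that line is the pass criterion.
handshake_with_client_cert() {
  port="${1:-4433}"
  openssl s_server -accept "$port" -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.crt" -Verify 1 -www >/dev/null 2>&1 &
  pid=$!
  sleep 1
  out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
    -cert "$WORK/client.crt" -key "$WORK/client.key" -CAfile "$WORK/ca.crt" -ign_eof 2>&1 || true)
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  printf '%s\n' "$out" | grep -q 'Client certificate'
}

make_pki
verify_client_chain
for f in server.crt client.crt; do not_self_issued "$WORK/$f"; done
echo "certificates in client.p12: $(p12_cert_count)"
if handshake_with_client_cert 4433; then
  echo "handshake with client certificate: accepted"
else
  echo "handshake check skipped or failed (port 4433 busy, or no local networking?)"
fi
echo "artifacts left in $WORK"
```

Run it with `sh`; the generated files stay in the scratch directory so they can be dropped into a test vhost. To reproduce the naming in the post, set CA_NAME to the same value as SERVER_NAME and watch check B fail for server.crt while check A still passes: the chain is cryptographically fine, the names are just ambiguous, which is the kind of thing to rule out before blaming the browser.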