Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 03:36:44 by steve.berube
Hello;
I'm hoping someone can help me with this.
Issue: On various systems using Internet Explorer 7 or 8, smart card credentials are not being prompted. Firefox works providing the Security Device for ActivClient is installed.
Environment:
Server: Windows Apache 2.2.14 with OpenSSL
Clients: Various (Windows platforms)
IE 8
Firefox 3.5.3
ActivClient Smart Card/Key reader.
The issue I am having is as follows.
I have a simple apache install running SSL with a server certificate from a trusted authority. If I use a self-signed, works just as well.
I have enabled SSLClientVerify on my cgi-bin folder
Here is my directive:
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Directory>
This is in extra/httpd-ssl.conf, basically everything is out of the box 2.2.14 so I could eliminate any customizations we made. The only real changes are me pointing to the certificates and adding this directive.
What works:
Accessing https://servername (which is running on 443) works and the client trusts the server. I see the infamous apache: 'It Works!'
All client browsers IE, Firefox, Windows 7, Windows Vista, 32bit 64bit all work.
What doesn't work (completely)
https://servername/cgi-bin/printenv.tcl
Note: I have a tcl interpreter running a custom printenv.tcl, but the file doesn't matter, assume we are just trying to access cgi-bin directly, same issue exists there. Same issue exists if I set the directive on the whole webserver (e.g. <location />)
Now, here is where it gets interesting. What should happen is the client should prompt for a client certificate from the smart card reader and ask the user for their pin.
On firefox 3.5.3 it prompts the user for their smartcard pin as long as the Security Device for ActivClient is installed. Works great!
IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
All the other systems (tested 10) running IE will not work. This is where I am completely baffled. I've tried everything I could think of. But where I am stuck now is I can't seem to get IE 7 or 8 to (via ActivClient) prompt for a pin. Using the same client, same IE browser accessing some of our internal sites where we require a certificate it works fine. Just not to my site on apache. The other two sites that do work are hosted by IIS 6 and Omniture Dc/2.0.0 (at least states the HTTP header)
If anyone needs more information from me or has any advice here please let me know. I'm stumped and have been scouring google for hours with no luck.
Thanks
- Steve
Re: Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 06:44:23 by Toomas Aas
Berube, Steve (HP Software) wrote:
> Now, here is where it gets interesting. What should happen is the client
> should prompt for a client certificate from the smart card reader and
> ask the user for their pin.
>
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as
> the Security Device for ActivClient is installed. Works great!
>
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
>
> All the other systems (tested 10) running IE will not work.
This may be an SSL handshake issue. Do you have something like this in your
SSL virtualhost:
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
If not, try adding it.
It seems to me that something in this area was changed recently in Apache,
because after upgrading from 2.2.9 to 2.2.13 I had to add similar
directive even for Firefox, which worked fine before.
--
Toomas Aas
... The truth is out there. Does anyone know the URL?
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 12:27:03 by steve.berube
Hi there, thank you for the reply. Yes I have that in there. In fact apache 2.2 ships with that by default.
Here is mine directly from httpd-ssl.conf
I pasted a good portion of the file so you can see its context.
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +OptRenegotiate
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received. This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Re: Requesting help with Smart Card Client Certificate
on 27.10.2009 15:17:09 by Eric Covener
On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
wrote:
> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
>   SSLVerifyClient require
>   SSLVerifyDepth 10
>   SSLOptions +StdEnvVars
> </Directory>
Can you simplify your testing by setting this outside of per-directory
config? Have you used wireshark to see if Apache is sending the
proper list of trusted certificates that line up with whoever signed
your certs in your HW device?
Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
or http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
might help?
--
Eric Covener
covener@gmail.com
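Added example (not part of the original thread, and not Apache or mod_ssl code): one way to carry out the check suggested above, decoding the CA names carried in the server's CertificateRequest handshake message and testing whether the issuer of the smart card certificate lines up with them. It assumes the TLS 1.0/1.1 message layout; the sample bytes, the DN values and all function names are constructed for illustration.

```python
"""Decode the CA list in a TLS 1.0/1.1 CertificateRequest handshake message."""
import struct

# Short names for attribute OIDs that commonly appear in CA subject names.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn DER OID content octets into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:                # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_dn(der_bytes):
    """Render a DER-encoded X.501 Name as 'C=US, O=..., CN=...'."""
    tag, rdn_seq, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = read_tlv(rdn_seq, pos)        # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)    # SEQUENCE { type, value }
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            dotted = decode_oid(oid)
            text = value.decode("utf-8", "replace")
            parts.append(OID_NAMES.get(dotted, dotted) + "=" + text)
    return ", ".join(parts)


def parse_certificate_request(msg):
    """Parse handshake message type 13; return (certificate_types, [CA DNs])."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    ntypes = body[0]
    cert_types = list(body[1:1 + ntypes])
    pos = 1 + ntypes
    (ca_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ca_total
    if end > len(body):
        raise ValueError("CA list runs past the message body")
    cas = []
    while pos < end:                        # each entry: 2-byte length + DER Name
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        cas.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    return cert_types, cas


def issuer_lines_up(issuer_dn, advertised_cas):
    """Simplified check: is the card certificate's direct issuer in the list?
    An empty list places no restriction on which certificate may be sent."""
    return not advertised_cas or issuer_dn in advertised_cas


def der(tag, body):
    """Encode one DER element (short-form length only; enough for the sample)."""
    if len(body) > 127:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(body)]) + body


def build_sample_request():
    """Constructed sample: types rsa_sign(1), dss_sign(2) and one CA name."""
    attrs = [(b"\x55\x04\x06", "US"), (b"\x55\x04\x0a", "Example Corp"),
             (b"\x55\x04\x03", "Example Smart Card CA")]
    rdns = b"".join(der(0x31, der(0x30, der(0x06, oid) + der(0x13, txt.encode())))
                    for oid, txt in attrs)
    dn = der(0x30, rdns)
    ca_list = struct.pack("!H", len(dn)) + dn
    body = bytes([2, 1, 2]) + struct.pack("!H", len(ca_list)) + ca_list
    return bytes([13]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    types, cas = parse_certificate_request(build_sample_request())
    print("certificate types:", types)
    for ca in cas:
        print("acceptable CA:", ca)
    card_issuer = "C=US, O=Example Corp, CN=Example Smart Card CA"  # constructed
    print("card issuer lines up:", issuer_lines_up(card_issuer, cas))
```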
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 15:21:32 by steve.berube
My test originally was this
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
Same issue whether based on a directory or using the root location.
I'm still trying to figure out why one and only IE works, but no others.
I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
ERROR_INTERNET_SECURITY_CHANNEL_ERROR
Nothing else at all in the trace.
If I go to the root url (which is SSL Enabled, but no client verify)
I will try your suggestion of wireshark.
Re: Requesting help with Smart Card Client Certificate
on 27.10.2009 15:26:07 by Eric Covener
On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software)
wrote:
> My test originally was this
>
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>     SSLOptions +StdEnvVars
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.
Putting it in is still the more complicated case of:
handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*
SSLVerifyClient is accepted in context, which should
cause the initial handshake to ask for a client cert.
--
Eric Covener
covener@gmail.com
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 15:28:17 by steve.berube
So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual host directive?
e.g.
# General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 27.10.2009 15:30:41 by steve.berube
Ok quick update, I did that test and unfortunately no change in behavior. I can't access / now (as expected) but still no prompt for certificate. Other systems that work continue to work. Firefox no issue, one windows 7 IE system, no issue.
I am installing wireshark now.
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 29.10.2009 16:12:18 by steve.berube
Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace, but my expertise in analyzing that is lacking.
-----Original Message-----
From: Berube, Steve (HP Software)=20
Sent: Tuesday, October 27, 2009 10:31 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certifica=
te Authentication issue.
Ok quick update, I did that test and unfortunately no change in behavior. I=
can't access / now (as expected) but still no prompt for certificate. Othe=
r systems that work continue to work. Firefox no issue, one windows 7 IE sy=
stem, no issue.
I am installing wireshark now.
-----Original Message-----
From: Berube, Steve (HP Software)=20
Sent: Tuesday, October 27, 2009 10:28 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certifica=
te Authentication issue.
So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to t=
he entire virtual host directive?
e.g.
# General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.=
log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/acc=
ess.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Tuesday, October 27, 2009 10:26 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software)
wrote:
> My test originally was this
>
>     SSLVerifyClient require
>
>     SSLVerifyDepth 10
>
>     SSLOptions +StdEnvVars
>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.
Putting it in is still the more complicated case of:
handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*
SSLVerifyClient is accepted in context, which should
cause the initial handshake to ask for a client cert.
>
>
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, October 27, 2009 10:17 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
>
> On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software)
> wrote:
>>
n">
>>
>>   SSLVerifyClient require
>>
>>   SSLVerifyDepth 10
>>
>>   SSLOptions +StdEnvVars
>>
>>
>
>
> Can you simplify your testing by setting this outside of per-directory
> config?  Have you used wireshark to see if Apache is sending the
> proper list of trusted certificates that line up with whoever signed
> your certs in your HW device?
>
> Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
> or http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
> might help?
>
> --
> Eric Covener
> covener@gmail.com
>
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
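The two cases Eric Covener contrasts above (client certificate requested in the initial handshake versus only in a server-driven renegotiation) can be told apart from mod_ssl's LogLevel debug output. The Python script below is an added example, not part of the original thread or of Apache; its log excerpts are constructed in the format mod_ssl emits, 192.0.2.10 is a placeholder client address, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: per-directory SSLVerifyClient, client drops the renegotiation.
PER_DIRECTORY_LOG = """\
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server done A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read finished A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1879): OpenSSL: Handshake: done
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(487): [client 192.0.2.10] Changed client verification type will force renegotiation
[Thu Oct 29 11:25:03 2009] [info] [client 192.0.2.10] Requesting connection re-negotiation
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write hello request A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu Oct 29 11:25:04 2009] [error] [client 192.0.2.10] Re-negotiation handshake failed: Not accepted by client!?
"""

# Constructed sample: SSLVerifyClient at virtual-host level, certificate presented.
VHOST_LOG = """\
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Oct 29 11:30:00 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server done A
[Thu Oct 29 11:30:01 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client certificate A
[Thu Oct 29 11:30:01 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read finished A
[Thu Oct 29 11:30:01 2009] [debug] ssl_engine_kernel.c(1879): OpenSSL: Handshake: done
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
LOOP_RE = re.compile(r"OpenSSL: Loop: (.+)$")
EXIT_RE = re.compile(r"OpenSSL: Exit: error in (.+)$")
RENEG_MARKERS = ("will force renegotiation", "Requesting connection re-negotiation")


@dataclass
class Handshake:
    renegotiation: bool                 # True if the server asked for it after reading the request
    states: List[str] = field(default_factory=list)
    cert_requested: bool = False        # a CertificateRequest was written in this handshake
    outcome: str = "incomplete"         # "done", "error" or "incomplete"
    failed_state: Optional[str] = None  # OpenSSL state named in the "Exit: error in" line


def parse_handshakes(log_text: str) -> List[Handshake]:
    """Group mod_ssl debug lines of one connection into handshakes."""
    handshakes: List[Handshake] = []
    current: Optional[Handshake] = None
    reneg_pending = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # BIO dump rows and other noise
        msg = m.group("msg")
        if any(marker in msg for marker in RENEG_MARKERS):
            reneg_pending = True
        elif msg.endswith("OpenSSL: Handshake: start"):
            # A renegotiation logs "start" twice (hello request, then the
            # client's new hello); both belong to the same handshake.
            if current is None:
                current = Handshake(renegotiation=reneg_pending)
                handshakes.append(current)
                reneg_pending = False
        elif current is not None:
            loop, err = LOOP_RE.search(msg), EXIT_RE.search(msg)
            if loop:
                current.states.append(loop.group(1))
                if "write certificate request" in loop.group(1):
                    current.cert_requested = True
            elif err:
                current.outcome, current.failed_state = "error", err.group(1)
                current = None
            elif msg.endswith("OpenSSL: Handshake: done"):
                current.outcome = "done"
                current = None
    return handshakes


def diagnose(handshakes: List[Handshake]) -> Tuple[str, str, Optional[str]]:
    """Return (phase in which the certificate was requested, outcome, failed state)."""
    for hs in handshakes:
        if hs.cert_requested:
            phase = "renegotiation" if hs.renegotiation else "initial"
            return (phase, hs.outcome, hs.failed_state)
    return ("never", "n/a", None)


if __name__ == "__main__":
    for name, text in (("per-directory", PER_DIRECTORY_LOG), ("vhost-level", VHOST_LOG)):
        print(name, diagnose(parse_handshakes(text)))
```

A result of `("renegotiation", "error", ...)` points at the client side of the renegotiated handshake, while `("never", ...)` means the server never asked for a certificate at all.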
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 29.10.2009 16:23:37 by steve.berube
For what it is worth:
Here are the apache logs relating to this issue:
I've XX'ed out IP + YY host name info
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 99 01 00 00-95 03 01 ........... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 147/147 bytes from BIO#fd56b0 [mem: fdcc6b] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(393): ssl_scache_shmcb_retrieve (0x1c -> subcache 28)
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(708): shmcb_subcache_retrieve found no match
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(408): leaving ssl_scache_shmcb_retrieve successfully
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=GET status=MISSED id=1CEDFC78E42DDD9C30E64EB07FC25BBEB257E50DF23B11B5C01FF0A65BB1B5FB (session renewal)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1951): [client XX.XX.11.89] SSL virtual host for servername rd-db.cnd.YY.com found
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server done A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 86 ..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 134/134 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client key exchange A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 14 03 01 00 01 ..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 1/1 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 01 . |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 30 ....0 |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 48/48 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: ff 25 ef 55 d3 31 51 f0-0e 6a 9e e4 0e f6 3b 7f .%.U.1Q..j....;. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0010: fb ec 90 52 7a 05 5d 3f-ea a8 72 42 de 2f 9a e7 ...Rz.]?..rB./.. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0020: 6c e4 d9 8f 8f 63 fc b6-e1 35 b6 e5 14 93 7c ba l....c...5....|. |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read finished A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write change cipher spec A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write finished A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(353): ssl_scache_shmcb_store (0xac -> subcache 12)
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(645): insert happened at idx=0, data=0
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(647): finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/168
[Thu Oct 29 11:25:03 2009] [debug] ssl_scache_shmcb.c(378): leaving ssl_scache_shmcb_store successfully
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1721): Inter-Process Session Cache: request=SET status=OK id=AC94F2DD376455B7FD542C6606D4CA30149CFCA32DE4A663D43F63CDA064AB91 timeout=300s (session caching)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1879): OpenSSL: Handshake: done
[Thu Oct 29 11:25:03 2009] [info] Connection: Client IP: XX.XX.11.89, Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 17 03 01 06 40 ....@ |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 1600/1600 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [info] Initial (No.1) HTTPS request received for child 63 (server rd-db.cnd.YY.com:8443)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(487): [client XX.XX.11.89] Changed client verification type will force renegotiation
[Thu Oct 29 11:25:03 2009] [info] [client XX.XX.11.89] Requesting connection re-negotiation
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(724): [client XX.XX.11.89] Performing full renegotiation: complete handshake protocol
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSL renegotiate ciphers
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write hello request A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write hello request C
[Thu Oct 29 11:25:03 2009] [info] [client XX.XX.11.89] Awaiting re-negotiation handshake
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#fd56b0 [mem: fdcc60] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1830): | 0000: 16 03 01 00 90 ..... |
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 144/144 bytes from BIO#fd56b0 [mem: fdcc65] (BIO dump follows)
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1951): [client XX.XX.11.89] SSL virtual host for servername rd-db.cnd.YY.com found
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#fd56b0 [mem: fdcc60]
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu Oct 29 11:25:04 2009] [error] [client XX.XX.11.89] Re-negotiation handshake failed: Not accepted by client!?
-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Thursday, October 29, 2009 11:12 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Was wondering if anyone else had ideas here. I have a strace (Microsoft tool) of the trace, but my expertise in analyzing that is lacking.
-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:31 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Ok quick update, I did that test and unfortunately no change in behavior. I can't access / now (as expected) but still no prompt for certificate. Other systems that work continue to work. Firefox no issue, one Windows 7 IE system, no issue.
I am installing wireshark now.
-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 10:28 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
So for testing, are you asking I move SSLVerifyClient + SSLVerifyDepth to the entire virtual host directive?
e.g.
# General setup for the virtual host
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName rd-db.cnd.hp.com:443
ServerAdmin admin@rd-db.hp.com
ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log"
TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Tuesday, October 27, 2009 10:26 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
On Tue, Oct 27, 2009 at 10:21 AM, Berube, Steve (HP Software) wrote:
> My test originally was this
>
> SSLVerifyClient require
>
> SSLVerifyDepth 10
>
> SSLOptions +StdEnvVars
>
>
> Same issue whether based on a directory or using the root location.
> I'm still trying to figure out why one and only IE works, but no others.
> I've tried HTTP Analyzer plugin for IE which only shows a single error (nothing else)
>
> ERROR_INTERNET_SECURITY_CHANNEL_ERROR
>
> Nothing else at all in the trace.
>
> If I go to the root url (which is SSL Enabled, but no client verify)
>
> I will try your suggestion of wireshark.
Putting it in is still the more complicated case of:
handshake without request for client authentication
read request
server-driven renegotiation of the handshake with client authentication request
*hope IE prompts*
SSLVerifyClient is accepted in context, which should
cause the initial handshake to ask for a client cert.
>
>
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, October 27, 2009 10:17 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
>
> On Mon, Oct 26, 2009 at 10:36 PM, Berube, Steve (HP Software) wrote:
>>
>> SSLVerifyClient require
>>
>> SSLVerifyDepth 10
>>
>> SSLOptions +StdEnvVars
>>
>>
>
>
> Can you simplify your testing by setting this outside of per-directory
> config? Have you used wireshark to see if Apache is sending the
> proper list of trusted certificates that line up with whoever signed
> your certs in your HW device?
>
> Perhaps http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
> or http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatepath
> might help?
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
--
Eric Covener
covener@gmail.com
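The sequence Eric Covener lists (handshake, request, server-driven renegotiation, client prompt) can be read directly off the mod_ssl debug trace posted in this thread. The following is an added example, not code from the thread or from Apache: it walks the OpenSSL state lines and reports whether a CertificateRequest went out and in which state the handshake stopped. The function name `triage` and the verdict strings are assumptions made for the example; the trace lines are the ones from the thread with soft line breaks rejoined.

```python
import re

# mod_ssl debug lines: "OpenSSL: Loop: <state>" / "OpenSSL: Exit: error in <state>"
STATE_RE = re.compile(r"OpenSSL: (Loop|Exit): (?:error in )?(SSLv3 .+?)\s*$")
RENEG_RE = re.compile(r"\[error\].*Re-negotiation handshake failed")
CERT_REQ = "SSLv3 write certificate request A"
CERT_READ = "SSLv3 read client certificate A"

# Trace lines from this thread, soft line breaks rejoined.
TRACE = """\
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Thu Oct 29 11:25:03 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#fd56b0 [mem: fdcc60]
[Thu Oct 29 11:25:04 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate A
[Thu Oct 29 11:25:04 2009] [error] [client XX.XX.11.89] Re-negotiation handshake failed: Not accepted by client!?
"""

def triage(log_text: str) -> dict:
    """Summarise one handshake attempt from mod_ssl debug-level output."""
    completed, failed_in, renegotiation = [], None, False
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) == "Loop":
            completed.append(m.group(2))      # state the server got through
        elif m:
            failed_in = m.group(2)            # state in which OpenSSL gave up
        if RENEG_RE.search(line):
            renegotiation = True
    requested = CERT_REQ in completed
    if requested and failed_in == CERT_READ:
        verdict = "CertificateRequest sent; no client reply read"
    elif failed_in and not requested:
        verdict = "failed before any CertificateRequest"
    elif failed_in:
        verdict = "failed after CertificateRequest, in another state"
    else:
        verdict = "no handshake failure logged"
    return {"cert_requested": requested, "failed_in": failed_in,
            "renegotiation": renegotiation, "verdict": verdict}

if __name__ == "__main__":
    print(triage(TRACE))
```

A "CertificateRequest sent; no client reply read" result points at what the request contained, which is why the list of acceptable CAs the server advertises is the next thing to inspect.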
RE: Requesting help with Smart Card Client Certificate Authentication issue.
on 30.10.2009 18:17:52 by steve.berube
Hi all;
I was able to resolve this.
The issue apparently was in the CA store on the Apache server. I'm not sure if there was a corrupt entry in there, or a duplicate. But something was causing the issue. I created a fresh CA store with one cert, the one matching the root of the client cert and all worked!
-----Original Message-----
From: Berube, Steve (HP Software)
Sent: Tuesday, October 27, 2009 7:27 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Hi there, thank you for the reply. Yes I have that in there. In fact apache 2.2 ships with that by default.
Here is mine directly from httpd-ssl.conf
I pasted a good portion of the file so you can see its context.
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Hewlett-Packard Company"
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars +OptRenegotiate
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-----Original Message-----
From: Toomas Aas [mailto:toomas.aas@raad.tartu.ee]
Sent: Tuesday, October 27, 2009 1:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Berube, Steve (HP Software) wrote:
> Now, here is where gets interesting. What should happen is the client
> should prompt for a client certificate from the smart card reader and
> ask the user for their pin.
>
> On firefox 3.5.3 it prompts the user for their smartcard pin as long as
> the Security Device for ActivClient is installed. Works great!
>
> IE 8.0 on Windows 7 didn't work, after rebuilding the system it works now.
>
> All the other systems (tested 10) running IE will not work.
This may be a SSL handshake issue. Do you have something like this in your
SSL virtualhost:
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
If not, try adding it.
It seems to me that something in this area was changed recently in Apache,
because after upgrading from 2.2.9 to 2.2.13 I had to add similar
directive even for Firefox, which worked fine before.
--
Toomas Aas
.... The truth is out there. Does anyone know the URL?
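The resolution reported in the 30.10.2009 message (a suspected corrupt or duplicate entry in the server's CA store, fixed by rebuilding it with a single root) suggests checking a PEM bundle before pointing mod_ssl at it. The following is an added example, not code from the thread or from Apache: it flags entries that are byte-for-byte duplicates and entries whose base64 or outer DER length is broken. It is a structural check only and does not validate signatures or parse X.509 fields; the function names and the sample bundle (placeholder DER blobs, not real certificates) are constructed for the example.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length field fits."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        header, body = 2, der[1]
    else:                                      # long form: n length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def audit_bundle(pem_text: str) -> dict:
    """Sort each CERTIFICATE block (1-based index) into ok/duplicate/corrupt."""
    first_seen = {}
    report = {"ok": [], "duplicate": [], "corrupt": []}
    for idx, m in enumerate(PEM_RE.finditer(pem_text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:                     # bad alphabet or padding
            der = b""
        if not der_sequence_ok(der):
            report["corrupt"].append(idx)
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in first_seen:               # same bytes as an earlier entry
            report["duplicate"].append((idx, first_seen[digest]))
        else:
            first_seen[digest] = idx
            report["ok"].append(idx)
    return report

# Constructed sample: placeholder DER blobs, not real certificates.
def _pem(payload: bytes, cut: int = 0) -> str:
    der = (bytes([0x30, len(payload)]) + payload)[:len(payload) + 2 - cut]
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")

SAMPLE_BUNDLE = (_pem(b"root-A") + _pem(b"root-B") + _pem(b"root-A")  # 3 repeats 1
                 + _pem(b"root-C", cut=2))                            # 4 is truncated

if __name__ == "__main__":
    print(audit_bundle(SAMPLE_BUNDLE))
```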