<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.apache.mod-ssl.user">
    <title>gmane.comp.apache.mod-ssl.user</title>
    <link>http://blog.gmane.org/gmane.comp.apache.mod-ssl.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4964"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4963"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4962"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4961"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4960"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4959"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4958"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4957"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4956"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4955"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4954"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4953"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4952"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4951"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4950"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4949"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4948"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4964">
    <title>peer did not return a certificate No CAs known to server for verification?</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4964</link>
    <description>&lt;pre&gt;Hello All,

 

We have opened a java web service &amp;amp; our clients are facing issues while
accessing it. They are consistently getting SSL / TLS connection failure
message. All these clients are using VeriSign class 1 certificates. In
apache error logs we see below message:

 

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!? 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows) 
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

 

This is happening only with class 1 certificates, class 3 certificates
are working fine. Earlier we were using IBM HTTP Server &amp;amp; our clients
were able to connect to our web service. But since we have moved to
Apache HTTP Server, they are facing this issue.

 

Is there any known fix for this? Kindly advise. Your suggestions are of real
value to us.

 

Note: All these clients are either PHP / .NET clients. Java clients are
able to use class 1 certificates successfully.

 

Thanks,

Abhijit Mohan Bhate

+91-98-50-886360

 

&lt;/pre&gt;</description>
    <dc:creator>Abhijit Bhate</dc:creator>
    <dc:date>2010-12-20T05:59:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4963">
    <title>App requires port 8081, gets errors using HTTPS</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4963</link>
    <description>&lt;pre&gt;
I have a third-party XML application compiled into Apache as a module that
requires using port 8081.  I have run it successfully for years using HTTP
on Apache 1.3.27 (the version required by the vendor), but now I need to run
it using HTTPS.

So, I installed openssl-0.9.4 and mod_ssl-2.8.14-1.3.27 and the installation
seemed to go well except for the question "File to Patch:  ", which I had to
skip since I had no answer for it.

The application still runs fine when I browse to http://my.app.com:8081, but
when I try HTTPS using https://my.app.com:8081 I get a message that "Secure
Connection Failed - SSL received a record that exceeded the maximum
permissible length (Error code: ssl_error_rx_record_too_long)."  An error
codes reference says, "This generally indicates that the remote peer system
has a flawed implementation of SSL, and is violating the SSL specification."

The Apache error log says "Invalid method in request \x16\x03\x01"

Any thoughts on how to troubleshoot this?

Thanks,
Dave

&lt;/pre&gt;</description>
    <dc:creator>dreed2010</dc:creator>
    <dc:date>2010-11-17T20:31:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4962">
    <title>Re: Certs work, one doesn't, cannot determine why</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4962</link>
    <description>&lt;pre&gt;
I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below).  Now it almost seems somewhat random
in failure.  People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it work after all this time dead in the water.


Ah, you mean if I reorder them, does the success/failure
situation change as well?  I don't know, I can try that.

 &amp;gt; Why are you matching by the whole S_DN rather than based on
 &amp;gt; e.g. S_DN_CN alone?

Why not?  It seems like the more fully correct way to match
for security.  It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe
Jeff

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users&amp;lt; at &amp;gt;modssl.org
Automated List Manager                            majordomo&amp;lt; at &amp;gt;modssl.org

&lt;/pre&gt;</description>
    <dc:creator>Jeff Blaine</dc:creator>
    <dc:date>2010-11-01T18:27:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4961">
    <title>Re: Certs work, one doesn't, cannot determine why</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4961</link>
    <description>&lt;pre&gt;
Your verbose description of "something goes is not working" is hard to 
follow or condense down. Are you saying with the below configuration, 
you are seeing the SSLRequire work for all the users but that with the 
jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell.  Is 
the order of the users within the SSLRequire list significant?  Why are 
you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

http://httpd.apache.org/lists.html#http-users

Regards, Joe


&lt;/pre&gt;</description>
    <dc:creator>Joe Orton</dc:creator>
    <dc:date>2010-11-01T11:14:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4960">
    <title>RE: Specifying the openssl version used with mod_ssl</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4960</link>
    <description>&lt;pre&gt;Hello all,
Sorry for the delay. We found a work around and quit looking into
the below issue. Thanks to Peter for the static library suggestion and Lee
for the same and for getting me back on the topic. We were able to get
everything working how it should. A note, we are compiling modssl into
apache. We are not using it as a shared object. Here are the key config
options for openssl and apache:

Openssl:

./configure --prefix=/usr/local/ssl --shared

Apache:

./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl 


It is probably a good idea to run a sudo make clean for each installation.
At least it was for us since we re-installed about 50 times.


Thanks again,

Gunner Geller


-----Original Message-----
From: owner-modssl-users&amp;lt; at &amp;gt;modssl.org [mailto:owner-modssl-users&amp;lt; at &amp;gt;modssl.org]
On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users&amp;lt; at &amp;gt;modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:


&lt;/pre&gt;</description>
    <dc:creator>Gunner Geller</dc:creator>
    <dc:date>2010-10-28T15:53:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4959">
    <title>Re: Certs work, one doesn't, cannot determine why</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4959</link>
    <description>&lt;pre&gt;Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL.  I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request 
received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by 
server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 
/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E 
Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O 
error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The 
timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: 
Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed 
to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: "SUCCESS"
NOTE: "SSL negotiation finished successfully"
NOTE: /apps/rtsrv1dev/share/html and all files in it are
       world-readable (644)

Browser shows "Forbidden"

IE 8
and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:

&lt;/pre&gt;</description>
    <dc:creator>Jeff Blaine</dc:creator>
    <dc:date>2010-10-19T20:35:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4958">
    <title>Client Authentication</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4958</link>
    <description>&lt;pre&gt;Good Afternoon Everybody,

I am not sure if it is the right forum to ask this question. If not
please guide me.

mod_ssl provides fabulous mechanism of doing client authentication. It
does so by  issuing client certificates  signed by your own CA
certificate ca.crt.


 How we can use mod_ssl ( with client auth)  when we do not have
control on whole community i.e people are using certificates that is
signed by different CA.?

 One way I was thinking was to accumulate public certs ( which may not
be CA cert)  at one place( directory) and give its path to mod_ssl.

However I am not sure if this a good practice or even doable practice.

Any input will be highly appreciated.
Thank you.
rn

&lt;/pre&gt;</description>
    <dc:creator>rangeli nepal</dc:creator>
    <dc:date>2010-10-17T00:19:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4957">
    <title>Certs work, one doesn't, cannot determine why</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4957</link>
    <description>&lt;pre&gt;Hi folks.  I'm *really* stumped here.  If anyone has any
ideas, I would love to hear them.  How can I debug this
further?  I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
        corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
        when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 
/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson 
Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to 
/apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement 
expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

&amp;lt;VirtualHost 1xx.xx.9.85:443&amp;gt;
     ServerName rtdev1.our.org:443

     ErrorLog logs/ssl_error443_log
     TransferLog logs/ssl_access443_log
     LogLevel warn

     SSLEngine on
     SSLProtocol all -SSLv2
     SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
     SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
     SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
     SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
     SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
     SSLVerifyClient require
     SSLVerifyDepth  2

     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

     &amp;lt;Files ~ "\.(cgi|shtml|phtml|php3?)$"&amp;gt;
         SSLOptions +StdEnvVars
     &amp;lt;/Files&amp;gt;
     &amp;lt;Directory "/apps/rtsrv1dev/share/html"&amp;gt;
         SSLOptions +StdEnvVars
     &amp;lt;/Directory&amp;gt;

     SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

     CustomLog logs/ssl_access443_log \
         "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

     CustomLog logs/ssl_error443_log \
         "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x 
%{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x 
%{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x 
%{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

     DocumentRoot /apps/rtsrv1dev/share/html
     AddDefaultCharset UTF-8
     PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
         SetHandler default
     &amp;lt;/Location&amp;gt;

     &amp;lt;Location /&amp;gt;
         SetHandler perl-script
         PerlResponseHandler RT::Mason
         SSLVerifyClient require

         SSLRequire %{SSL_CLIENT_S_DN} in { \
              "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
              "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
              "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
              "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
         }
     &amp;lt;/Location&amp;gt;
&amp;lt;/VirtualHost&amp;gt;

&lt;/pre&gt;</description>
    <dc:creator>Jeff Blaine</dc:creator>
    <dc:date>2010-10-15T21:49:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4956">
    <title>SSLv3 alone (without TLSv1) does not work from client browser</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4956</link>
    <description>&lt;pre&gt;In our Apache conf file, we have the following directives:

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!DH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL:!aNULL

When we use a browser (Internet Explorer, or Firefox) to connect, it will work if we have both SSLv3 and TLSv1 configured within the browser.  But, when we remove the TLSv1, we cannot connect.

Does anyone know what could be the problem?

Thanks in advance,
Dan

&lt;/pre&gt;</description>
    <dc:creator>Hintz, Dan</dc:creator>
    <dc:date>2010-09-13T21:21:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4955">
    <title>Re: Specifying the openssl version used with mod_ssl</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4955</link>
    <description>&lt;pre&gt;Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:


&lt;/pre&gt;</description>
    <dc:creator>Gregg L. Smith</dc:creator>
    <dc:date>2010-09-13T17:48:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4954">
    <title>Specifying the openssl version used with mod_ssl</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4954</link>
    <description>&lt;pre&gt; Hello,

    We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
separate from the default install. We have also rolled our own OpenSSL to
the latest version. However when we compile Apache and enable mod_ssl it
still uses the old OpenSSL version. We can see it in our http headers:

 

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

 

When typing "openssl version" from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when
configuring/making/installing apache it is finding openssl at the above
directory. The problem is though that the http header stays the same.

 

The problem is we can't upgrade the default openssl version on the OS
without apple providing the update. The outdated version is tripping our
security scans. Like I said we rolled our own updated version but cannot
get apache/mod_ssl to use it. Any help is appreciated.

Thanks,

 

Gunner Geller

&lt;/pre&gt;</description>
    <dc:creator>Gunner Geller</dc:creator>
    <dc:date>2010-09-09T16:13:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4953">
    <title>RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4953</link>
    <description>&lt;pre&gt;Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken.
I followed your suggestion and posted a more complete entry to the users&amp;lt; at &amp;gt;httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW


-----Original Message-----
From: Joe Orton [mailto:jorton&amp;lt; at &amp;gt;redhat.com]
Sent: den 17 augusti 2010 16:01
To: Ulf Wahlqvist
Cc: modssl-users&amp;lt; at &amp;gt;modssl.org
Subject: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users&amp;lt; at &amp;gt; was used for discussion of mod_ssl for Apache httpd 1.3.  For discussion of OCSP in httpd 2.3 I'd recommend users&amp;lt; at &amp;gt;httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
&lt;/pre&gt;</description>
    <dc:creator>Ulf Wahlqvist</dc:creator>
    <dc:date>2010-08-18T06:03:44</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4952">
    <title>Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4952</link>
    <description>&lt;pre&gt;
The code tries to verify each cert in the client cert chain from issuing 
CA down to the end-entity client cert with the OCSP responder - this is 
expected behaviour.

The modssl-users&amp;lt; at &amp;gt; was used for discussion of mod_ssl for Apache httpd 
1.3.  For discussion of OCSP in httpd 2.3 I'd recommend 
users&amp;lt; at &amp;gt;httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe

&lt;/pre&gt;</description>
    <dc:creator>Joe Orton</dc:creator>
    <dc:date>2010-08-17T14:00:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4951">
    <title>RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4951</link>
    <description>&lt;pre&gt;I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.


Online Certificate Status Protocol
    tbsRequest
        requestList: 1 item
            Request
                reqCert
                    hashAlgorithm (SHA-1)
                        Algorithm Id: 1.3.14.3.2.26 (SHA-1)
                    issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
                    issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
                    serialNumber : 0x1bd40ed434d1da15a6003015024da46c &amp;lt;- THIS IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active? 

&lt;/pre&gt;</description>
    <dc:creator>Ulf Wahlqvist</dc:creator>
    <dc:date>2010-08-17T10:47:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4950">
    <title>RE: OCSP-validation fails - UPDATE</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4950</link>
    <description>&lt;pre&gt;I have now verified that if I use openssl directly from command line it will verify OK. Apparently there is no need for signing the request.  

.
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT

/ulfW



-----Original Message-----
From: owner-modssl-users&amp;lt; at &amp;gt;modssl.org [mailto:owner-modssl-users&amp;lt; at &amp;gt;modssl.org] On Behalf Of Ulf Wahlqvist
Sent: 27 July 2010 16:43
To: modssl-users&amp;lt; at &amp;gt;modssl.org
Subject: OCSP-validation fails

Hi


I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. 
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP-requests ( In that case - How do I pass the cert/key) ? 

** my config ************************************************************************************************************************************* 

[root&amp;lt; at &amp;gt;fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root&amp;lt; at &amp;gt;fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl


** error_log *************************************************************************************************************************************

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW


&lt;/pre&gt;</description>
    <dc:creator>Ulf Wahlqvist</dc:creator>
    <dc:date>2010-07-29T10:56:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4949">
    <title>OCSP-validation fails</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4949</link>
    <description>&lt;pre&gt;Hi


I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. 
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP-requests ( In that case - How do I pass the cert/key) ? 

** my config ************************************************************************************************************************************* 

[root&amp;lt; at &amp;gt;fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root&amp;lt; at &amp;gt;fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl


** error_log *************************************************************************************************************************************

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW


&lt;/pre&gt;</description>
    <dc:creator>Ulf Wahlqvist</dc:creator>
    <dc:date>2010-07-27T14:43:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4948">
    <title>SSLCACertificateFile getting ignored when I use a Location directive</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4948</link>
    <description>&lt;pre&gt;

Hello,

Adding &amp;lt;Location&amp;gt; around SSLVerifyClient and SSLVerifyDepth is causing my mutual 
authentication to fail with an ssl_error_handshake_failure_alert message. I 
can't seem to determine what might be causing this. I'll just jump right to 
the code below:


[WORKS]

Excerpting my httpd.conf: 

&amp;lt;VirtualHost _default_:443&amp;gt;
 DocumentRoot "&amp;lt;path edited&amp;gt;/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "&amp;lt;path edited&amp;gt;/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "&amp;lt;path edited&amp;gt;/Cert/ssl.key/server.key"
 SSLCACertificateFile "&amp;lt;path edited&amp;gt; Cert/ca.cer"
  SSLVerifyClient required
  SSLVerifyDepth 1
 &amp;lt;truncated&amp;gt; 

The above works like a charm. The only problem is it works EVERYWHERE I use 
443 ... which is as expected. So when I add my &amp;lt;Location&amp;gt; directive as below 
I get the Error code: ssl_error_handshake_failure_alert. Though it properly 
triggers this error on requests to the specified location. So I know that 
part is being picked up properly. Does anybody know what can be causing 
this? This seems to be how it was behaving before I added in the 
SSLCACertificateFile information. Could the Location tag be causing the 
server to somehow ignore my SSLCACertificateFile?



[DOESN'T WORK] :   Error code: ssl_error_handshake_failure_alert
 
&amp;lt;VirtualHost _default_:443&amp;gt;
 DocumentRoot "&amp;lt;path edited&amp;gt;/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "&amp;lt;path edited&amp;gt;/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "&amp;lt;path edited&amp;gt;/Cert/ssl.key/server.key"
 SSLCACertificateFile "&amp;lt;path edited&amp;gt; Cert/ca.cer"
 &amp;lt;Location /logonWithCertificate&amp;gt; 
  SSLVerifyClient required
  SSLVerifyDepth 1
 &amp;lt;/Location&amp;gt;
 
&amp;lt;truncated&amp;gt; 

Thanks in advance for any insight. 

-John



      &lt;/pre&gt;</description>
    <dc:creator>John Carpenter</dc:creator>
    <dc:date>2010-07-22T16:07:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4947">
    <title>FTP and HTTP Mirror</title>
    <link>http://permalink.gmane.org/gmane.comp.apache.mod-ssl.user/4947</link>
    <description>&lt;pre&gt;Hello,
here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* URL of mirror: ftp://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located:
Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mirror&amp;lt; at &amp;gt;artfiles.org
* Update frequency:  daily
* Speed: 1000MBit/s
Please add us to your list.

With best regards

Artfiles New Media GmbH

Andreas Worbs

&lt;/pre&gt;</description>
    <dc:creator>Andreas Worbs</dc:creator>
    <dc:date>2010-06-01T09:40:11</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user</link>
  </textinput>
</rdf:RDF>

