<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.apache.mod-ssl.user">
    <title>gmane.comp.apache.mod-ssl.user</title>
    <link>http://blog.gmane.org/gmane.comp.apache.mod-ssl.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4964"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4963"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4958"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4957"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4956"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4954"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4949"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4948"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4947"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4946"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4945"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4944"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4942"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4941"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4939"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4938"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4937"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4936"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4964">
    <title>peer did not return a certificate No CAs known to server for verification?</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4964</link>
    <description>&lt;pre&gt;Hello All,

 

We have opened a java web service &amp;amp; our clients are facing issues while
accessing it. They are consistently getting SSL / TLS connection failure
message. All these clients are using VeriSign class 1 certificates. In
apache error logs we see below message:

 

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!? 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification:
Error (20): unable to get local issuer certificate 
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows) 
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

 

This is happening only with class 1 certificates, class 3 certificates
are working fine. Earlier we were using IBM HTTP Server &amp;amp; our clients
were able to connect to our w&lt;/pre&gt;</description>
    <dc:creator>Abhijit Bhate</dc:creator>
    <dc:date>2010-12-20T05:59:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4963">
    <title>App requires port 8081, gets errors using HTTPS</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4963</link>
    <description>&lt;pre&gt;
I have a third-party XML application compiled into Apache as a module that
requires using port 8081.  I have run it successfully for years using HTTP
on Apache 1.3.27 (the version required by the vendor), but now I need to run
it using HTTPS.

So, I installed openssl-0.9.4 and mod_ssl-2.8.14-1.3.27 and the installation
seemed to go well except for the question "File to Patch:  ", which I had to
skip since I had no answer for it.

The application still runs fine when I browse to http://my.app.com:8081, but
when I try HTTPS using https://my.app.com:8081 I get a message that "Secure
Connection Failed - SSL received a record that exceeded the maximum
permissible length (Error code: ssl_error_rx_record_too_long)."  An error
codes reference says, "This generally indicates that the remote peer system
has a flawed implementation of SSL, and is violating the SSL specification."

The Apache error log says "Invalid method in request \x16\x03\x01"

Any thoughts on how to troubleshoot this?

Thanks,
Dave

&lt;/pre&gt;</description>
    <dc:creator>dreed2010</dc:creator>
    <dc:date>2010-11-17T20:31:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4958">
    <title>Client Authentication</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4958</link>
    <description>&lt;pre&gt;Good Afternoon Everybody,

I am not sure if it is the right forum to ask this question. If not
please guide me.

mod_ssl provides fabulous mechanism of doing client authentication. It
does so by  issuing client certificates  signed by your own CA
certificate ca.crt.


 How can we use mod_ssl (with client auth) when we do not have
control of the whole community, i.e. people are using certificates that are
signed by a different CA?

 One way I was thinking was to accumulate public certs (which may not
be CA certs) in one place (a directory) and give its path to mod_ssl.

However I am not sure if this is a good practice or even a doable practice.

Any input will be highly appreciated.
Thank you.
rn
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users&amp;lt; at &amp;gt;modssl.org
Automated List Manager                            majordomo&amp;lt; at &amp;gt;modssl.org

&lt;/pre&gt;</description>
    <dc:creator>rangeli nepal</dc:creator>
    <dc:date>2010-10-17T00:19:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4957">
    <title>Certs work, one doesn't, cannot determine why</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4957</link>
    <description>&lt;pre&gt;Hi folks.  I'm *really* stumped here.  If anyone has any
ideas, I would love to hear them.  How can I debug this
further?  I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
        corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
        when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 
/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson 
Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to 
/apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement 
expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

&amp;lt;VirtualHost 1xx.xx.9.85:443&amp;gt;
     ServerName rtdev1.our.org:443

     ErrorLog logs/ssl_error443_l&lt;/pre&gt;</description>
    <dc:creator>Jeff Blaine</dc:creator>
    <dc:date>2010-10-15T21:49:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4956">
    <title>SSLv3 alone (without TLSv1) does not work from client browser</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4956</link>
    <description>&lt;pre&gt;In our Apache conf file, we have the following directives:

SSLProtocol -all +SSLv3 +TLSv1
SSLCipherSuite ALL:!DH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL:!aNULL

When we use a browser (Internet Explorer, or Firefox) to connect, it will work if we have both SSLv3 and TLSv1 configured within the browser.  But, when we remove the TLSv1, we cannot connect.

Does anyone know what could be the problem?

Thanks in advance,
Dan

&lt;/pre&gt;</description>
    <dc:creator>Hintz, Dan</dc:creator>
    <dc:date>2010-09-13T21:21:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4954">
    <title>Specifying the openssl version used with mod_ssl</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4954</link>
    <description>&lt;pre&gt; Hello,

    We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
separate from the default install. We have also rolled our own OpenSSL to
the latest version. However when we compile Apache and enable mod_ssl it
still uses the old OpenSSL version. We can see it in our http headers:

 

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

 

When typing "openssl version" from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when
configuring/making/installing apache it is finding openssl at the above
directory. The problem is though that the http header stays the same.

 

The problem is we can't upgrade the default openssl version on the OS
without apple providing the update. The outdated version is tripping our
security scans. Like I said we rolled our own updated version but cannot
get apache/mod_ssl to use it. Any help is appre&lt;/pre&gt;</description>
    <dc:creator>Gunner Geller</dc:creator>
    <dc:date>2010-09-09T16:13:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4949">
    <title>OCSP-validation fails</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4949</link>
    <description>&lt;pre&gt;Hi


I'm trying to get Apache to do Client certificate verification with OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. 
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder require a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seems to accept only signed requests and I'm trying to find out if this is one of them.

//// Will Apache be able to sign OCSP-requests ( In that case - How do I pass the cert/key) ? 

** my config ************************************************************************************************************************************* 

[root&amp;lt; at &amp;gt;fedoragui logs]# httpd -v
Server version: Apa&lt;/pre&gt;</description>
    <dc:creator>Ulf Wahlqvist</dc:creator>
    <dc:date>2010-07-27T14:43:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4948">
    <title>SSLCACertificateFile getting ignored when I use a Location directive</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4948</link>
    <description>&lt;pre&gt;

Hello,

Adding &amp;lt;Location&amp;gt; around SSLVerifyClient and SSLVerifyDepth is causing my mutual 
authentication to fail with a ssl_error_handshake_failure_alert message.    I 
can't seem to determine what might be causing this.   I'll just jump right to 
the code below:


[WORKS]

Excerpting my httpd.conf: 

&amp;lt;VirtualHost _default_:443&amp;gt;
 DocumentRoot "&amp;lt;path edited&amp;gt;/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "&amp;lt;path edited&amp;gt;/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "&amp;lt;path edited&amp;gt;/Cert/ssl.key/server.key"
 SSLCACertificateFile "&amp;lt;path edited&amp;gt; Cert/ca.cer"
  SSLVerifyClient required
  SSLVerifyDepth 1
 &amp;lt;truncated&amp;gt; 

The above works like a charm.    The only problem is it works EVERYWHERE I use 
443 ... which is as expected.    So when I add my &amp;lt;Location&amp;gt; directive as below 
I get the Error code: ssl_error_handshake_failure_alert.     Though it properly 
triggers this error on requests to the specified locatio&lt;/pre&gt;</description>
    <dc:creator>John Carpenter</dc:creator>
    <dc:date>2010-07-22T16:07:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4947">
    <title>FTP and HTTP Mirror</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4947</link>
    <description>&lt;pre&gt;Hello,
here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* URL of mirror: ftp://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located:
Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mirror&amp;lt; at &amp;gt;artfiles.org
* Update frequency:  daily
* Speed: 1000MBit/s
Please add us to your list.

With best regards

Artfiles New Media GmbH

Andreas Worbs

&lt;/pre&gt;</description>
    <dc:creator>Andreas Worbs</dc:creator>
    <dc:date>2010-06-01T09:40:11</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4946">
    <title>SSLRequire on OID extension DER encoded field value</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4946</link>
    <description>&lt;pre&gt;hey guys,
I hope you're all doing fine. I need a little support here on ssl client
verification, tell me please if this is not the right place. 

I need to check for specific extensions field value from x509 client
certificates to grant access to defined users. 

I read this could be possible using oid() or peerextlist() functions. 

I had to determine the field oid using openssl java package, and I'm
trying to debug the sslrequire check using setenvif module SSI+perl
printenv.pl (maybe there is a better way to do this?). 

So, my problem is I can't seem to find a way to validate my client based
on this field. 

I was wondering if first: this should work? second: if extension value
is der encoded would apache be able to handle this check and how would I
store the granted values. 

I'm using apache 2.2.9. Let me know if you need some more detailed info
on this, I can handle the certificate or my entire configuration file if
needed.

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBas&lt;/pre&gt;</description>
    <dc:creator>Lionel Falise</dc:creator>
    <dc:date>2010-05-10T15:02:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4945">
    <title>Jean-Pierre Guilloteau is absent.</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4945</link>
    <description>&lt;pre&gt;
I will be out of the office starting Sat 08/05/10 and will not return until
Mon 17/05/10.

I will respond to your message when I return.


&lt;/pre&gt;</description>
    <dc:creator>jpguilloteau&lt; at &gt;aspaway.fr</dc:creator>
    <dc:date>2010-05-10T14:01:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4944">
    <title>SSL_SESSION_ID on RHEL 5.5</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4944</link>
    <description>&lt;pre&gt;HI!

For security reasons I'm using env var SSL_SESSION_ID to cross-check the
application's session ID with the SSL session ID in my web application. This
works without any issues on my openSUSE boxes. Browser is Seamonkey 2.0.4.

But I have problems with Apache 2.2.3 shipped with
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Very soon the SSL session seems to be renegotiated resulting in a new value in
SSL_SESSION_ID

Relevant settings for SSL session resumptions:

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  7200

Any hint? Were there relevant fixes to mod_ssl after release 2.2.3? Or maybe
Red Hat backported patches against renegotiation attacks which cause the issue?

Ciao, Michael.
&lt;/pre&gt;</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2010-05-10T13:51:09</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4942">
    <title>???? Skipping generating temporary 512 bit RSA private key in FIPS mode</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4942</link>
    <description>&lt;pre&gt;
How do I get rid of these errors?

FIPS Openssl 1.2

[Thu Apr 29 15:41:22 2010] [notice] Operating in SSL FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
[Thu Apr 29 15:41:22 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/FIPS DAV/2 SVN/1.6.11 configured -- resuming normal operations

&lt;/pre&gt;</description>
    <dc:creator>Ed snooper</dc:creator>
    <dc:date>2010-04-30T17:50:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4941">
    <title>Skipping generating temporary 512 bit RSA private key in FIPS mode</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4941</link>
    <description>&lt;pre&gt;
How do I get rid of these errors? 

FIPS Openssl 1.2

[Thu Apr 29 15:41:22 2010] [notice] Operating in SSL FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
[Thu Apr 29 15:41:22 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/FIPS DAV/2 SVN/1.6.11 configured -- resuming normal operations

       
&lt;/pre&gt;</description>
    <dc:creator>Keith Theman</dc:creator>
    <dc:date>2010-04-29T20:09:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4939">
    <title>Client certificate do not work / renegotiate</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4939</link>
    <description>&lt;pre&gt;Hello,
In a host where client certificate is optional and in some directories
requirement. Server is SNI, and this configuration works fine before
SNI.

&amp;lt;Location "/certrequirement"&amp;gt;
&amp;lt;/Location&amp;gt;
...

I use SNI client (firefox) with client certificate that works on optional locations but do not in certrequirement location.






Anyone knows where is the problem?
Why do not work in required, and do the job in optional?


&lt;/pre&gt;</description>
    <dc:creator>Developer</dc:creator>
    <dc:date>2010-03-29T18:14:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4938">
    <title>mod_ssl and ephemeral keying</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4938</link>
    <description>&lt;pre&gt;Hello,
regarding http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
there seem to be different ways to enable ephemeral keying by using
SSLCipherSuite in the mod_ssl config.

If I specify kEDH for the kex algorithm, does it mean that the key
exchange is not integrity protected by using RSA/DSA (b/c the
description states "no cert.")?

So, if I want ephemeral keying with integrity protection, do I have
to use:
a.) SSLCipherSuite kDHr:kDHd:...
or
b.) SSLCipherSuite kEDH:EDH
or something else?


Thanks for your help.

Thomas




&lt;/pre&gt;</description>
    <dc:creator>Thomas</dc:creator>
    <dc:date>2010-03-29T15:58:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4937">
    <title>Apache 1.3.42 support</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4937</link>
    <description>&lt;pre&gt;Hi, there was a previous post about an update to mod_ssl for Apache
1.3.42.  The reply was that not until OpenSSL 0.9.8m was released would
this happen (possibly happen).  0.9.8m has been out since February 25th. 
0.9.8n came out yesterday actually.  Is there any word on a new version of
mod_ssl for Apache 1.3.42?

Also, since there's no new version of mod_ssl just yet, can I use mod_ssl
2.8.31 with Apache 1.3.42?  Or is each release of mod_ssl only for a
specific version of Apache?

Thanks!  Rob.




&lt;/pre&gt;</description>
    <dc:creator>spamaway&lt; at &gt;pfharlock.com</dc:creator>
    <dc:date>2010-03-25T18:54:08</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4936">
    <title>Jean-Pierre Guilloteau is absent.</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4936</link>
    <description>&lt;pre&gt;
I will be out of the office starting Sat 13/03/10 and will not return until
Mon 22/03/10.

I will respond to your message when I return.


&lt;/pre&gt;</description>
    <dc:creator>jpguilloteau&lt; at &gt;aspaway.fr</dc:creator>
    <dc:date>2010-03-17T09:01:57</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4934">
    <title>modssl mirror</title>
    <link>http://comments.gmane.org/gmane.comp.apache.mod-ssl.user/4934</link>
    <description>&lt;pre&gt;Hello,
here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* URL of mirror: ftp://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located:
Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mirror&amp;lt; at &amp;gt;artfiles.org
* Update frequency:  daily
* IP: 80.252.110.38
* Speed: 1000MBit/s
Please add us to your list.

With best regards

Artfiles New Media GmbH

Andreas Worbs

&lt;/pre&gt;</description>
    <dc:creator>Andreas Worbs</dc:creator>
    <dc:date>2010-03-01T15:04:43</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.apache.mod-ssl.user</link>
  </textinput>
</rdf:RDF>

