httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Wadham <>
Subject [users@httpd] Client-side SSL certificate authentication
Date Thu, 09 Sep 2010 08:10:07 GMT

I'm slowly going insane trying to get clientside SSL auth to work with
Apache 2.2.  I think it's mostly related to the recent openssl bug
which caused ssl renegotiation to be completely disabled.  Initial
configuration steps were:

1. Created ca crt/key pair
2. Created apache key/crt pair
3. Signed apache key/crt pair with the new ca
4. Created client crt/key pair
5. Signed client cert with ca
6. Exported client crt/key pair to .p12 format\
7. Installed client crt/key pair .p12 bundle into the browser

My vhost looks like this (slightly redacted for privacy reasons):


  CustomLog /var/log/apache2/CLIENT.mark-alogs combined
  ErrorLog /var/log/apache2/CLIENT.mark-elogs

  SSLEngine on
  SSLCertificateFile /etc/ssl/private/apache.crt
  SSLCertificateKeyFile /etc/ssl/private/apache.key

  DocumentRoot "/var/www/CLIENT/htdocs"
  ServerName mark
  DirectoryIndex     index.php

  SSLCACertificateFile /etc/ssl/private/ca.crt
  SSLOptions +FakeBasicAuth +ExportCertData

  RewriteEngine On

  # rewrite rules and aliases redacted

  <IfModule authn_dbd_module>
    DBDriver pgsql
    DBDParams "dbname=CLIENT user=mark"
    DBDPersist Off
    DBDMin  0
    DBDKeep 1
    DBDMax 1
    DBDExptime 5

  <Directory /var/www/CLIENT">
    SSLVerifyClient optional
    SSLVerifyDepth 1

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType Basic
    AuthName "mark"
    AuthBasicProvider dbd

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery \
    "SELECT password FROM user WHERE username = %s"


This works in the sense that it forces the browser to select a
certificate when connecting, however the auth fails and in the logs I

[Thu Sep 09 08:45:41 2010] [info] Initial (No.1) HTTPS request
received for child 1 (server mark:443)
[Thu Sep 09 08:45:41 2010] [info] Requesting connection re-negotiation
[Thu Sep 09 08:45:41 2010] [info] Awaiting re-negotiation handshake
[Thu Sep 09 08:45:41 2010] [error] Re-negotiation handshake failed:
Not accepted by client!?

which suggests to me that it's broken because renegotiation isn't
allowed, and the SSLVerifyClient directive in the Directory context
makes it think it needs to renegotiate because the Directory context
is different from the VirtualHost context.  If I move SSLVerifyClient
into the VirtualHost context the error goes away, but no client ssl
authentication is done at all.  If I put it in both contexts, the same
errors occurs, so it's trying to renegotiate even though both contexts
have the same directive.

I've spent hours crawling forums and google trying to figure this out
and I'm baffled, did the disabling of renegotiation basically prevent
client-side ssl auth from working or is there a way round this?  I'm
confused as to why SSLVerifyClient does nothing when used in the
VirtualHost context, could it be that I have something elsewhere in
the apache general config that disables it when used in this context?

Any help and advice would be much appreciated.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message