httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan Brown" <em745...@blueyonder.co.uk>
Subject Re: [users@httpd] SSL library error 1 in handshake
Date Tue, 18 Jan 2011 16:28:53 GMT
Not sure if this is the cause of your problem but the phrase 'works until I add: SSLVerifyClient
require' reminds me of a similar problem I encountered recently with SSL client certificates.
In Apache documentation on SSL (or in Apache Cookbook) it doesn't mention that a client certificate
must contain a private key as well as the actual cert itself.

Thus a composite file in a standard format called PKCS#12 (.p12 file extension) is needed,
which you can create with the OpenSSL command :-

openssl pkcs12 -export -out client_a.p12 -in client_a.crt -inkey client_a.key

where client_a.crt is the client cert and client_a.key is the private key file.

This file can then be imported to a browser as a 'Personal Certificate'.

Without the private key on the client side SSL Handshake will not work.

HTH.

  ----- Original Message ----- 
  From: g f 
  To: users@httpd.apache.org 
  Sent: Tuesday, January 18, 2011 3:36 PM
  Subject: Re: [users@httpd] SSL library error 1 in handshake


  Hello Martin,
  thanks for the reply.
  I have those directives already and it all works until I add:
  SSLVerifyClient require

  I changed this directive to optional and it seems to work now, though I am not so confidant
in this configuration.
  I wonder if there is a way to pass the client cert through to the python proxy?

  Thanks,
  G40


  On Tue, Jan 18, 2011 at 9:30 AM, Martin Kuba <makub@ics.muni.cz> wrote:

    Hi G40,

    the "SSLVerifyClient require" requires that the client presents a certificate.
    You have to configure also the list of Certification Authorities that
    the server accepts by the following directives:

     SSLCACertificatePath /etc/ssl/certs/
    or
     SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    If the client certificate is not signed by a root CA, but by some intermediate CA,
    which may be in turn signed by another intermediate CA, etc., you need also
    to set the value for SSLVerifyDepth to the highest length of the certificate chain
    that the client may provide.

    The "Allow" directives play no role in this, because the error you have got
    happened during the SSL handshake, which is sooner than the Allow directives are applied.

    Martin

    Dne 18.1.2011 16:16, g f napsal(a):


      Hello all,
      I have a debian os running Apache 2.2.16(debian) along with tomcat 6.0.29. I use mod_jk
as well as mod_auth_kerb module for apache. Apache and the modules are debian repository packages.

      I recently attempted to activate common access cards and if I just activate them but
do not force them it works great.
      Once I force access cards, I get the following error and my web-apps break.

      Force access cards via:
      |SSLVerifyClient require
      SSLVerifyDepth 2|

      info level logging error.log:
      [Tue Jan 18 14:47:07 2011] [info] [client 127.0.1.1] SSL library error 1 in handshake
(server myserver.xxx.xxx.xxx:443)
      [Tue Jan 18 14:47:07 2011] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate No CAs known to server for verification?

      The web-app that throws this message uses a python proxy to make an ajax call to a different
web context (we do this to avoid the cross site error).
      I believe what is happening is that the python script [client 127.0.1.1] is making the
request to apache without valid client certs and hence is getting denied.
      I have a directive in apache2_home/sites-enabled/default-ssl conf file that I had hoped
would solve this issue(however it does not).
      directive in default-ssl conf file
      |Allow from localhost
      Allow from 127.0.1.1
      Allow from 127.0.0.1

      |Is there a solution to this issue?
      Perhaps a way to not require client cert from localhost?
      Thanks for any advice, much appreciated!

      Cheers,
       G40




    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Supercomputing Center Brno             Martin Kuba
    Institute of Computer Science    email: makub@ics.muni.cz
    Masaryk University             http://www.ics.muni.cz/~makub/
    Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
    --------------------------------------------------------------




Mime
View raw message