httpd-users mailing list archives

From "Jason Pyeron" <jpye...@pdinc.us>
Subject RE: [users@httpd] CAC Card Client Certificate Auth and Crypto Suites
Date Mon, 23 Mar 2015 23:51:39 GMT
> -----Original Message-----
> From: McGregor, Donald (Don) (CIV) 
> Sent: Monday, March 23, 2015 15:22
> 
> 
> I'm attempting to get smart cards (DoD CAC) working with 
> apache 2.2 (CentOS 6).
> 
> It works on some browsers-Chrome, Safari-but not Firefox 
> 36.0.3 and IE 11.0.9600.1760 on Windows 8.1. Firefox doesn't work
> on OS X, either. The root cause of the problem seems to be 
> the SSL negotiation.

Interesting.

Let's ignore FF and OS X for now, as Chrome and IE (on Windows) use the same certificate store
for accessing the smart card.

> 
> The SSLProtocol setting is this:
> 
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1
> 
> I started off allowing TLS 1.1 and 1.2 but this seemed to 
> provoke complaints in the
> protocol negotiation about downgrade attacks. Apparently the 
> clients tried to downgrade
> to TLS1 and the server thought there was some sort of attack going on
> and terminated the negotiation. 
> 
> The above change got through the initial version negotiation, 
> but then ran aground on 
> this, with info level debugging on:
> 

Can you run wireshark on the browser side?

I would like to see (pcap.gz please) the chrome success and the IE failure, then we can tweak
to get IE working too.

> 
> [Mon Mar 23 12:08:08 2015] [info] Seeding PRNG with 144 bytes 
> of entropy
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL 
> library error 1 in handshake (server localhost.localdomain:443)
> [Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 
> 336109761 error:1408A0C1:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too 
> restrictive SSLCipherSuite or using DSA server certificate?
> [Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] 
> Connection closed to child 2 with abortive shutdown (server 
> localhost.localdomain:443)
> 
> 
> The cipher suite is highly (i.e., too) accommodating:
> 
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> 
> So:
> 
> Anyone seen this before? What should the SSLProtocol and 
> CipherSuite settings be to allow
> client certificate authentication while maintaining 
> reasonable security? Alternatively, what
> should the client settings on the browsers be? I have very 
> limited control over the client
> settings but it would be nice to know.
> 
> httpd-2.2.15-39.el6.centos.x86_64
> openssl-1.0.1e-30.el6_6.5.x86_64

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00. 
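As an added example (not part of either message in this thread), a small Python diagnostic for the two things the thread turns on: what the quoted SSLProtocol line actually leaves enabled, and pulling the "no shared cipher" handshake failures out of a mod_ssl error log. Assumptions: `All` expands to the five protocol names listed in the code, and the sample log is the page's wrapped excerpt re-joined into single lines.

```python
import re

# Protocol names accepted by the Apache 2.2 SSLProtocol directive.
# Assumption (not stated on the page): "All" expands to every name listed here.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def enabled_protocols(directive):
    """Return the set of protocol versions an SSLProtocol line leaves enabled."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled

# mod_ssl 2.2 logs a failed handshake as two [info] lines: one naming the
# client and server, then one carrying the OpenSSL error code and reason.
CLIENT_LINE = re.compile(
    r"\[client (?P<client>[^\]]+)\] SSL library error \d+ in handshake "
    r"\(server (?P<server>[^)]+)\)")
LIBRARY_LINE = re.compile(
    r"SSL Library Error: \d+ error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$")

def handshake_failures(lines):
    """Pair each client line with the library error line that follows it."""
    failures, pending = [], None
    for line in lines:
        m = CLIENT_LINE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = LIBRARY_LINE.search(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            failures.append(pending)
            pending = None
    return failures

# Constructed sample: the page's wrapped log excerpt re-joined into single lines.
SAMPLE_LOG = [
    "[Mon Mar 23 12:08:08 2015] [info] [client 172.20.82.139] SSL library error 1 in handshake (server localhost.localdomain:443)",
    "[Mon Mar 23 12:08:08 2015] [info] SSL Library Error: 336109761 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too restrictive SSLCipherSuite or using DSA server certificate?",
]
```

Run `enabled_protocols("SSLProtocol All -SSLv2 -SSLv3 -TLSv1.2 -TLSv1.1")` to see that the quoted directive leaves only TLSv1 enabled, and `handshake_failures(SAMPLE_LOG)` to get the client, error code and reason of the failed handshake as one record.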
