httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Du Hao <dwayn...@gmail.com>
Subject [users@httpd] Unexpected result of requesting client certificate when requesting locations with different SSLVerifyClient settings
Date Wed, 10 Apr 2019 15:48:09 GMT
Hello,

I ran into a problem when configuring different locations for Apache HTTP
Server while utilizing client certificate. The client certificate is not
stored permanently on the browser; It is expected that the client
certificate will be inserted by encrypted USB stick before the user is
clicking on the protected location.

Let's say I have a virtual host (https://host/) with SSLVerifyClient
optional and a location inside that v-host (https://host/require) with
SSLVerifyClient require.
___________________sample config_____________

<VirtualHost _default_:443>
ServerName host
........
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +ExportCertData
.......
<Location /require>
SSLVerifyClient require
</Location>
</VirtualHost>
___________________________________________


When I either directly visit https://host/require or https://host/, they
both request client certificate normally; the difference is that if I
cancel submitting certificate, the latter one would still allow access,
while the former one rejecting access by SSL error:
ERR_BAD_SSL_CLIENT_AUTH_CERT.
The problem happens when I DOESN'T submit the certificate (or don't have a
certificate at the time) when I visit https://host/, then I acquired the
client certificate and then browse to https://host/require in the same
browser tab. Ideally it should request client certificate once more, but it
doesn't; instead it emits ERR_BAD_SSL_CLIENT_AUTH_CERT immediately. Only
after I clicked the Refresh button on https://host/require, then it request
client certificate as normal.

I checked the debug log and it looks like the following:

_________Visiting https://host/_________
[Wed Apr 10 23:13:49.290449 2019] [ssl:debug] [pid 2656:tid
140593581737728] ssl_engine_kernel.c(746): [client 10.111.84.227:62107]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:49.290476 2019] [ssl:info] [pid 2656:tid 140593581737728]
[client 10.111.84.227:62107] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:49.290485 2019] [ssl:debug] [pid 2656:tid
140593581737728] ssl_engine_kernel.c(975): [client 10.111.84.227:62107]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:13:49.290530 2019] [ssl:info] [pid 2656:tid 140593581737728]
[client 10.111.84.227:62107] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:49.292550 2019] [ssl:error] [pid 2656:tid
140593581737728] [client 10.111.84.227:62107] AH02261: Re-negotiation
handshake failed
_________Clicking "cancel" on submitting certificate to
https://host/_________
[Wed Apr 10 23:13:50.788696 2019] [ssl:debug] [pid 2656:tid
140593573345024] ssl_engine_kernel.c(746): [client 10.111.84.227:62108]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:50.788795 2019] [ssl:info] [pid 2656:tid 140593573345024]
[client 10.111.84.227:62108] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:50.788832 2019] [ssl:debug] [pid 2656:tid
140593573345024] ssl_engine_kernel.c(975): [client 10.111.84.227:62108]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:13:50.789059 2019] [ssl:info] [pid 2656:tid 140593573345024]
[client 10.111.84.227:62108] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:50.794931 2019] [authz_core:debug] [pid 2656:tid
140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.794940 2019] [authz_core:debug] [pid 2656:tid
140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798066 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798075 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798100 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798103 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
_________Visiting https://host/require_________
[Wed Apr 10 23:14:08.548394 2019] [ssl:debug] [pid 2534:tid
140593665664768] ssl_engine_kernel.c(746): [client 10.111.84.227:62110]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.548469 2019] [ssl:info] [pid 2534:tid 140593665664768]
[client 10.111.84.227:62110] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.548505 2019] [ssl:debug] [pid 2534:tid
140593665664768] ssl_engine_kernel.c(975): [client 10.111.84.227:62110]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:14:08.548659 2019] [ssl:info] [pid 2534:tid 140593665664768]
[client 10.111.84.227:62110] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.553605 2019] [ssl:error] [pid 2534:tid
140593665664768] [client 10.111.84.227:62110] AH02261: Re-negotiation
handshake failed
[Wed Apr 10 23:14:08.559173 2019] [ssl:debug] [pid 2656:tid
140593531381504] ssl_engine_kernel.c(746): [client 10.111.84.227:62111]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.559240 2019] [ssl:info] [pid 2656:tid 140593531381504]
[client 10.111.84.227:62111] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.559275 2019] [ssl:debug] [pid 2656:tid
140593531381504] ssl_engine_kernel.c(975): [client 10.111.84.227:62111]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:14:08.559395 2019] [ssl:info] [pid 2656:tid 140593531381504]
[client 10.111.84.227:62111] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.565194 2019] [ssl:error] [pid 2656:tid
140593531381504] [client 10.111.84.227:62111] AH02261: Re-negotiation
handshake failed
[Wed Apr 10 23:14:08.565268 2019] [ssl:error] [pid 2656:tid
140593531381504] SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a certificate
-- No CAs known to server for verification?
_________Server emits ERR_BAD_SSL_CLIENT_AUTH_CERT_________

I tried with the following scenarios:
1. The Vhost root use SSLVerifyClient none and Location uses
SSLVerifyClient require: the latter emits no error before requesting client
certificate;
2. The Vhost root use SSLVerifyClient none, Location1 uses SSLVerifyClient
optional, and Location2 uses SSLVerifyClient require: If I have visited
Location1 and submitted no client certificate, Location2 will emit
ERR_BAD_SSL_CLIENT_AUTH_CERT before requesting client certificate, no
matter if I am jumping from root or Location 1.

I suspect there is a bug involved in the SSL client verification type
changing and the re-negotiation flow. While I admit it may be a corner case
but the original use case is very crucial to my current user base. I
checked the Bug database and there is a similar bug except that is related
to TLSv1.3. For browser compatibility, I am currently disabling TLSv1.3,
although I am testing with Apache 2.4.38 and OpenSSL 1.1.1b.
I would love to hear any suggestions on an alternative configuration to
support my scenario, and thank you very much in advance.

Regards,
Hao Du

Mime
View raw message