From: Du Hao
Date: Wed, 10 Apr 2019 23:48:09 +0800
To: users@httpd.apache.org
Subject: [users@httpd] Unexpected result of requesting client certificate when requesting locations with different SSLVerifyClient settings

Hello,

I ran into a problem when configuring different locations for Apache HTTP Server while utilizing client certificates. The client certificate is not stored permanently in the browser; it is expected that the client certificate will be inserted via an encrypted USB stick before the user clicks on the protected location.

Let's say I have a virtual host (https://host/) with SSLVerifyClient optional and a location inside that v-host (https://host/require) with SSLVerifyClient require.

___________________sample config_____________
<VirtualHost _default_:443>
ServerName host
........
SSLVerifyClient optional
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +ExportCertData
.......
<Location /require>
SSLVerifyClient require
</Location>
</VirtualHost>
___________________________________________

When I directly visit either https://host/require or https://host/, they both request the client certificate normally; the difference is that if I cancel submitting the certificate, the latter still allows access, while the former rejects access with the SSL error ERR_BAD_SSL_CLIENT_AUTH_CERT.

The problem happens when I don't submit the certificate (or don't have a certificate at the time) when I visit https://host/, then acquire the client certificate and browse to https://host/require in the same browser tab. Ideally it should request the client certificate once more, but it doesn't; instead it emits ERR_BAD_SSL_CLIENT_AUTH_CERT immediately. Only after I click the Refresh button on https://host/require does it request the client certificate as normal.

I checked the debug log and it looks like the following:

_________Visiting https://host/_________
[Wed Apr 10 23:13:49.290449 2019] [ssl:debug] [pid 2656:tid 140593581737728] ssl_engine_kernel.c(746): [client 10.111.84.227:62107] AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:49.290476 2019] [ssl:info] [pid 2656:tid 140593581737728] [client 10.111.84.227:62107] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:49.290485 2019] [ssl:debug] [pid 2656:tid 140593581737728] ssl_engine_kernel.c(975): [client 10.111.84.227:62107] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Wed Apr 10 23:13:49.290530 2019] [ssl:info] [pid 2656:tid 140593581737728] [client 10.111.84.227:62107] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:49.292550 2019] [ssl:error] [pid 2656:tid 140593581737728] [client 10.111.84.227:62107] AH02261: Re-negotiation handshake failed

_________Clicking "cancel" on submitting certificate to https://host/_________
[Wed Apr 10 23:13:50.788696 2019] [ssl:debug] [pid 2656:tid 140593573345024] ssl_engine_kernel.c(746): [client 10.111.84.227:62108] AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:50.788795 2019] [ssl:info] [pid 2656:tid 140593573345024] [client 10.111.84.227:62108] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:50.788832 2019] [ssl:debug] [pid 2656:tid 140593573345024] ssl_engine_kernel.c(975): [client 10.111.84.227:62108] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Wed Apr 10 23:13:50.789059 2019] [ssl:info] [pid 2656:tid 140593573345024] [client 10.111.84.227:62108] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:50.794931 2019] [authz_core:debug] [pid 2656:tid 140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.794940 2019] [authz_core:debug] [pid 2656:tid 140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798066 2019] [authz_core:debug] [pid 2656:tid 140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798075 2019] [authz_core:debug] [pid 2656:tid 140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798100 2019] [authz_core:debug] [pid 2656:tid 140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798103 2019] [authz_core:debug] [pid 2656:tid 140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108] AH01626: authorization result of <RequireAny>: granted

_________Visiting https://host/require_________
[Wed Apr 10 23:14:08.548394 2019] [ssl:debug] [pid 2534:tid 140593665664768] ssl_engine_kernel.c(746): [client 10.111.84.227:62110] AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.548469 2019] [ssl:info] [pid 2534:tid 140593665664768] [client 10.111.84.227:62110] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.548505 2019] [ssl:debug] [pid 2534:tid 140593665664768] ssl_engine_kernel.c(975): [client 10.111.84.227:62110] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Wed Apr 10 23:14:08.548659 2019] [ssl:info] [pid 2534:tid 140593665664768] [client 10.111.84.227:62110] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.553605 2019] [ssl:error] [pid 2534:tid 140593665664768] [client 10.111.84.227:62110] AH02261: Re-negotiation handshake failed
[Wed Apr 10 23:14:08.559173 2019] [ssl:debug] [pid 2656:tid 140593531381504] ssl_engine_kernel.c(746): [client 10.111.84.227:62111] AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.559240 2019] [ssl:info] [pid 2656:tid 140593531381504] [client 10.111.84.227:62111] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.559275 2019] [ssl:debug] [pid 2656:tid 140593531381504] ssl_engine_kernel.c(975): [client 10.111.84.227:62111] AH02260: Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Wed Apr 10 23:14:08.559395 2019] [ssl:info] [pid 2656:tid 140593531381504] [client 10.111.84.227:62111] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.565194 2019] [ssl:error] [pid 2656:tid 140593531381504] [client 10.111.84.227:62111] AH02261: Re-negotiation handshake failed
[Wed Apr 10 23:14:08.565268 2019] [ssl:error] [pid 2656:tid 140593531381504] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
_________Server emits ERR_BAD_SSL_CLIENT_AUTH_CERT_________

I tried the following scenarios:
1. The Vhost root uses SSLVerifyClient none and the Location uses SSLVerifyClient require: the latter emits no error before requesting the client certificate;
2. The Vhost root uses SSLVerifyClient none, Location1 uses SSLVerifyClient optional, and Location2 uses SSLVerifyClient require: if I have visited Location1 and submitted no client certificate, Location2 will emit ERR_BAD_SSL_CLIENT_AUTH_CERT before requesting the client certificate, no matter whether I am jumping from root or Location1.

I suspect there is a bug involved in the SSL client verification type change and the re-negotiation flow. While I admit it may be a corner case, the original use case is very crucial to my current user base. I checked the Bug database and there is a similar bug, except that one is related to TLSv1.3. For browser compatibility, I am currently disabling TLSv1.3, although I am testing with Apache 2.4.38 and OpenSSL 1.1.1b.

I would love to hear any suggestions on an alternative configuration to support my scenario, and thank you very much in advance.

Regards,
Hao Du
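Editor's note (added example, not part of the poster's message or of any reply on the list). What the log above shows is mod_ssl doing exactly what a per-directory SSLVerifyClient forces it to do: the initial handshake runs with the vhost's mode, and only once the request path is known (AH02255 "Changed client verification type") does it ask for a TLS renegotiation (AH02221/AH02260) to obtain the certificate. That makes access control to /require depend on a mechanism that is fragile by design: it requires the client to support RFC 5746 secure renegotiation (the "client does support secure renegotiation" check in AH02260), it cannot exist at all in TLS 1.3, which removed renegotiation, and it leaves a connection that once declined a certificate in a state the next request inherits. A configuration that fixes the verification mode for the whole connection at the initial handshake never enters that path. The two layouts below are my own, written against the directives in the poster's config; hostnames, ports, paths and the IfDefine names are placeholders, and Require ssl-verify-client is the mod_ssl 2.4 authorization provider, not anything from the original post.

```apache
# Added example (not the poster's config). Two renegotiation-free layouts for
# "public content plus a client-certificate-only area". Load exactly one of
# them, e.g.  httpd -D PER_HOST -t   or   httpd -D PER_LOCATION -t
# Hostnames, paths and the two IfDefine names are placeholders (assumptions).

# --- PER_HOST: one verification mode per virtual host ------------------------
# The public site never asks for a certificate. The protected area lives on a
# separate name-based vhost (chosen by SNI) whose SSLVerifyClient is set at
# vhost level, so the certificate is requested in the very first handshake and
# no later request can change the mode. A visit to the public site can no
# longer leave the connection in a "no certificate offered" state.
<IfDefine PER_HOST>
<VirtualHost *:443>
    ServerName host
    SSLEngine on
    SSLCertificateFile    /etc/ssl/host.crt          # placeholder path
    SSLCertificateKeyFile /etc/ssl/host.key          # placeholder path
    SSLVerifyClient none
    DocumentRoot /var/www/public
    # Keep old links working: send /require to the certificate-only host.
    Redirect permanent /require https://require.host/
</VirtualHost>

<VirtualHost *:443>
    ServerName require.host                          # placeholder; needs DNS + server cert
    SSLEngine on
    SSLCertificateFile    /etc/ssl/require.host.crt
    SSLCertificateKeyFile /etc/ssl/require.host.key
    SSLCACertificateFile  /etc/ssl/client-ca.pem     # CA that issued the USB-stick certs
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData
    DocumentRoot /var/www/protected
</VirtualHost>
</IfDefine>

# --- PER_LOCATION: ask once, decide per location -----------------------------
# SSLVerifyClient optional at vhost level requests a certificate in the initial
# handshake but lets the connection proceed without one (this is what the
# poster's vhost already does). The protected Location does NOT override
# SSLVerifyClient, so nothing triggers AH02255/renegotiation; instead the
# mod_ssl authorization provider denies the request with HTTP 403 unless the
# handshake already verified a client certificate.
<IfDefine PER_LOCATION>
<VirtualHost *:443>
    ServerName host
    SSLEngine on
    SSLCertificateFile    /etc/ssl/host.crt
    SSLCertificateKeyFile /etc/ssl/host.key
    SSLCACertificateFile  /etc/ssl/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData
    DocumentRoot /var/www/public

    <Location "/require">
        # 403 for connections that offered no (or an unverifiable) certificate.
        Require ssl-verify-client
    </Location>
</VirtualHost>
</IfDefine>
```

Trade-offs worth stating plainly: PER_HOST gives the cleanest failure mode (a user without a certificate gets the handshake error only on require.host and the public site is unaffected) but needs a second hostname, DNS entry and server certificate; PER_LOCATION needs none of that but turns a missing certificate into a 403 page rather than a TLS error, and it asks every visitor of https://host/ for a certificate, exactly as the poster's current vhost does. Neither layout changes the behaviour the poster is really asking about: the server can only request a certificate during a handshake, so whether a browser offers a newly inserted certificate on a later connection without a reload is browser behaviour that no httpd directive controls.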