In general, when a client certificate is presented to the server the server
will attempt to "validate" the client certificate. In addition to checking
validity dates (i.e. make sure the certificate is not expired), Certificate
Revocation Lists (i.e. make sure the certificate is not revoked), and "Key
Usage" extensions (i.e. make sure the client can be used for client
authentication), the server will check the digital signature on each
certificate in the chain (i.e. root, intermediate, and end user).

To check digital signatures, the server will first check in your
SSLCACertificateFile to see if you have the root/intermediate/issuing
Certification Authority certificates. If you do not have these certificates,
the server will attempt to build the certificate chain from information
listed in either the "Authority Information Access" or "Authority/Subject
Key Identifier" extensions which are part of most certificates.

Once the certificate chain is built the public key of each certificate is
used to verify each "child's" certificate.

So to answer your question "Does it compare who signed the client
certificate with the CA it has in SSLCACertificateFile?": Yes. And if "who"
signed the client certificate is NOT in the SSLCACertificateFile the server
will attempt to download the signing certificate.

Hope this helps.


Sincerely,


Patrick Tronnier
Principal Security Architect
Open Access Technology International Inc.
www.oaticerts.com

CONFIDENTIAL INFORMATION: This email and any attachment(s) contain
confidential and/or proprietary information of Open Access Technology
International, Inc. Do not copy or distribute without the prior written
consent of OATI. If you are not a named recipient to the message, please
notify the sender immediately and do not retain the message in any form,
printed or electronic.
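The checks described above (issuer present in the trust file, signature verified, validity dates, key usage suitable for client authentication) can be reproduced at the command line with the openssl CLI. The script below is an added example and not code from this thread or from the Apache or OpenSSL projects: it builds a throwaway "Demo CA", a client certificate signed by it, a second CA that carries the same name but a different key, and a server certificate, then verifies the client certificate against each candidate SSLCACertificateFile. All names, paths and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the checks Apache/mod_ssl
# performs on a client certificate using the openssl CLI. Every name, path and
# the one-day lifetimes below are constructed for this demonstration.

# Create a self-signed CA: $1 = directory, $2 = file stem, $3 = subject.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Issue a leaf certificate: $1 = dir, $2 = stem, $3 = subject, $4 = CA stem,
# $5 = extendedKeyUsage value (clientAuth or serverAuth).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = %s\n' "$5" > "$1/$2.ext"
  openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# The naive comparison from the question: does the issuer name on the client
# certificate ($2) equal the subject name of the CA in the trust file ($1)?
# Prints "yes" or "no". A name match on its own proves nothing.
issuer_name_matches() {
  issuer=$(openssl x509 -noout -issuer -in "$2" | sed 's/^[a-z]*= *//')
  subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^[a-z]*= *//')
  if [ "$issuer" = "$subject" ]; then echo yes; else echo no; fi
}

# What the server actually does with SSLCACertificateFile ($1): chain the
# client certificate ($2) to a CA in that file, check the signature, the
# validity dates and that the key usage allows client authentication
# (-purpose sslclient). Prints "OK" or "FAIL".
verify_client() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Demonstration run in a temporary directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca "$WORK" ca "/CN=Demo CA"          # stand-in for demoCA/cacert.pem
make_ca "$WORK" impostor "/CN=Demo CA"    # same name, different key pair
issue_cert "$WORK" client "/CN=correij" ca clientAuth
issue_cert "$WORK" server "/CN=www.example.test" ca serverAuth

echo "real CA:      name match=$(issuer_name_matches "$WORK/ca.pem" "$WORK/client.pem")  verify=$(verify_client "$WORK/ca.pem" "$WORK/client.pem")"
echo "impostor CA:  name match=$(issuer_name_matches "$WORK/impostor.pem" "$WORK/client.pem")  verify=$(verify_client "$WORK/impostor.pem" "$WORK/client.pem")"
echo "server cert presented as client (EKU serverAuth): verify=$(verify_client "$WORK/ca.pem" "$WORK/server.pem")"
```

The real CA gives a name match and OK; the impostor CA also gives a name match but FAIL, because the signature on the client certificate does not verify under its key; and the server certificate fails even against the right CA because its extended key usage does not permit client authentication. That is why the server checks the signature and the key-usage extensions rather than only comparing issuer names.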


-----Original Message-----
From: Jose Correia (J) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 18, 2002 8:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates


Actually how does Apache know about the client certificate that the
client has got?? Does it compare who signed the client certificate
with the CA it has in SSLCACertificateFile?

Thanks anyone.
Regards
Jose


-----Original Message-----
From: Jose Correia (J) 
Sent: 18 September 2002 14:52
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates


Hi all

I'm actually now getting in ssl_engine.log:

[18/Sep/2002 14:41:57 32739] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

Any ideas? I don't understand how it can say "No CAs known to server
for verification" (although only a hint) if I am specifying:

SSLCACertificateFile /jose/CA2/demoCA/cacert.pem

in my httpd.conf...

Thanks
Jose



-----Original Message-----
From: Jose Correia (J) 
Sent: 18 September 2002 08:30
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: apache with client certificates


Hi there

I set the depth to 1 and I do have my cache set to:

SSLSessionCache         dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex

Still not working...

Argghhh, this is so frustrating... any other ideas?

Did you put your CA into the local .keystore or in C:\Program
Files\JavaSoft\JRE\1.3.1\lib\security\cacerts??

On my Java side I'm using JSSE 1.0.3 together with Innovation's
HTTPClient like:

// Imports added for completeness; assumed from the JSSE 1.0.3 (pre-JDK 1.4,
// com.sun.net.ssl) and Innovation HTTPClient packages named above.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import com.sun.net.ssl.KeyManagerFactory;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory;
import HTTPClient.HTTPConnection;
import HTTPClient.HTTPResponse;

// Register the JSSE provider.
java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

SSLContext sc = SSLContext.getInstance("SSL");
// Trust manager: the CAs this client accepts for the server certificate.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
// Key manager: the client certificate and private key presented to Apache.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

// One keystore holds both the CA certificate and the client key/certificate.
KeyStore ks = KeyStore.getInstance("JKS");
char[] passphrase = "whatever".toCharArray();
ks.load(new FileInputStream("C:\\Documents and Settings\\correij\\.keystore"), passphrase);

tmf.init(ks);
kmf.init(ks, passphrase);

sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

HTTPConnection con = new HTTPConnection("https", urlString, -1);
con.setDefaultSSLSocketFactory(sc.getSocketFactory());
HTTPResponse response = con.Get("/test/servlet/ldapb2bservlet");
InputStream content = response.getInputStream();
....


Any other ideas, thanks...
-----Original Message-----
From: Xperex Tim [mailto:[EMAIL PROTECTED]]
Sent: 18 September 2002 01:07
To: [EMAIL PROTECTED]
Subject: Re: apache with client certificates


I am using Apache 1.3.26 with OpenSSL 0.9.6c and client authentication
works for me.  I have SSLVerifyDepth set to 1 and specified an
SSLSessionCache but otherwise my setup is roughly the same as yours.

--- "Jose Correia (J)" <[EMAIL PROTECTED]> wrote:
> Hi all
> 
> Is anyone aware of Apache version 1.3.20 having problems with client
> authentication??
> 
> I've created my own CA created using openssl (vs 0.9.6a). I then
> created and signed my server certificate with the CA using openssl.
> (apache is on a RH Linux 6.2 machine)
> 
> I then created a client public key using Java's keytool (from my
> Win2000 client machine). I then took this key and signed it with my
> CA using openssl which I duly converted into DER format. I then
> imported my CA's certificate in my JSSE keystore plus the now created
> client certificate which replaces the previous public key.
> 
> In my Apache I mention these:
> SSLCertificateFile /jose/CA2/server.crt
> SSLCertificateKeyFile /jose/CA2/server.key
> SSLCACertificateFile /jose/CA2/demoCA/cacert.pem
> SSLVerifyClient require
> SSLVerifyDepth  10
> 
> When I connect, I'm getting the following on ssl_engine.log
> 
> "[17/Sep/2002 15:20:22 28388] [error] SSL handshake failed (server
> 155.239.48.43:443, client 165.148.59.202) (OpenSSL library error
> follows)
> [17/Sep/2002 15:20:22 28388] [error] OpenSSL: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"
> 
> and from my Java client I'm getting:
> 
> "main, SEND SSL v3.1 ALERT:  fatal, description = certificate_unknown
> main, WRITE:  SSL v3.1 Alert, length = 2
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated"
> 
> Hence my confusion since I know my client certificate was signed by
> the CA mentioned in apache httpd.conf... :-(
> 
> Anyone got a clue? I've searched extensively...
> 
> Thanks a lot
> Jose Correia
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
