--------------------------------------------
On Tue, 6/17/14, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

 Subject: Re: mod_ssl - client certificates broken after yum update of openssl
 To: openssl-users@openssl.org
 Date: Tuesday, June 17, 2014, 10:53 PM

 On Tue, Jun 17, 2014 at 06:48:28PM -0700, Nelson wrote:

 > Perfectly working VM running Amazon Linux with Apache and mod_ssl
 > configured for client certificates.
 >
 > Ran yum update to get the latest openssl (OpenSSL 1.0.1h-fips 5
 > Jun 2014)/mod_ssl(2.2.27)/httpd(2.2.27) security updates from
 > Amazon's yum repository.

 Did Apache get upgraded too? Did the upgrade change the default
 cipherlist?

 > Now the client certificate checks are failing and I am getting:

 What is the key size of the client certificates? What is the
 signature algorithm?

 > "Certificate Verification: Error (7): certificate signature
 > failure" in the Apache log.

 Are they signed with MD5? Did Apache disable support for MD5 signed
 certs?

 > SSLVerifyClient require
 > SSLVerifyDepth 1
 > SSLCACertificateFile /etc/ssl/certs/clientca_master

 Have you tried a VerifyDepth of 2 or more?

 Do the client certs in question work with "openssl s_server" as the
 server?

 --
 	Viktor.

Viktor,

Apache was upgraded with openssl as well as mod_ssl. I am not sure how to check if the cipherlist changed (see output from openssl s_client below). I tried VerifyDepth of 5, no change.
Haven't ever tested a certificate before, but I tried:

    openssl s_server -accept 7569 -cert /home/ssl/client-cert.pem -key /home/ssl/client-key.pem -CAfile /home/ssl/ca_master

which returns:

    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT

Below is the certificate information, hopefully that exposes something:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=California, L=XXXX, O=XXXX Software, OU=RSG, CN=xxxxx/emailAddress=x...@xxxx.com
            Validity
                Not Before: Sep 13 21:46:05 2013 GMT
                Not After : Dec 30 21:46:05 2037 GMT
            Subject: C=US, ST=California, L=XXXXX, O=XXXX Software, OU=RSG, CN=xxxxx/emailAddress=xx...@xxxxx.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        (modulus bytes omitted)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    D3:22:6B:17:D1:55:0A:4F:88:4A:3B:BE:D1:EF:AD:A8:F2:E4:98:60
                X509v3 Authority Key Identifier:
                    keyid:D3:22:6B:17:D1:55:0A:4F:88:4A:3B:BE:D1:EF:AD:A8:F2:E4:98:60
                    DirName:/C=US/ST=California/L=XXXXX/O=XXXXX Software/OU=RSG/CN=xxxxx/emailAddress=xx...@xxxx.com
                    serial:00
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: md5WithRSAEncryption
            (signature bytes omitted)

And openssl s_client (didn't know which certificate to try) makes s_server output:

    Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5
    CIPHER is ECDHE-RSA-AES256-GCM-SHA384
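As an added example (not from this thread or from the OpenSSL project), the following POSIX shell helper answers Viktor's first two questions, signature digest and RSA key size, from the text that `openssl x509 -noout -text` prints, so a set of client certificates can be screened for MD5 signatures before a server-side OpenSSL upgrade. The function names are hypothetical and the sample inputs are constructed to mirror the certificate shown above.

```shell
#!/bin/sh
# Added example, not from the thread: screen a certificate for the two
# properties Viktor asks about, signature digest and RSA key size, using the
# text that `openssl x509 -noout -text` prints. Helper names are hypothetical.

# cert_check_text: read x509 -text output on stdin and report.
# Exit status: 0 = acceptable, 1 = MD5/SHA-1 signature, 2 = RSA key < 2048 bits,
#              3 = expected fields not found.
cert_check_text() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
    # OpenSSL 1.0 prints "RSA Public Key: (2048 bit)", newer "Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$sigalg" ] && [ -n "$bits" ] || return 3
    case "$sigalg" in
        md5*|sha1*|*SHA1) echo "WEAK: signed with $sigalg"; return 1 ;;
    esac
    if [ "$keyalg" = rsaEncryption ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK: $bits-bit RSA key"; return 2
    fi
    echo "OK: $sigalg, $keyalg ($bits bit)"
}

# cert_check_file: run the real tool on a PEM file (needs openssl on PATH).
cert_check_file() {
    openssl x509 -in "$1" -noout -text | cert_check_text
}

# Constructed sample mirroring the thread's certificate: MD5 signed, 2048-bit RSA.
SAMPLE_MD5='Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)'

# Constructed sample that passes: SHA-256 signed, 2048-bit RSA.
SAMPLE_OK='Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)'

printf '%s\n' "$SAMPLE_MD5" | cert_check_text || echo "exit status $?"
printf '%s\n' "$SAMPLE_OK" | cert_check_text || echo "exit status $?"
```

Run `cert_check_file /path/to/client-cert.pem` against each issued client certificate; any exit status of 1 is a certificate that a verifier with MD5 disabled will reject with the "certificate signature failure" seen in the Apache log.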