Hello folks,
I'm having trouble with the Apache configuration in one of my virtual hosts
and I'm starting to wonder if what I'm trying is a supported configuration.
I'm setting up an SSL vhost with a <Location> directive, so that when a
request is made for that location the client certificate is requested, or is
supposed to be, because what really happens is that an error is shown in the
browser (ssl_error_handshake_failure_alert in Firefox) and in the Apache logs
(Re-negotiation request failed).
The environment where it is installed is: Linux SLES10, Apache 2.2.3 and
SLES11, Apache 2.2.10.
The vhost configuration is:
###################################################################
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 10.241.128.121:443>
    DocumentRoot "/srv/www/vhosts/portaladriano"
    ServerName portaladriano-pre.justicia.junta-andalucia.es:443
    ServerAdmin [email protected]
    ErrorLog /var/log/apache2/ws121-error_log
    TransferLog /var/log/apache2/ws121-access_log
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/padrianop.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/padrianop.key
    SSLCACertificateFile /etc/apache2/ssl.crt/fnmt.crt
    <Location "/Fispenco/">
        SSLOptions +stdEnvVars +ExportCertData
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
    <Directory "/srv/www/vhosts/portaladriano">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
</IfDefine>
</IfDefine>
##################################################################
The reason to use a <Location> instead of a <Directory> is that, in the
production servers, the URL within the directive is jk mounted from a Tomcat
server.
Accessing the parts outside the <Location> works without any problem; the SSL
connection is made and the requested content is shown.
For example accessing the URL
https://10.241.128.121/DilPenHU.html
shows the html page perfectly, but accessing
https://10.241.128.121/Fispenco/fispenco.htm
returns the error mentioned before.
Funny thing is that this same configuration is working in one of my test
servers (SLES10, apache 2.2.3), the first one that was set up. And on top of
that a few of my colleagues, not many, get the client certificate request when
accessing the URL in the <Location> directive, in the servers where the
vhost configuration is "mostly" not working.
I also tried to access the URL with curl, and this is what I get:
#######################################################################
# curl -v --cacert ca.cert https://portaladriano-pre.justicia.junta-andalucia.es/Fispenco/fispenco.htm
* About to connect() to portaladriano-pre.justicia.junta-andalucia.es port 443 (#0)
*   Trying 10.241.128.121... connected
* Connected to portaladriano-pre.justicia.junta-andalucia.es (10.241.128.121) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ca.cert
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*   subject: /C=es/O=Junta de Andalucia/OU=ius/CN=portaladriano-pre.justicia.junta-andalucia.es/[email protected]
*   start date: 2009-06-23 10:29:23 GMT
*   expire date: 2024-06-23 10:29:23 GMT
*   common name: portaladriano-pre.justicia.junta-andalucia.es (matched)
*   issuer: /C=es/O=junta-andalucia/OU=ius/CN=AC para la Administracion de Justicia en la Junta de Andalucia
*   SSL certificate verify ok.
> GET /Fispenco/fispenco.htm HTTP/1.1
> User-Agent: curl/7.18.1 (i686-suse-linux-gnu) libcurl/7.18.1 OpenSSL/0.9.8g zlib/1.2.3 libidn/1.8
> Host: portaladriano-pre.justicia.junta-andalucia.es
> Accept: */*
>
* SSLv3, TLS alert, Server hello (2):
* Empty reply from server
* Connection #0 to host portaladriano-pre.justicia.junta-andalucia.es left intact
curl: (52) Empty reply from server
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
#######################################################################
Any clues about what might be happening here?
Thanks.
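Placing SSLVerifyClient inside a <Location> forces mod_ssl to renegotiate the TLS session after the request line has been read, which is the step the log reports as failing. The variant below is an added example, not the poster's configuration: it asks for the client certificate in the initial handshake at vhost scope and enforces it only for /Fispenco/ with SSLRequire, so no mid-connection renegotiation is needed. Paths, names and the CA file are the ones from the post; ServerAdmin is left out.

```apache
# Added example (not from the original post): client-certificate check
# without per-Location renegotiation. All file names are taken from the post.
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost 10.241.128.121:443>
    DocumentRoot "/srv/www/vhosts/portaladriano"
    ServerName portaladriano-pre.justicia.junta-andalucia.es:443
    ErrorLog /var/log/apache2/ws121-error_log
    TransferLog /var/log/apache2/ws121-access_log
    # mod_ssl writes handshake and verification details at info level
    LogLevel info

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile /etc/apache2/ssl.crt/padrianop.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/padrianop.key
    SSLCACertificateFile /etc/apache2/ssl.crt/fnmt.crt

    # Request a client certificate in the initial handshake, but keep the
    # connection if none is presented. A presented certificate is still
    # validated against fnmt.crt up to depth 2, and the outcome is exposed
    # to the request as SSL_CLIENT_VERIFY.
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +ExportCertData

    # Enforce the certificate only for the protected path. A request without
    # a successfully verified certificate is answered with 403 Forbidden
    # instead of triggering a renegotiation.
    <Location "/Fispenco/">
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    <Directory "/srv/www/vhosts/portaladriano">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
</IfDefine>
</IfDefine>
```

With `SSLVerifyClient optional` at vhost scope, a browser that holds a certificate issued by the configured CA will prompt for it on the first connection to any path of this vhost, not only under /Fispenco/; clients without a certificate simply proceed and are refused at the SSLRequire check.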
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.