I don't accept it is an openssl issue.
I have already verified that the client connection from openssl to the apache
server is reporting the correct certificates, and likewise that the server is
returning a correct unexpired certificate and CA chain to the client.
It is not an openssl issue as openssl works when used at both ends it is an
apache server issue that causes it to reject the client connection with:
SSLv3
server:
>
> client 172.22.10.5] Certificate Verification: Error (19): self signed
> certificate in certificate chain
client:
SSL 3
11820:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1102:SSL alert number 42
11820:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:539:
TLS1
9124:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1102:SSL alert number 48
9124:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:539:
On 18 Aug 2011, at 12:04, J-H Johansen wrote:
> On Sun, Aug 14, 2011 at 11:42 AM, paddy carroll <paddy.carr...@mac.com> wrote:
> Hi,
>
> I have spent too long staring at my crypto material and apache logs. I'm
> stuck.
> I have checked and also had a colleague check my crypto trust chain,
> certificates and keys more than once.
> I have a reverse proxy setup
>
> client --> firewall --> reverse proxy --> tomcat
>
> firewall presents all requests to reverse proxy as coming from the same
> address, but on different ports
> The server appears to be rejecting client negotiations after the discovery of
> our self signed root certificate, we have two certificates in the chain, a
> RooCA and a subca
> when I emulate the connection using openssl as a server on a different port
> it succeeds
>
> CLIENT FAILURE
>
> from client
> ++++++++++++++++++++++++
> $ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt -cert
> test.pem -verify 3 -ssl3
> verify depth is 3
> CONNECTED(00000003)
> depth=2 /CN=TEST-Msad-Root-CA
> verify return:1
> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> verify return:1
> depth=0 /CN=lltpdxc001
> verify return:1
> 70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1102:SSL alert number 42
> 70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:539:
> ++++++++++++++++++++++++
> Server says
> ++++++++++++++++++++++++
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client
> 172.22.10.5] Certificate Verification: depth: 2, subject:
> /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
> Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate
> Verification: Error (19): self signed certificate in certificate chain
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write:
> SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
> error in SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit:
> error in SSLv3 read client certificate B
> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in
> handshake (server lltpdxc001:443)
> Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to
> child 6 with abortive shutdown (server lltpdxc001:443)
> +++++++++++++++++++++++++
> relevant server config from server-info
> +++++++++++++++++++++++++
> ` In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
> 1: <VirtualHost _default_:443>
> 2: SSLEngine on
> 3: SSLProxyEngine on
> In file: /data/httpd/conf/extra/httpd-ssl.conf
> 1: SSLProtocol -all +SSLv3 +TLSv1
> 2: SSLProxyCipherSuite
> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
> 3: SSLCipherSuite
> ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
> 4: SSLCertificateFile /data/httpd/conf/server.crt
> 5: SSLCertificateKeyFile /data/httpd/conf/server.key
> 6: SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
> 7: SSLCACertificatePath /data/httpd/conf/ssl.crt/
> 10: SSLProxyVerify require
> 11: SSLVerifyClient require
> 12: SSLVerifyDepth 2
> 13: SSLProxyVerifyDepth 2
> 14: SSLCADNRequestPath /data/httpd/conf/ssl.crt/
> In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
> 8: <Location /EMDBEndpointWSInterface/>
> 9: SSLRequireSSL
> : </Location>
> : </VirtualHost>
> +++++++++++++++++++++++++++++++++
>
>
> Add the -showcerts parameter to the openssl command and verify each and every
> certificate you're using.
> If you still can't find the problem try asking the same question on the
> openssl mailing list (http://www.openssl.org/support/community.html).
>
> EMULATED CLIENT SUCCESS
>
> +++++++++++++++++++++++++++++++++++++++++
> from the server
> +++++++++++++++++++++++++++++++++++++++++
> [root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020
> -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
> verify depth is 2, must return a certificate
> Using default temp DH parameters
> ACCEPT
> +++++++++++++++++++++++++++++++++++++++++
> from the client
> +++++++++++++++++++++++++++++++++++++++++
>
> $ openssl s_client -connect lltpdxc001:40020 -CApath test-ssl.crt -cert
> /home/carrollpg/test.pem
> CONNECTED(00000003)
> depth=2 /CN=TEST-Msad-Root-CA
> verify return:1
> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> verify return:1
> depth=0 /CN=lltpdxc001
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=lltpdxc001
> i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> 1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> i:/CN=TEST-Msad-Root-CA
> 2 s:/CN=TEST-Msad-Root-CA
> i:/CN=TEST-Msad-Root-CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
> .............
> 9jo=
> -----END CERTIFICATE-----
> subject=/CN=lltpdxc001
> issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4429 bytes and written 4449 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : DHE-RSA-AES256-SHA
> Session-ID:
> BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
> Session-ID-ctx:
> Master-Key:
> DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
> Key-Arg : None
> Start Time: 1313313462
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ++++++++++++++++++++++++++++++++++++++++++
>
> Help!
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> " from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
>
>
> --
> Jens-Harald Johansen
> --
> There are 10 kinds of people in the world: Those who understand binary and
> those who don't...
paddy carroll
paddy.carr...@mac.com
