On Thu, Aug 18, 2011 at 5:44 PM, paddy carroll <paddy.carr...@mac.com> wrote:

> I don't accept it is an openssl issue.
> I have already verified that the client connection from openssl to the apache server is reporting the correct certificates, and likewise that the server is returning a correct unexpired certificate and CA chain to the client.
> It is not an openssl issue, as openssl works when used at both ends; it is an apache server issue that causes it to reject the client connection with:
>
> SSLv3
> server:
>
>> client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
>
> client:
> SSL 3
> 11820:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
> 11820:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
>
> TLS1
> 9124:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48
> 9124:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
>

I've had some issues running Apache with SSLProxyEngine as well and was made aware of a bug in mod_ssl where it fails to use the correct (or any) client certificate for communicating with the server you're proxying to. Take a look at this bugzilla bug report and see if it fits your problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=47134

I was using Apache 2.2.17 at the time as a rev. proxy communicating with a client certificate to the server at the other end. I had to make a few modifications to the mod_ssl code, but after recompilation it worked as intended (at least from my point of view).

> On 18 Aug 2011, at 12:04, J-H Johansen wrote:
>
> On Sun, Aug 14, 2011 at 11:42 AM, paddy carroll <paddy.carr...@mac.com> wrote:
>
>> Hi,
>>
>> I have spent too long staring at my crypto material and apache logs. I'm stuck.
>> I have checked and also had a colleague check my crypto trust chain, certificates and keys more than once.
>> I have a reverse proxy setup
>>
>> client --> firewall --> reverse proxy --> tomcat
>>
>> firewall presents all requests to reverse proxy as coming from the same address, but on different ports
>> The server appears to be rejecting client negotiations after the discovery of our self signed root certificate; we have two certificates in the chain, a RootCA and a subca
>> when I emulate the connection using openssl as a server on a different port it succeeds
>>
>> CLIENT FAILURE
>>
>> from client
>> ++++++++++++++++++++++++
>> $ openssl s_client -connect lltpdxc001:443 -CApath test-ssl.crt -cert test.pem -verify 3 -ssl3
>> verify depth is 3
>> CONNECTED(00000003)
>> depth=2 /CN=TEST-Msad-Root-CA
>> verify return:1
>> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> verify return:1
>> depth=0 /CN=lltpdxc001
>> verify return:1
>> 70352:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1102:SSL alert number 42
>> 70352:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:
>> ++++++++++++++++++++++++
>> Server says
>> ++++++++++++++++++++++++
>> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1321): [client 172.22.10.5] Certificate Verification: depth: 2, subject: /CN=TEST-Msad-Root-CA, issuer: /CN=TEST-Msad-Root-CA
>> Sun Aug 14 10:20:34 2011] [error] [client 172.22.10.5] Certificate Verification: Error (19): self signed certificate in certificate chain
>> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client certificate B
>> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
>> Sun Aug 14 10:20:34 2011] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate B
>> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] SSL library error 1 in handshake (server lltpdxc001:443)
>> Sun Aug 14 10:20:34 2011] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Sun Aug 14 10:20:34 2011] [info] [client 172.22.10.5] Connection closed to child 6 with abortive shutdown (server lltpdxc001:443)
>> +++++++++++++++++++++++++
>> relevant server config from server-info
>> +++++++++++++++++++++++++
>> In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>> 1: <VirtualHost _default_:443>
>> 2: SSLEngine on
>> 3: SSLProxyEngine on
>> In file: /data/httpd/conf/extra/httpd-ssl.conf
>> 1: SSLProtocol -all +SSLv3 +TLSv1
>> 2: SSLProxyCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>> 3: SSLCipherSuite ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:ADH-RC4-MD5:RC2-CBC-MD5:RC4-MD5
>> 4: SSLCertificateFile /data/httpd/conf/server.crt
>> 5: SSLCertificateKeyFile /data/httpd/conf/server.key
>> 6: SSLCertificateChainFile /data/httpd/conf/ssl.crt/server-ca.crt
>> 7: SSLCACertificatePath /data/httpd/conf/ssl.crt/
>> 10: SSLProxyVerify require
>> 11: SSLVerifyClient require
>> 12: SSLVerifyDepth 2
>> 13: SSLProxyVerifyDepth 2
>> 14: SSLCADNRequestPath /data/httpd/conf/ssl.crt/
>> In file: /data/httpd/conf/extra/proxydefs/lltpest001_443.conf
>> 8: <Location /EMDBEndpointWSInterface/>
>> 9: SSLRequireSSL
>> : </Location>
>> : </VirtualHost>
>> +++++++++++++++++++++++++++++++++
>>
>
> Add the -showcerts parameter to the openssl command and verify each and every certificate you're using.
> If you still can't find the problem, try asking the same question on the openssl mailing list (http://www.openssl.org/support/community.html).
>
>
>> EMULATED CLIENT SUCCESS
>>
>> +++++++++++++++++++++++++++++++++++++++++
>> from the server
>> +++++++++++++++++++++++++++++++++++++++++
>> [root@lltpdxc001 conf]# openssl s_server -cert server.crt -accept 40020 -CApath /data/httpd/conf/ssl.crt -Verify 2 -key server.key
>> verify depth is 2, must return a certificate
>> Using default temp DH parameters
>> ACCEPT
>> +++++++++++++++++++++++++++++++++++++++++
>> from the client
>> +++++++++++++++++++++++++++++++++++++++++
>>
>> $ openssl s_client -connect lltpdxc001:40020 -CApath test-ssl.crt -cert /home/carrollpg/test.pem
>> CONNECTED(00000003)
>> depth=2 /CN=TEST-Msad-Root-CA
>> verify return:1
>> depth=1 /DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> verify return:1
>> depth=0 /CN=lltpdxc001
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/CN=lltpdxc001
>>    i:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>>  1 s:/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>>    i:/CN=TEST-Msad-Root-CA
>>  2 s:/CN=TEST-Msad-Root-CA
>>    i:/CN=TEST-Msad-Root-CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIFbjCCBFagAwIBAgIKGMspqwAAAAAABj
>> .............
>> 9jo=
>> -----END CERTIFICATE-----
>> subject=/CN=lltpdxc001
>> issuer=/DC=com/DC=horizonng/DC=internal/DC=Msad/CN=TEST-Msad-Sub-CA
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 4429 bytes and written 4449 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: BB3AE2B7F2AB96802985F0C131C7AA51AD2D3673E82F12999418D788467A4506
>>     Session-ID-ctx:
>>     Master-Key: DA5D9DED5CBCD6E57A687B87FAC0E034C2D7CD0DFFAA877847C5AB1E973C43BC2FB1D7A9B5C5135CC41FBCE9F037CC31
>>     Key-Arg   : None
>>     Start Time: 1313313462
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ++++++++++++++++++++++++++++++++++++++++++
>>
>> Help!
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
>>
>
> --
> Jens-Harald Johansen
> --
> There are 10 kinds of people in the world: Those who understand binary and those who don't...
>
> paddy carroll
> paddy.carr...@mac.com
>

--
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and those who don't...
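As an added example for the thread above (not from either poster), this script builds a constructed Root CA -> Sub CA -> client chain like the one described and runs the same X.509 verification mod_ssl performs against an SSLCACertificatePath directory with `openssl verify`. It assumes only the `openssl` command-line tool; the names DEMO-Root-CA, DEMO-Sub-CA and demo-client are made up. It reproduces the logged "Error (19)" for one common cause, a CA directory holding the PEM files without the hash links OpenSSL looks them up by, and shows the check passing once those links exist.

```shell
# Added example, not from the thread: a constructed Root CA -> Sub CA -> client chain,
# verified the way mod_ssl verifies a client certificate against SSLCACertificatePath.
# Needs only the openssl command-line tool; all names below are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal config so generation does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = DEMO-Root-CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
# Root CA (self-signed), Sub CA signed by it, client certificate signed by the Sub CA.
openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -days 30 \
    -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj /CN=DEMO-Sub-CA \
    -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
    -extfile demo.cnf -extensions ca_ext -out sub.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj /CN=demo-client \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 30 \
    -extfile demo.cnf -extensions leaf_ext -out client.crt 2>/dev/null
cat sub.crt root.crt > presented-chain.pem   # the CA certs a client sends with its own
# verify_as_server DIR: the check mod_ssl performs with DIR as its CA directory.
# Prints OK, or the X.509 verify error number (19 = self signed cert in chain).
verify_as_server() {
    out=$(openssl verify -CApath "$1" -untrusted presented-chain.pem client.crt 2>&1) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *) echo "$out" | sed -n 's/^error \([0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}
mkdir cadir && cp root.crt sub.crt cadir/   # PEM files only: OpenSSL cannot find them
verify_as_server cadir                      # -> 19
for c in cadir/*.crt; do                    # what c_rehash does: <subject_hash>.0 links
    ln -s "$(basename "$c")" "cadir/$(openssl x509 -noout -subject_hash -in "$c").0"
done
verify_as_server cadir                      # -> OK
```

When the directory was populated by one OpenSSL generation and is read by another (for example an httpd linked against 0.9.8 and a 1.0 command-line tool), compare the hash names as well: OpenSSL 1.0.0 changed the subject hash, and `openssl x509 -subject_hash_old` prints the 0.9.8-style file name.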