Hello,

I ran into a problem when configuring different locations for Apache HTTP
Server while using client certificates. The client certificate is not
stored permanently in the browser; it is expected that the client
certificate will be inserted from an encrypted USB stick before the user
clicks on the protected location.

Let's say I have a virtual host (https://host/) with SSLVerifyClient
optional and a location inside that v-host (https://host/require) with
SSLVerifyClient require.
___________________sample config_____________

<VirtualHost _default_:443>
    ServerName host
    ........
    SSLVerifyClient optional
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData
    .......
    <Location /require>
        SSLVerifyClient require
    </Location>
</VirtualHost>
___________________________________________


When I directly visit either https://host/require or https://host/, they
both request the client certificate normally; the difference is that if I
cancel submitting the certificate, the latter still allows access, while
the former rejects access with an SSL error:
ERR_BAD_SSL_CLIENT_AUTH_CERT.
The problem happens when I don't submit the certificate (or don't have a
certificate at the time) when I visit https://host/, then acquire the
client certificate and then browse to https://host/require in the same
browser tab. Ideally it should request the client certificate once more, but
it doesn't; instead it emits ERR_BAD_SSL_CLIENT_AUTH_CERT immediately. Only
after I click the Refresh button on https://host/require does it request
the client certificate as normal.

I checked the debug log and it looks like the following:

_________Visiting https://host/_________
[Wed Apr 10 23:13:49.290449 2019] [ssl:debug] [pid 2656:tid
140593581737728] ssl_engine_kernel.c(746): [client 10.111.84.227:62107]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:49.290476 2019] [ssl:info] [pid 2656:tid 140593581737728]
[client 10.111.84.227:62107] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:49.290485 2019] [ssl:debug] [pid 2656:tid
140593581737728] ssl_engine_kernel.c(975): [client 10.111.84.227:62107]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:13:49.290530 2019] [ssl:info] [pid 2656:tid 140593581737728]
[client 10.111.84.227:62107] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:49.292550 2019] [ssl:error] [pid 2656:tid
140593581737728] [client 10.111.84.227:62107] AH02261: Re-negotiation
handshake failed
_________Clicking "cancel" on submitting certificate to
https://host/_________
[Wed Apr 10 23:13:50.788696 2019] [ssl:debug] [pid 2656:tid
140593573345024] ssl_engine_kernel.c(746): [client 10.111.84.227:62108]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:50.788795 2019] [ssl:info] [pid 2656:tid 140593573345024]
[client 10.111.84.227:62108] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:13:50.788832 2019] [ssl:debug] [pid 2656:tid
140593573345024] ssl_engine_kernel.c(975): [client 10.111.84.227:62108]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:13:50.789059 2019] [ssl:info] [pid 2656:tid 140593573345024]
[client 10.111.84.227:62108] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:13:50.794931 2019] [authz_core:debug] [pid 2656:tid
140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.794940 2019] [authz_core:debug] [pid 2656:tid
140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798066 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798075 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
[Wed Apr 10 23:13:50.798100 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
[Wed Apr 10 23:13:50.798103 2019] [authz_core:debug] [pid 2656:tid
140593564952320] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of <RequireAny>: granted
_________Visiting https://host/require_________
[Wed Apr 10 23:14:08.548394 2019] [ssl:debug] [pid 2534:tid
140593665664768] ssl_engine_kernel.c(746): [client 10.111.84.227:62110]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.548469 2019] [ssl:info] [pid 2534:tid 140593665664768]
[client 10.111.84.227:62110] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.548505 2019] [ssl:debug] [pid 2534:tid
140593665664768] ssl_engine_kernel.c(975): [client 10.111.84.227:62110]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:14:08.548659 2019] [ssl:info] [pid 2534:tid 140593665664768]
[client 10.111.84.227:62110] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.553605 2019] [ssl:error] [pid 2534:tid
140593665664768] [client 10.111.84.227:62110] AH02261: Re-negotiation
handshake failed
[Wed Apr 10 23:14:08.559173 2019] [ssl:debug] [pid 2656:tid
140593531381504] ssl_engine_kernel.c(746): [client 10.111.84.227:62111]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:14:08.559240 2019] [ssl:info] [pid 2656:tid 140593531381504]
[client 10.111.84.227:62111] AH02221: Requesting connection re-negotiation
[Wed Apr 10 23:14:08.559275 2019] [ssl:debug] [pid 2656:tid
140593531381504] ssl_engine_kernel.c(975): [client 10.111.84.227:62111]
AH02260: Performing full renegotiation: complete handshake protocol (client
does support secure renegotiation)
[Wed Apr 10 23:14:08.559395 2019] [ssl:info] [pid 2656:tid 140593531381504]
[client 10.111.84.227:62111] AH02226: Awaiting re-negotiation handshake
[Wed Apr 10 23:14:08.565194 2019] [ssl:error] [pid 2656:tid
140593531381504] [client 10.111.84.227:62111] AH02261: Re-negotiation
handshake failed
[Wed Apr 10 23:14:08.565268 2019] [ssl:error] [pid 2656:tid
140593531381504] SSL Library Error: error:1417C0C7:SSL
routines:tls_process_client_certificate:peer did not return a certificate
-- No CAs known to server for verification?
_________Server emits ERR_BAD_SSL_CLIENT_AUTH_CERT_________

I tried the following scenarios:
1. The vhost root uses SSLVerifyClient none and the Location uses
SSLVerifyClient require: the latter emits no error before requesting the
client certificate;
2. The vhost root uses SSLVerifyClient none, Location1 uses SSLVerifyClient
optional, and Location2 uses SSLVerifyClient require: if I have visited
Location1 and submitted no client certificate, Location2 will emit
ERR_BAD_SSL_CLIENT_AUTH_CERT before requesting the client certificate, no
matter whether I am jumping from the root or from Location1.

I suspect there is a bug involved in the SSL client verification type
change and the re-negotiation flow. While I admit it may be a corner case,
the original use case is crucial to my current user base. I checked the
bug database and there is a similar bug, except that it is related to
TLSv1.3. For browser compatibility, I am currently disabling TLSv1.3,
although I am testing with Apache 2.4.38 and OpenSSL 1.1.1b.
I would love to hear any suggestions on an alternative configuration to
support my scenario, and thank you very much in advance.

Regards,
Hao Du
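A small log parser, added here as an example and not part of Hao Du's mail or of httpd itself, that reads the wrapped error_log excerpt above and classifies, per client connection, the renegotiation that AH02255 (changed SSLVerifyClient mode) forced; the sample lines are constructed from the excerpt, and the unwrapping step assumes the mailing-list convention that only lines starting with "[" begin a new entry.

```python
import re
from collections import defaultdict

# Constructed sample from the wrapped error_log excerpt in the mail: :62107
# fails the forced renegotiation, :62108 completes it and reaches authz.
SAMPLE_LOG = """\
[Wed Apr 10 23:13:49.290449 2019] [ssl:debug] [pid 2656:tid
140593581737728] ssl_engine_kernel.c(746): [client 10.111.84.227:62107]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:49.292550 2019] [ssl:error] [pid 2656:tid
140593581737728] [client 10.111.84.227:62107] AH02261: Re-negotiation
handshake failed
[Wed Apr 10 23:13:50.788696 2019] [ssl:debug] [pid 2656:tid
140593573345024] ssl_engine_kernel.c(746): [client 10.111.84.227:62108]
AH02255: Changed client verification type will force renegotiation
[Wed Apr 10 23:13:50.794931 2019] [authz_core:debug] [pid 2656:tid
140593573345024] mod_authz_core.c(820): [client 10.111.84.227:62108]
AH01626: authorization result of Require all granted: granted
"""

CLIENT_RE = re.compile(r"\[client (\d+\.\d+\.\d+\.\d+:\d+)\]")
CODE_RE = re.compile(r"\b(AH\d{5}):")
RENEG_FORCED, RENEG_FAILED, AUTHZ_RESULT = "AH02255", "AH02261", "AH01626"

def unwrap(text):
    """Re-join wrapped entries: only lines starting with '[' begin one."""
    entries = []
    for line in text.splitlines():
        if line.startswith("["):
            entries.append(line)
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def renegotiation_outcomes(text):
    """Classify, per client ip:port, the renegotiation forced by AH02255
    (changed SSLVerifyClient mode): 'failed', 'completed' or 'pending'."""
    codes = defaultdict(list)
    for entry in unwrap(text):
        client, code = CLIENT_RE.search(entry), CODE_RE.search(entry)
        if client and code:
            codes[client.group(1)].append(code.group(1))
    outcome = {}
    for client, seen in codes.items():
        if RENEG_FORCED in seen:  # connections without a mode change are skipped
            outcome[client] = ("failed" if RENEG_FAILED in seen else
                               "completed" if AUTHZ_RESULT in seen else "pending")
    return outcome
```

Running it over a full error_log with LogLevel ssl:debug shows which connections hit the failed renegotiation path rather than completing the handshake with or without a certificate.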
