Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have an apache2 https server (already working) that I'd like to set up client certificate authentication on. Sadly I've read about as far into the logs and output as I understand, and I'm in need of someone who knows more about this than myself.
Currently I have three certs:
1) The CA certificate (rootCA)
2) The server certificate (*.example.com) signed by rootCA
3) The client certificate (client.example.com) signed by rootCA
Then I imported the client certificate (in PKCS#12 format) into the "Personal" store in a Windows client. I attempted to visit https://www.example.com/example and the result was
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=xxxx/L=xxxx/O=xxxx/CN=rootCA/emailAddress=xxx@xxx.xxx
verify return:1
depth=0 /C=US/ST=xxxx/L=xxxx/O=xxxx/CN=*.example.com/emailAddress=xxxx@xxxx.xxx
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
GET /example
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:error in SSLv3 read server hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/ST=xxxx/L=xxxx/O=xxxx/CN=rootCA/emailAddress=xxxx@xxx.xxx
verify return:1
depth=0 /C=US/ST=xxxx/L=xxxx/O=xxxx/CN=*.example.com/emailAddress=xxxx@xxx.xxx
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL3 alert read:fatal:unsupported certificate
SSL_connect:failed in SSLv3 read server session ticket A
5153:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1102:SSL alert number 43
5153:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:854:
However, I don't know what a working example of that ^^^ should look like, and further I don't know which of the three certs is causing all these unsupported certificate errors. So hopefully someone here has done this before / has a working setup they'd be willing to check the configuration against.
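Two things worth checking on the client cert itself before touching the Apache side, as an added example that is not part of the thread: whether the cert is valid for the sslclient purpose against the CA file (OpenSSL reports a failed purpose check as the same alert 43 "unsupported certificate" seen in the output above) and whether the .p12 actually contains the private key, which a later reply asks about. All names, the export password and the extensions are constructed, and the script assumes an openssl binary with its stock openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread: builds a throwaway rootCA and two
# constructed client certs, then runs the checks to make on a client cert and
# its .p12 before changing the Apache config. Requires the openssl binary.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PW=test   # constructed PKCS#12 export password

# Self-signed CA; req -x509 marks it CA:TRUE with the stock openssl.cnf
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=rootCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign a client cert: $1 = CN, $2 = extension line handed to x509 -extfile
gen_client() {
  printf '%s\n' "$2" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  # bundle cert + key the way the client certificate store expects
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -passout "pass:$PW" -out "$WORK/$1.p12"
}

# The test mod_ssl applies for SSLVerifyClient require: the cert chains to the
# SSLCACertificateFile CA and is valid for the "sslclient" purpose. A failed
# purpose check is one of the verify errors sent back to the client as alert 43.
check_client() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Does the .p12 carry the private key and not only the certificate?
p12_has_key() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PW" -nocerts \
    -passout "pass:$PW" 2>/dev/null | grep -q 'PRIVATE KEY'
}

gen_ca
gen_client client.example.com "extendedKeyUsage = clientAuth"  # proper client cert
gen_client wrong.example.com "extendedKeyUsage = serverAuth"   # server-only cert
for n in client.example.com wrong.example.com; do
  if check_client "$n"; then echo "$n: accepted for client auth"; else echo "$n: rejected"; fi
  if p12_has_key "$n"; then echo "$n.p12: contains private key"; fi
done
```

Run the same two functions against the real ca.crt, client.crt and client.p12 to tell a certificate problem apart from an Apache configuration problem.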
Off of the top of my head, the verify depth looks high. I can't recall exactly what this means, but maybe you could try lowering it to 1 and see if you get different results.
I am not an expert in SSL and certificates, to the point where I can tell you what to do based upon your errors. I do, however, use them myself on my servers. Here is a link to the how-to document that I used. Maybe it will give you some insight into where your process went wrong.
I looked through my access and error logs and I found this line repeated each time that I tried to connect:
Code:
[Tue Oct 04 08:48:40 2011] [error] [client xxx.xxx.xxx.xxx] Re-negotiation handshake failed: Not accepted by client!?
Other than that my config looks like all the others. I believe the depth option just indicates how many links can be between the client and the CA (CA signs server, server signs department, department signs client), so I don't think that one will matter. There must be something wrong with the certificates. Has anyone used XCA before?
Forgive the question, but you didn't by chance import the CA cert into the client?
I did, I wasn't clear enough in my OP when I said that I had https working. I should have said that I imported the CA into my trusted CAs on the client and can view the site without getting any certificate errors.
Thanks, I overlooked that. Currently the client box I made the cert for is disposed doing data recovery so I won't be able to test the altered config until that finishes (ddrescue takes FOREVER on large drives). I don't want to go signing new certs and possibly messing that up until I nail down the current one and can reproduce that reliably. Best not to introduce new bugs before the old ones are fixed.
I tested this with two sets of files 2048 and 4096 and it worked with both.
I tested with FF and Chrome.
I imported the client.p12 into XP, but had to import it again into Firefox, Chrome found it in XP and asked if it should use it.
I trimmed some of the extra crud out of this; this is one of a hundred virtualhosts on this box, but it's the only one that requires a client cert. I was just testing.
Code:
##### IP Based VirtualHost
Listen 11.222.333.44:501
<VirtualHost 11.222.333.44:501>
    ServerAdmin russ@whatever.net
    ServerName crypt.whatever.net
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml .htm .html
    # Some MIME-types for downloading Certificates and CRLs
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    #
    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    #
    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # Note: this list also admits SSLv2, export, LOW and eNULL (no encryption) ciphers.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #
    # CA that presented client certificates must chain to (see SSLVerifyClient below)
    SSLCACertificateFile /vh/hosts-cert/whatever.net/ca.crt
    SSLCertificateFile /vh/hosts-cert/whatever.net/crypt.whatever.net.crt
    SSLCertificateChainFile /vh/hosts-cert/whatever.net/chain.crt
    SSLCertificateKeyFile /vh/hosts-cert/whatever.net/crypt.whatever.net.pem
    DocumentRoot "/vh/hosts/whatever.net"
    #
    <Directory "/vh/hosts/whatever.net">
        SSLRequireSSL
        # Client must present a certificate signed by the CA above
        SSLVerifyClient require
        #
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        #
        DirectoryIndex bsod.png indexs.htm indexs.html indexs.shtml indexs.php \
            index.htm index.html index.shtml index.php
        AllowOverride AuthConfig FileInfo Indexes Limit
        Options -Indexes Includes
        Order allow,deny
        Allow from all
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
Quote:
In my Access Log I see a bunch of 403 Errors. In my Error Log I see the error from above "Not accepted by client!?".
I got exactly the same in access and error before I imported the client.p12 into firefox.
Quote:
I did find this tid-bit of information in the log file (about 50 lines up from the end, the first line of the request)
Code:
[Thu Oct 13 07:49:56 2011] [error] Init: Private key not found
Is this referring to the Server key? If so, where do you store your keys, and in which format?
I think it's referring to the client, did you make the client.p12 using both the crt and key?
Some of my files end in .crt but I think they are all pem format.
My setup is custom so my locations won't be of any use.
I'm 99% sure that I'm using the Key+Cert .pk12 version of the certificate on the client. When I open up MMC, under Current User\Personal\Certificates it has my client cert and when I double click it there is a key icon with the text "You have a private key that corresponds to this certificate", the certification path is valid and looks like this "CA>Client"
The format of your CA and Server_Cert looks different from mine, but I'm pretty sure that Apache would fail to restart if it didn't understand them; the same is true of permissions and locations, it will fail to restart if it can't find the files.
Restart Apache after changing a cert or config file.
Restart your browser between tests!!!
I attached two files to this, a working CA.crt and Client.p12, I have tested this pair and they work. You can use them to verify that your setup is correct.
At least this way you can tell if the problem is the setup or the certs.
I've never attached a file to a message here, hopefully it will work.