LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-10-2012, 03:21 AM   #1
goral09
LQ Newbie
 
Registered: May 2012
Posts: 4

Fedora 16 Apache SSL Certificates: Problem with properly setting up server


Hi all!
I know that this subject has been brought up many times, but I have been struggling with this for a few days now and my mind is a complete mess after reading so many different solutions.


So maybe from the beginning: I have created a key and certificate with the openssl library and began to modify the proper files. I am not touching httpd.conf, only ssl.conf, so here it goes:

Quote:
#
<VirtualHost *:443>

ErrorLog /var/www/goralCA/logs/ssl_error_log
TransferLog /var/www/goralCA/logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLCertificateFile /etc/httpd/ssl/goralCA.pem
SSLCertificateKeyFile /etc/httpd/ssl/goralCA.key
SSLVerifyClient require
SSLVerifyDepth 5
<Location />
SSLRequire ( %{SSL_CLIENT_S_CN_OU} in {"Mateusz Gorski"})
</Location>
SSLOptions +ExportCertData +StdEnvVars
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars +ExportCertData
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
</Directory>
</VirtualHost>

Of course it's not the whole file, but the most important part, I think.

Now I am typing 'https://localhost' in the browser and after accepting the certificate I get this message:
Quote:
SSL peer was unable to negotiate an acceptable set of security parameters.

(Error code: ssl_error_handshake_failure_alert)

Can you help me? I am really getting pissed off because of it.
Thanks in advance
 
Old 05-10-2012, 05:14 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

May I ask for clarification: are you trying to get https to work or do you have that working and are you trying to get certificate authentication to work?

"SSLVerifyClient require" means require a client certificate which has to be directly signed by our CA certificate. Unless you have installed such a certificate in your client browser, you will get that error message.
 
Old 05-10-2012, 12:52 PM   #3
goral09
LQ Newbie
 
Registered: May 2012
Posts: 4

Original Poster
Yes, certificate is added to the browser.


And about the 1st thing, I am not quite sure if https is working properly; I assumed so since it's asking for the certificate and prompts that it's all personal.

Last edited by goral09; 05-10-2012 at 12:54 PM.
 
Old 05-10-2012, 01:30 PM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Hi,

I would give you some examples to go through the setup procedure, to see if anything you did is missing/wrong:
- Setting up an SSL secured Webserver with CentOS
- SSL with Apache 2
- RedHat Apache HTTP Secure Server Configuration

good luck
 
Old 05-11-2012, 04:03 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Here is another how-to document that I routinely use when I need a command reference on creating client certificates: http://www.vanemery.com/Linux/Apache/apache-SSL.html

I suggest you start by turning off the client authentication verification, then see if you can access the page via https: and pull up the certificate information from the browser. This will isolate whether the problem is in your https configuration or a problem with the client authentication.

I also noticed that you set the SSLVerifyDepth to 5, whereas I normally see this set to 1. Please see the following: http://www.modssl.org/docs/2.6/ssl_reference.html (scroll down to SSLVerifyDepth). I doubt that it is causing your problem, but it is non-standard.

Edit: Make sure that your client certificate has been signed by the CA you used to sign the server certificate too! You also need to be really careful with the CN (common name) parameter. See the how-to I linked above.
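Noway2's two points above (the client certificate must chain to the CA the server trusts, and the browser imports a PKCS#12 bundle) as an added shell example that is not part of the thread; it uses the openssl CLI with throwaway, constructed CAs and names (serverCA, otherCA, goodclient, badclient) and shows which client certificate "SSLVerifyClient require" would accept:

```shell
#!/bin/sh
# Added example, not code from the thread: Noway2's advice, checked offline.
# A throwaway CA signs one client cert; a second, unrelated CA signs another.
# Only the first chains to the server's CA, which is what
# "SSLVerifyClient require" demands; the second fails the way the OP saw.
# Needs the openssl CLI. Every name and subject below is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl missing, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR NAME: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: client key + CSR, signed by the named CA
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/OU=Example Client/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}

# client_cert_ok CA_PEM CLIENT_PEM: succeeds only if the CA chains the client cert
client_cert_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# export_p12 DIR NAME CA PASS: PKCS#12 bundle (key, cert, CA) for browser import
export_p12() {
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" \
        -certfile "$1/$3.pem" -passout "pass:$4" -out "$1/$2.p12"
}

make_ca "$WORK" serverCA
make_ca "$WORK" otherCA
issue_cert "$WORK" serverCA goodclient
issue_cert "$WORK" otherCA badclient
export_p12 "$WORK" goodclient serverCA changeit

for c in goodclient badclient; do
    if client_cert_ok "$WORK/serverCA.pem" "$WORK/$c.pem"; then
        echo "$c: chains to serverCA, would pass SSLVerifyClient require"
    else
        echo "$c: not signed by serverCA, browser gets handshake_failure"
    fi
done
```

The same `openssl verify -CAfile` check against the server's `SSLCertificateFile` CA tells you whether a real client certificate would be accepted before you touch the browser.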
 
Old 05-13-2012, 06:31 PM   #6
goral09
LQ Newbie
 
Registered: May 2012
Posts: 4

Original Poster
@Noway2,
Thanks mate! It works; it seems that I had a problem with this pkcs#12 format. Man, you made my day. I can proceed with the project now, thanks again!
 
Old 05-14-2012, 11:12 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

@goral09: your new question was moved to a new thread: Fedora 16 Apache SSL Certificates: authorization based on name of client or email address.
 
All times are GMT -5.