Abhijit Bhate | 20 Dec 06:59 2010

peer did not return a certificate No CAs known to server for verification?

Hello All,

We have opened a Java web service & our clients are facing issues while accessing it. They are consistently getting an SSL / TLS connection failure message. All these clients are using VeriSign class 1 certificates. In the Apache error logs we see the messages below:

[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
[Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This is happening only with class 1 certificates; class 3 certificates are working fine. Earlier we were using IBM HTTP Server & our clients were able to connect to our web service. But since we have moved to Apache HTTP Server, they are facing this issue.

Is there any known fix for this? Kindly advise. Your suggestions are of real value to us.

Note: All these clients are either PHP / .NET clients. Java clients are able to use class 1 certificates successfully.

Thanks,

Abhijit Mohan Bhate

+91-98-50-886360


dreed2010 | 17 Nov 21:31 2010

App requires port 8081, gets errors using HTTPS


I have a third-party XML application compiled into Apache as a module that
requires using port 8081.  I have run it successfully for years using HTTP
on Apache 1.3.27 (the version required by the vendor), but now I need to run
it using HTTPS.

So, I installed openssl-0.9.4 and mod_ssl-2.8.14-1.3.27 and the installation
seemed to go well except for the question "File to Patch:  ", which I had to
skip since I had no answer for it.

The application still runs fine when I browse to http://my.app.com:8081, but
when I try HTTPS using https://my.app.com:8081 I get a message that "Secure
Connection Failed - SSL received a record that exceeded the maximum
permissible length (Error code: ssl_error_rx_record_too_long)."  An error
codes reference says, "This generally indicates that the remote peer system
has a flawed implementation of SSL, and is violating the SSL specification."

The Apache error log says "Invalid method in request \x16\x03\x01"

Any thoughts on how to troubleshoot this?

Thanks,
Dave


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org
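Added example, not part of Dave's message or of Apache: the two messages quoted above fit together. Firefox reports ssl_error_rx_record_too_long when it receives a non-TLS reply on an https:// URL, and "Invalid method in request \x16\x03\x01" is what Apache logs when a listener that is still speaking plain HTTP reads the first bytes of a TLS handshake record (content type 0x16 = handshake, version bytes 0x03 0x01 = TLS 1.0) as a request line. The Python below classifies the first bytes a port received and reproduces the escaped "method" token Apache logged; the sample inputs are constructed.

```python
import struct

# TLS record-layer constants (constructed lookup tables for this example).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> dict:
    """Tell a TLS record header apart from a plaintext HTTP request line.
    A 5-byte TLS record header is: content type, major, minor, 16-bit length."""
    if len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 3 and data[2] <= 3:
        (length,) = struct.unpack("!H", data[3:5])
        return {"kind": "tls_record", "content_type": CONTENT_TYPES[data[0]],
                "version": VERSIONS[(data[1], data[2])], "length": length}
    if data.startswith(HTTP_METHODS):
        return {"kind": "http", "method": data.split(b" ", 1)[0].decode("ascii")}
    return {"kind": "unknown"}

def apache_invalid_method_repr(data: bytes) -> str:
    """Render the 'method' token Apache would log for these bytes: the token ends
    at whitespace or at a NUL byte (C string handling), and non-printable bytes are
    escaped as \\xNN. For a ClientHello the fourth byte, the high byte of the record
    length, is often 0x00, which is why only \\x16\\x03\\x01 shows up in the log."""
    token = bytearray()
    for b in data:
        if b == 0 or b in b" \t\r\n\x0b\x0c":
            break
        token.append(b)
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in token)

# Constructed samples (not captured from the poster's server): the start of a
# TLS 1.0 ClientHello record and a plain HTTP request for the same URL.
CLIENTHELLO_PREFIX = b"\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01"
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: my.app.com:8081\r\n\r\n"

if __name__ == "__main__":
    for sample in (CLIENTHELLO_PREFIX, PLAIN_REQUEST):
        print(classify_first_bytes(sample), "logged as:", apache_invalid_method_repr(sample))
```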

rangeli nepal | 17 Oct 02:19 2010

Client Authentication

Good Afternoon Everybody,

I am not sure if this is the right forum to ask this question. If not,
please guide me.

mod_ssl provides a fabulous mechanism for doing client authentication. It
does so by issuing client certificates signed by your own CA
certificate ca.crt.

How can we use mod_ssl (with client auth) when we do not have
control over the whole community, i.e. people are using certificates that are
signed by different CAs?

One way I was thinking of was to accumulate public certs (which may not
be CA certs) in one place (a directory) and give its path to mod_ssl.

However I am not sure if this is a good practice or even a doable one.

Any input will be highly appreciated.
Thank you.
rn

Jeff Blaine | 15 Oct 23:49 2010

Certs work, one doesn't, cannot determine why

Hi folks.  I'm *really* stumped here.  If anyone has any
ideas, I would love to hear them.  How can I debug this
further?  I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
        corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
        when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

<VirtualHost 1xx.xx.9.85:443>
     ServerName rtdev1.our.org:443

     ErrorLog logs/ssl_error443_log
     TransferLog logs/ssl_access443_log
     LogLevel warn

     SSLEngine on
     SSLProtocol all -SSLv2
     SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
     SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
     SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
     SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
     SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
     SSLVerifyClient require
     SSLVerifyDepth  2

     SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
         SSLOptions +StdEnvVars
     </Files>
     <Directory "/apps/rtsrv1dev/share/html">
         SSLOptions +StdEnvVars
     </Directory>

     SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

     CustomLog logs/ssl_access443_log \
         "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

     CustomLog logs/ssl_error443_log \
         "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

     DocumentRoot /apps/rtsrv1dev/share/html
     AddDefaultCharset UTF-8
     PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
         SetHandler default
     </Location>

     <Location />
         SetHandler perl-script
         PerlResponseHandler RT::Mason
         SSLVerifyClient require

         SSLRequire %{SSL_CLIENT_S_DN} in { \
              "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
              "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
              "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
              "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
         }
     </Location>
</VirtualHost>
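Added example, not from the message or from mod_ssl: in the CustomLog line above the client DN is logged as /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B, while the SSLRequire list spells the organisational unit OU=people. mod_ssl evaluates "word in { ... }" with an exact string comparison, so certificate verification (SSL_CLIENT_VERIFY = SUCCESS) and the SSLRequire expression are independent checks, and a difference in letter case alone fails the second. The Python below parses the quoted list out of an SSLRequire block (including its backslash continuations), applies the exact comparison, and reports the near-miss; the config excerpt is constructed from the post.

```python
import re

# Constructed excerpt reproducing the post's SSLRequire block and the DN from its log line.
SSLREQUIRE_BLOCK = r'''
         SSLRequire %{SSL_CLIENT_S_DN} in { \
              "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
              "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
              "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
              "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
         }
'''
LOGGED_DN = "/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B"

def parse_in_list(block: str) -> list:
    """Join backslash-newline continuations the way the config parser does and
    return the quoted words of a 'word in { "a", "b", ... }' list."""
    joined = re.sub(r"\\\n", " ", block)
    match = re.search(r"\bin\s*\{(.*?)\}", joined, re.S)
    if match is None:
        raise ValueError("no 'in { ... }' list found")
    return re.findall(r'"((?:[^"\\]|\\.)*)"', match.group(1))

def sslrequire_in(word: str, words: list) -> bool:
    """mod_ssl's 'in' operator is an exact (byte-for-byte, case-sensitive) comparison."""
    return any(word == candidate for candidate in words)

def explain(word: str, words: list) -> str:
    """Diagnose why a DN that verified successfully still fails the expression."""
    if sslrequire_in(word, words):
        return "exact match"
    for candidate in words:
        if word.lower() == candidate.lower():
            return "differs only in letter case from: " + candidate
        if word.replace(" ", "") == candidate.replace(" ", ""):
            return "differs only in whitespace from: " + candidate
    return "no near match"

if __name__ == "__main__":
    allowed = parse_in_list(SSLREQUIRE_BLOCK)
    print(sslrequire_in(LOGGED_DN, allowed), explain(LOGGED_DN, allowed))
```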

Hintz, Dan | 13 Sep 23:21 2010

SSLv3 alone (without TLSv1) does not work from client browser

In our Apache conf file, we have the following directives:

SSLProtocol -all +SSLv3 +TLSv1

SSLCipherSuite ALL:!DH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL:!aNULL

When we use a browser (Internet Explorer or Firefox) to connect, it will work if we have both SSLv3 and TLSv1 configured within the browser.  But when we remove TLSv1, we cannot connect.

Does anyone know what could be the problem?

Thanks in advance,

Dan


Gunner Geller | 9 Sep 18:13 2010

Specifying the openssl version used with mod_ssl

Hello,

We are using Mac Leopard OS. We have rolled our own Apache (2.2.16) separate from the default install. We have also rolled our own OpenSSL at the latest version. However, when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our HTTP headers:

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

When typing "openssl version" from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some Apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when configuring/making/installing Apache, it is finding OpenSSL at the above directory. The problem is that the HTTP header stays the same.

The problem is we can't upgrade the default OpenSSL version on the OS without Apple providing the update. The outdated version is tripping our security scans. Like I said, we rolled our own updated version but cannot get Apache/mod_ssl to use it. Any help is appreciated.

Thanks,

Gunner Geller

Ulf Wahlqvist | 27 Jul 16:43 2010

OCSP-validation fails

Hi

I'm trying to get Apache to do client certificate verification with OCSP validation.
It works without OCSP, but OCSP validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are
within 2 seconds.
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05
GMT", which is the same time.

//// Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP responder requires a SIGNED message, but I don't understand how
to get Apache to sign it. Some European OCSP responders seem to accept only signed requests and I'm
trying to find out if this is one of them.

//// Will Apache be able to sign OCSP requests (in that case, how do I pass the cert/key)?

** my config
**********************************************************************

[root <at> fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[root <at> fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl

** error_log
**********************************************************************

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW

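Added example, not from the message or from OpenSSL: "status too old" is one outcome of OpenSSL's OCSP_check_validity(), which mod_ssl calls on the response it fetched. That function does not look at the HTTP Date header quoted above; it compares the thisUpdate and nextUpdate fields inside the OCSP response against the server clock, allowing a clock-skew tolerance and, when the caller passes a non-negative maximum age, rejecting a thisUpdate older than that as "status too old". The error can therefore occur with perfectly synchronised clocks when the responder hands out pre-produced responses whose thisUpdate is older than the limit. The Python below re-implements those rules with the skew and maximum age as parameters (in mod_ssl versions that expose them, these correspond to SSLOCSPResponseTimeSkew and SSLOCSPResponseMaxAge); the timestamps and the 60 s / 360 s limits are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Outcome strings, matching the OpenSSL OCSP error reasons they correspond to.
OK, TOO_OLD, NOT_YET_VALID, EXPIRED, ORDER = (
    "ok", "status too old", "status not yet valid", "status expired",
    "nextupdate before thisupdate")

def check_validity(this_update, next_update, now, skew_sec, max_age_sec):
    """Re-implementation (added example, not OpenSSL's code) of the rules that
    OCSP_check_validity() applies to a single response:
      * thisUpdate may lie at most skew_sec in the future;
      * if max_age_sec >= 0, thisUpdate may lie at most max_age_sec in the past,
        otherwise the result is "status too old";
      * nextUpdate, when present, may lie at most skew_sec in the past and must
        not precede thisUpdate.
    Returns the list of failures, or ["ok"]."""
    skew, failures = timedelta(seconds=skew_sec), []
    if this_update > now + skew:
        failures.append(NOT_YET_VALID)
    if max_age_sec >= 0 and this_update < now - timedelta(seconds=max_age_sec):
        failures.append(TOO_OLD)
    if next_update is not None:
        if next_update < now - skew:
            failures.append(EXPIRED)
        if next_update < this_update:
            failures.append(ORDER)
    return failures or [OK]

# Constructed scenario modelled on the post: the server clock and the responder's
# HTTP Date header agree (13:50:05/06 GMT), but the thisUpdate field inside the
# response body was produced hours earlier (assumed: a pre-produced response).
NOW = datetime(2010, 7, 26, 13, 50, 6, tzinfo=timezone.utc)
THIS_UPDATE = NOW - timedelta(hours=6)
NEXT_UPDATE = NOW + timedelta(days=1)

def strict_result():
    """Assumed limits of 60 s skew and 360 s maximum age: the old thisUpdate fails."""
    return check_validity(THIS_UPDATE, NEXT_UPDATE, NOW, skew_sec=60, max_age_sec=360)

def lenient_result():
    """Same response with no maximum age (-1): only skew and nextUpdate are checked."""
    return check_validity(THIS_UPDATE, NEXT_UPDATE, NOW, skew_sec=300, max_age_sec=-1)

if __name__ == "__main__":
    print("strict:", strict_result(), "lenient:", lenient_result())
```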

John Carpenter | 22 Jul 18:07 2010

SSLCACertificateFile getting ignored when I use a Location directive

 
Hello,

Adding <Location> around SSLVerifyClient and SSLVerifyDepth is causing my mutual authentication to fail with an ssl_error_handshake_failure_alert message. I can't seem to determine what might be causing this. I'll just jump right to the code below:

[WORKS]

Excerpting my httpd.conf:

<VirtualHost _default_:443>
 DocumentRoot "<path edited>/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "<path edited>/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "<path edited>/Cert/ssl.key/server.key"
 SSLCACertificateFile "<path edited> Cert/ca.cer"
 SSLVerifyClient require
 SSLVerifyDepth 1
 <truncated>

The above works like a charm. The only problem is it works EVERYWHERE I use 443 ... which is as expected. So when I add my <Location> directive as below I get the Error code: ssl_error_handshake_failure_alert. Though it properly triggers this error on requests to the specified location. So I know that part is being picked up properly. Does anybody know what can be causing this? This seems to be how it was behaving before I added in the SSLCACertificateFile information. Could the Location tag be causing the server to somehow ignore my SSLCACertificateFile?

[DOESN'T WORK] : Error code: ssl_error_handshake_failure_alert

<VirtualHost _default_:443>
 DocumentRoot "<path edited>/htdocs"
 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
 SSLCertificateFile "<path edited>/Cert/ssl.crt/server.crt"
 SSLCertificateKeyFile "<path edited>/Cert/ssl.key/server.key"
 SSLCACertificateFile "<path edited> Cert/ca.cer"
 <Location /logonWithCertificate>
  SSLVerifyClient require
  SSLVerifyDepth 1
 </Location>

<truncated>

Thanks in advance for any insight.

-John


Andreas Worbs | 1 Jun 11:40 2010

FTP and HTTP Mirror

Hello,
here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* URL of mirror: ftp://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located:
Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mirror <at> artfiles.org
* Update frequency:  daily
* Speed: 1000MBit/s
Please add us to your list.

With best regards

Artfiles New Media GmbH

Andreas Worbs

-- 
Artfiles New Media GmbH | Heidenkampsweg 100 | 20097 Hamburg
Tel: 040 - 32 02 72 90 | Fax: 040 - 32 02 72 95
E-Mail: support <at> artfiles.de | Web: http://www.artfiles.de
Managing directors: Carsten Bals | Harald Oltmanns | Tim Evers
Registered in the Hamburg commercial register - HRB 81478


Lionel Falise | 10 May 17:02 2010

SSLRequire on OID extension DER encoded field value

hey guys,
I hope you're all doing fine. I need a little support here on SSL client
verification; tell me please if this is not the right place.

I need to check a specific extension field value from X.509 client
certificates to grant access to defined users.

I read this could be possible using the oid() or peerextlist() functions.

I had to determine the field OID using the OpenSSL Java package, and I'm
trying to debug the SSLRequire check using the setenvif module and SSI + Perl
printenv.pl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based
on this field.

I was wondering, first: should this work? Second: if the extension value
is DER encoded, would Apache be able to handle this check, and how would I
store the granted values?

I'm using Apache 2.2.9. Let me know if you need some more detailed info
on this; I can hand over the certificate or my entire configuration file if
needed.

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars 

SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key 

LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt

<Location />
	SetenvIf OID("2.5.4.5") "(.*)" OIDTEST=$1
	SSLRequire "400023144340" in OID("2.5.4.5")
</Location>	

[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied
for 127.0.0.1 (requirement expression not fulfilled) 
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in
OID("2.5.4.5")

Output if bypassing the sslrequire directive (this should return the oid
matching field value, right?):
OIDTEST=""

Thanks in advance for your help.
Lionel

jpguilloteau | 10 May 16:01 2010

Jean-Pierre Guilloteau is away.


I will be out of the office starting Sat 08/05/10 and will not return until
Mon 17/05/10.

I will respond to your message when I return.


