Apache Lounge forum, Apache section

Topic: Smart Card/Cac Card Authentication

Author: mcgredo (Joined: 28 May 2014, Posts: 1, Location: USA, Monterey)
Posted: Fri 30 May '14 0:02    Post subject: Smart Card/Cac Card Authentication

I'm attempting to get CAC card authentication working with Apache httpd-2.2.3-85 on CentOS 5. CAC cards are the DoD variant of smart cards. The SSL connection is failing (Chrome error: ERR_SSL_PROTOCOL_ERROR) and I'm having problems diagnosing exactly where the problem is.

The objective is to confirm that the user possesses a valid CAC card; at this point I don't need to extract the contents of the client certificate into environment variables and do an SSLFakeAuth. If they have a valid CAC card, they should be able to reach the page.

Subdirectory I want CAC authentication in:

Code:
<Directory /var/www/html/cac>
SSLVerifyDepth 10
SSLVerifyClient require
</Directory>


SSL settings:

Code:
# Enable TLS for this virtual host; SSLv2 disabled
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
# One directive on one line: httpd does not treat a trailing "/" as a line
# continuation, so the split cipher string in the original would not parse
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Server certificate and private key
SSLCertificateFile /etc/httpd/keys/myCertificate.crt
SSLCertificateKeyFile /etc/httpd/keys/myCertificate.key
# Intermediate certificates sent along with the server certificate
SSLCertificateChainFile /etc/pki/tls/certs/allDoDCerts.pem
# CAs trusted to issue client certificates, plus their CRLs
SSLCACertificateFile /etc/pki/tls/certs/allDoDCerts.pem
SSLCARevocationFile /etc/pki/tls/crls/allCrls.pem


Non-CAC https works. Client certificate authentication for CAC cards fails.

I've retrieved the CRL list. allDoDCerts.pem is the PEM-encoded, concatenated root and intermediate certificates for the DoD CAs. I'm testing the client side on Windows 8.1. In IE 11 I'm presented with a list of candidate certificates (showing that the OS and browser are contacting the smart card, and that the SSLCACertificateFile is doing its job of providing the client with a list of candidate CAs) and enter a PIN to access the card. The SSL connection then fails to be established.

What can I do to troubleshoot exactly where this problem resides? Ideally this would be some magic that allowed me to see the client or the server failing to authenticate a certificate, so I could see exactly where the problem is.

Mod note: added bb tags
