Topic: Apache 2.4.3 not validating ssl trust chain properly

Author: jmendezsarabia (Joined: 20 Feb 2013, Posts: 3, Location: USA, Manassas, VA)
Posted: Thu 21 Feb '13 18:00    Post subject: Apache 2.4.3 not validating ssl trust chain properly

Hi all,

I am in the process of upgrading from Apache 2.2.21 to Apache 2.4.3. I'm using Apache Lounge's compiled 2.4.3, by the way. I'm working on a Windows 7 SP1 64-bit workstation.

My old 2.2.21 was configured to use SSL with client PKI authentication. When I configure 2.4.3 with the SSL options and move the CAs, private key and server certificate from my old 2.2.21 instance, I get the following error. Is anybody else having this problem? Or does someone have any suggestions as to why I keep getting these errors? My requests are not being forwarded to my Tomcat instance.

[Wed Feb 20 18:42:51.017019 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51252] AH01964: Connection to child 63 established (server localhost:443)
[Wed Feb 20 18:42:51.018019 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1939): [client ::1:51252] AH02043: SSL virtual host for servername localhost found
[Wed Feb 20 18:42:51.119029 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_io.c(1172): (70014)End of file found: [client ::1:51252] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Wed Feb 20 18:42:51.119029 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51252] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)
[Wed Feb 20 18:42:54.006318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH01964: Connection to child 63 established (server localhost:443)
[Wed Feb 20 18:42:54.006318 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1939): [client ::1:51257] AH02043: SSL virtual host for servername localhost found
[Wed Feb 20 18:42:54.008318 2013] [ssl:debug] [pid 9572:tid 908] ssl_engine_kernel.c(1411): [client ::1:51257] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH02008: SSL library error 1 in handshake (server localhost:443)
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Wed Feb 20 18:42:54.008318 2013] [ssl:info] [pid 9572:tid 908] [client ::1:51257] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)

My PKI certificate's chain is:
Certificate Manager
Subordinate Certificate Manager
test certificate

I've verified my PKI against the CAs I have, and the trust chain is validated with openssl.

These are my httpd-ssl.conf directives:

Listen 443 https

SSLProtocol all

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:C:/apache-test/httpd-2.4.3-win64/Apache24/logs/ssl_gcache_data"
SSLSessionCacheTimeout 1800

<VirtualHost _default_:443>

RewriteEngine On
RewriteOptions Inherit

SSLVerifyClient require
SSLVerifyDepth 3

DocumentRoot "C:/apache-test/httpd-2.4.3-win64/Apache24/htdocs"
ServerName localhost:443

# Turn on the SSL/TLS Protocol Engine (default=off)
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:!NULL:!LOW:!MEDIUM:+TLSv1:+SSLv3

SSLCertificateFile "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/serverCert.pem"
SSLCertificateKeyFile "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/serverKey.pkcs8"

SSLCACertificatePath "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/CAs/"
SSLCARevocationPath "C:/apache-test/httpd-2.4.3-win64/Apache24/conf/CRLs/"

SSLOptions +ExportCertData +StdEnvVars +StrictRequire +OptRenegotiate

SSLUserName SSL_CLIENT_S_DN

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

################################################################################
# Custom Logging configuration
#
# The format of the custom log and its output location is configured here.
#
# Documentation URL: http://httpd.apache.org/docs/2.2/mod/mod_log_config.html
# ------------------------------------------------------------------------------
ErrorLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/error_log"
LogLevel debug

LogFormat "%h %l %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
TransferLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/access_log"
CustomLog "C:/apache-test/httpd-2.4.3-win64/Apache24/logs/ssl_request_log" \
"%t host: %h user: \"%{SSL_CLIENT_S_DN}x\" protocol: %{SSL_PROTOCOL}x cipher: %{SSL_CIPHER}x request line: \"%r\" size of response: %b status: %s"

ProxyRequests On
ProxyVia On

<Location /client1>
SSLVerifyClient optional
</Location>

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /client1 ajp://localhost/client1
ProxyPassReverse /client1 ajp://localhost/client1

</VirtualHost>

Author: Steffen (Moderator; Joined: 15 Oct 2005, Posts: 3092, Location: Hilversum, NL, EU)
Posted: Thu 21 Feb '13 18:07

Try to Google: Apache SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

It returns some with the same fault.

You can try SSLVerifyDepth >1

When there is a solution, please post here.

Steffen


BTW, please do not use bold in your text the way you do.

Author: jmendezsarabia (Joined: 20 Feb 2013, Posts: 3, Location: USA, Manassas, VA)
Posted: Fri 22 Feb '13 16:50

I tried setting
SSLVerifyDepth >1
but now I get the following error:

[Fri Feb 22 09:39:25.904724 2013] [ssl:debug] [pid 7676:tid 908] ssl_engine_kernel.c(1411): [client ::1:65278] AH02275: Certificate Verification, depth 1, CRL checking mode: chain [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH02276: Certificate Verification: Error (20): unable to get local issuer certificate [subject: CN=Subordinate Certificate Manager,C=US / issuer: CN=Certificate Manager,C=US / serial: 020A / notbefore: Mar 20 14:30:54 2007 GMT / notafter: Mar 20 14:30:54 2027 GMT]
[Fri Feb 22 09:39:25.904724 2013] [ssl:error] [pid 7676:tid 908] [client ::1:65278] AH02040: Certificate Verification: Certificate Chain too long (chain has 1 certificates, but maximum allowed are only 0)
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH02008: SSL library error 1 in handshake (server localhost:443)
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[Fri Feb 22 09:39:25.904724 2013] [ssl:info] [pid 7676:tid 908] [client ::1:65278] AH01998: Connection closed to child 63 with abortive shutdown (server localhost:443)

I was having my initial issue on another server earlier today. That server is a Linux RHEL 64 bit server with Apache 2.4.3 with openssl 1.0.1c also. The issue there was that the root certificate was not in the CAs directory. After placing the root CA in the CAs directory, all worked fine. So on my windows instance of apache this may be the same problem. I may need to rework the certificates and see if that is the problem. I'll continue my search also on google with Steffen's suggested query.

I'm still confused though; I've validated the certificate chain with openssl's verify tool and it's OK:
openssl.exe verify -CApath ../conf/CAs ../conf/tester1.crt
../conf/tester1.crt: OK

Author: jmendezsarabia (Joined: 20 Feb 2013, Posts: 3, Location: USA, Manassas, VA)
Posted: Fri 22 Feb '13 19:02

OK, so I found the solution.

Originally I was verifying my certificates with my old Apache instance's openssl (0.9.8r). I tried hashing the certificates with Apache 2.4.3's openssl (1.0.1c) and noticed that the hash values were different. I renamed the certificates with the newly generated hashes and I was able to get through to Tomcat!

Author: krishna@ (Joined: 01 Jun 2016, Posts: 2)
Posted: Thu 02 Jun '16 20:01

Hi jmendezsarabia,

Can you provide detailed info as to what "renamed the certificates with the new generated hashes and I was able to get thru to tomcat" means?

How have you generated the new hashes and renamed them?
Thank you!!

Author: krishna@ (Joined: 01 Jun 2016, Posts: 2)
Posted: Wed 08 Jun '16 21:22

Can someone please provide an update on how to fix the issue quoted above? Let me know if I need to provide any additional details to debug further.

Author: James Blond (Moderator; Joined: 19 Jan 2006, Posts: 7371, Location: Germany, Next to Hamburg)
Posted: Thu 16 Jun '16 18:39

I think he just used a newer OpenSSL version to create the certs (again).