Client authentication problem


Client authentication problem

Gaël Lams
Hi all,

I'm trying to configure client authentication for one of my sites
(SuSe 9.0, apache 2.0.48, openssl-0.9.7b-133 distribution's rpm).
You will find below the steps I'm following. The problem I have is
that, when I go to the page, it first asks me to accept the server's
certificate, then asks me to select one of the client certificates
imported in the browser, and then:
- on IE, it gives me the error "Cannot find server or DNS Error"
- on Firefox, it gives me a blank page

In the apache log file
[Tue Jul 12 15:03:41 2005] [error] Re-negotiation handshake failed:
Not accepted by client!?
[Tue Jul 12 15:03:43 2005] [notice] child pid 9192 exit signal
Segmentation fault (11)

If I remove "SSLVerifyClient require" and authenticate only the
server, I can see the right web page.

After several unsuccessful tests, I'm wondering whether I'm missing something.

Here are the steps I follow:

1 Generate my own Certificate Authority:

openssl genrsa -out itcilo-ca.key 2048
openssl req -new -x509 -days 3650 -key itcilo-ca.key -out itcilo-ca.crt

2 Generate the server key and request for signing

openssl genrsa -out tomcat-server.key 1024
openssl req -new -key tomcat-server.key -out tomcat-server.csr

3 Sign the certificate signing request with the self-created
certificate authority

openssl x509 -req -in tomcat-server.csr -out tomcat-server.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650

I had to create an itcilo-ca.srl file (echo "01" >itcilo-ca.srl)

4 Create a new private key and a certificate request for the user:
openssl genrsa -out lams.key 1024
openssl req -new -key lams.key -out lams.csr

5 Sign the certificate request, thereby creating the client certificate:
openssl x509 -req -in lams.csr -out lams.crt -sha1 -CA itcilo-ca.crt -CAkey itcilo-ca.key -days 3650

6 Generate the PKCS#12 certificate:
openssl pkcs12 -export -in lams.crt -inkey lams.key -name "Lams Gael Cert" -out lams.p12

7 Import the certificate into the browser

And here is my virtual host configuration:
<VirtualHost *:443>
ServerAdmin myemailaddress
DocumentRoot /srv/www/vhosts/myfqdn
ServerName myfqdn
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/tomcat-server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/tomcat-server.key
SSLCACertificateFile /etc/apache2/ssl.crt/itcilo-ca.crt

</VirtualHost>

<Directory /srv/www/vhosts/myfqdn>

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1

Options Indexes
AllowOverride None
Order allow,deny
Allow from all

</Directory>

Any help or pointer would be greatly appreciated.

Regards,

gaël
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Client authentication problem

Lincoln-9
Looks to me that client authentication failed. And
this is most likely due to client cert processing on
the server side:

[notice] child pid 9192 exit signal Segmentation fault
(11)

The above indicates that. Make sure client cert
processing is done correctly on the server side. If it
is a program failure, then you need to get the
programmer to debug the program.

Regards,
Dr. Wu



Re: Client authentication problem

Gaël Lams
>   The above indicates that. Make sure client cert
> processing is done correctly on the server side. If it
> is a program failure, then you need to get the
> programmer to debug the program.
>

Thank you for your answer. I'm not sure what you mean by "program
failure": the pages served by this virtual host are for the time
being only static html pages. The only programs involved are apache,
openssl and the browser.

I tried the following command found in the openssl faq "openssl
s_client -connect tomcat-ssl.itcilo.org:443 -state -debug" and it
finished with the following error:

SSL_connect:SSLv3 write client key exchange A
write to 080B07A0 [080BFFC0] (6 bytes => -1 (0xFFFFFFFF))
SSL_connect:error in SSLv3 write finished A
SSL_connect:error in SSLv3 write finished A

I've googled a little bit but didn't really find something that
allowed me to solve my problem.

host:~/CA # openssl s_client -connect myhost:443 -showcerts -CAfile
/root/CA/itcilo-ca.crt
CONNECTED(00000003)
depth=1 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=myhost/emailAddress=[hidden email]
verify return:1
17680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1052:SSL alert number 40
17680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:226:

I also tried passing the client certificate and key to "openssl
s_client", also with an error, as you can see below:
dolphin:~/CA # openssl s_client -cert lams.crt -key lams.key -CAfile
itcilo-ca.crt -ssl3 -showcerts -connect myhost:443
CONNECTED(00000003)
depth=1 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/emailAddress=[hidden email]
verify return:1
depth=0 /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=myhost/emailAddress=[hidden email]
verify return:1
17910:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:529:

I tried with ssl2 with the same result.

I'm searching but really don't understand the problem. I also recreated
all the certificates, with the same result.

Any help would be appreciated as I'm pretty baffled

Regards,

Gaël
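The log lines quoted in this thread (the renegotiation failure followed two seconds later by a child segfault in the first post, the "alert handshake failure" from s_client above) are worth counting and correlating before changing the configuration. The triage script below is an example added here, not code from the thread; its sample log is constructed and mirrors the messages quoted on this page. One fact behind the pairing it reports: SSLVerifyClient placed inside a <Directory> block, as in the first post, makes mod_ssl renegotiate the already-established connection for each request to that directory, so a renegotiation error closely followed by a child crash is counted as its own category rather than as two unrelated events.

```shell
#!/bin/sh
# Added example, not from the thread: a small triage pass over mod_ssl
# error_log lines. The sample log is constructed for this script and
# mirrors the messages quoted in the thread.
set -eu

SAMPLE_LOG="${SAMPLE_LOG:-$(mktemp)}"
cat > "$SAMPLE_LOG" <<'EOF'
[Tue Jul 12 15:03:41 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 12 15:03:43 2005] [notice] child pid 9192 exit signal Segmentation fault (11)
[Tue Jul 12 15:04:10 2005] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jul 12 15:06:02 2005] [error] SSL Library Error: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Tue Jul 12 15:09:30 2005] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 12 15:20:00 2005] [notice] child pid 9301 exit signal Segmentation fault (11)
EOF

# Emit key=value counters for one error_log. A child segfault within 5 s of a
# renegotiation failure is counted separately, because per-directory
# SSLVerifyClient forces a renegotiation on every request and that pairing
# points at the renegotiation path rather than at the content being served.
triage_ssl_log() { # logfile
    awk '
    # "[Tue Jul 12 15:03:41 2005]" splits so that $4 is HH:MM:SS; convert to seconds of day.
    function tod(ts,  h) { split(ts, h, ":"); return h[1] * 3600 + h[2] * 60 + h[3] }
    {
        t = tod($4)
        if ($0 ~ /Re-negotiation handshake failed/) { reneg++; last_reneg = t }
        else if ($0 ~ /exit signal Segmentation fault/) {
            segv++
            if (reneg > 0 && t - last_reneg >= 0 && t - last_reneg <= 5) paired++
        }
        else if ($0 ~ /alert handshake failure/) alert++
        else if ($0 ~ /handshake interrupted by system/) aborted++
    }
    END {
        printf "renegotiation_failed=%d\n", reneg
        printf "child_segfault=%d\n", segv
        printf "segfault_after_renegotiation=%d\n", paired
        printf "handshake_failure_alert=%d\n", alert
        printf "client_aborted_handshake=%d\n", aborted
    }' "$1"
}

# Read a single counter back out of the triage output.
counter() { # logfile key
    triage_ssl_log "$1" | sed -n "s/^$2=//p"
}

triage_ssl_log "$SAMPLE_LOG"
```

Pointed at a real error_log, a non-zero segfault_after_renegotiation with a zero handshake_failure_alert says the server accepted the client certificate request path and died afterwards, whereas the reverse pattern says the handshake was rejected outright, which is the certificate or CA-file side of the problem.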

Re: Client authentication problem

Gayathri Sundar-2
In reply to this post by Gaël Lams
Hi.

Have you imported the CA of the client cert on the server side?
A verify depth of 1 has been set, which could mean that the client
cert is self signed? Can you set it to some higher value and try?

Also can you check whether the option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"?
It looks to me like a definite server-side issue.

Can you retry the same thing from Mozilla or something?
FYI: I implemented the exact same thing recently and didn't see such
problems. Is your server mod_ssl?

Thanks
--Gayathri



Re: Client authentication problem

Gaël Lams
> Hi.

Hi,

Thanks for the reply

> Have you imported the CA of the client cert on the server side?

Yes, it's the itcilo-ca.crt, I put it in ssl.crt (self-signed)

> A verify depth of 1 has been set, which could mean that the client
> cert is self signed? Can you set it to some higher value and try?

Yes, it's a self-signed certificate. I tried with a higher value (5)
without any success.

> Also can you check whether the option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"?

I searched for the string on my server but cannot find it. In which
file should I find it?

> Can you retry the same thing from Mozilla or something.

I tried with Firefox with the same result.

> is your server mod_ssl?

Yes, apache 2 on SuSE includes it by default.

I turned the loglevel to debug and attached the log file below, just in case

There are a lot of
Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL:
Handshake: start
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: before/accept initialization
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_io.c(1518): OpenSSL: I/O
error, 11 bytes expected to read on BIO#836ffc8 [mem: 8377648]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_kernel.c(1830): OpenSSL:
Exit: error in SSLv2/v3 read client hello A
[Wed Jul 13 11:48:34 2005] [info] (70014)End of file found: SSL
handshake interrupted by system [Hint: Stop button pressed in
browser?!]
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 closed with
abortive shutdown(server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Connection to child 9 established
(server tomcat-ssl.itcilo.org:443, client ::1)
[Wed Jul 13 11:48:34 2005] [info] Seeding PRNG with 136 bytes of entropy

and then
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1793): OpenSSL:
Handshake: start
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: before/accept initialization
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 11/11 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 80
67 01 03 00 00 4e 00-00 00 10                 .g....N....      |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 94/94 bytes from BIO#8372060 [mem: 83776e3] (BIO dump follows)
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0000: 01
00 80 03 00 80 07 00-c0 06 00 40 02 00 80 04  ...........@.... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0010: 00
80 00 00 39 00 00 38-00 00 35 00 00 33 00 00  ....9..8..5..3.. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0020: 32
00 00 04 00 00 05 00-00 2f 00 00 16 00 00 13  2......../...... |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0030: 00
fe ff 00 00 0a 00 00-15 00 00 12 00 fe fe 00  ................ |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0040: 00
09 00 00 64 00 00 62-00 00 03 00 00 06 69 13  ....d..b......i. |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1479): | 0050: 73
ff 86 72 4e 7d 52 4a-fe 9a b9 38 b9 1e        s..rN}RJ...8..   |
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 read client hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write server hello A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write certificate A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1185): handing
out temporary 1024 bit DH key
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write key exchange A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 write certificate request A
[Wed Jul 13 11:48:42 2005] [debug] ssl_engine_kernel.c(1801): OpenSSL:
Loop: SSLv3 flush data
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 5/5 bytes from BIO#8372060 [mem: 83776d8] (BIO dump follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 16
03 00 04 16                                   .....            |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1485):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1507): OpenSSL:
read 1046/1046 bytes from BIO#8372060 [mem: 83776dd] (BIO dump
follows)
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1454):
+-------------------------------------------------------------------------+
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0000: 0b
00 03 06 00 03 03 00-03 00 30 82 02 fc 30 82  ..........0...0. |
[Wed Jul 13 11:48:47 2005] [debug] ssl_engine_io.c(1479): | 0010: 01
e4 02 01 02 30 0d 06-09 2a 86 48 86 f7 0d 01  .....0...*.H.... |
[Wed Jul 13 11

Regards

Gaël

[Attachment: tomcat-ssl_error_log (55K)]

Re: Client authentication problem

Gayathri Sundar-2
In reply to this post by Gaël Lams
Hi again.

This is what I found in the "log" file you sent. Is this pointing to the
same CA cert ("itcilo-ca.crt, I put it in ssl.crt")?

debug] ssl_engine_init.c(1112): CA certificate:
/C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO
CA/emailAddress=[hidden email]
[Wed Jul 13 11:48:34 2005] [debug] ssl_engine_init.c(703): Configuring
server certificate chain (1 CA certificate)

You will not find that option "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"; that's an
OpenSSL macro. I thought you had written your own server.

I found this link:
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
Perhaps you're already aware of this, but sorry, no idea about Apache mod_ssl :)

Thanks
Gayathri




Re: Client authentication problem

Gayathri Sundar-2
In reply to this post by Gaël Lams
Hey, can you try setting verify depth to zero and not pointing to any CA cert,
i.e. SSLCACertificatePath pointing to null?

Thanks
--Gayathri
