client side certificates


client side certificates

Raymond Popowich

Hello,

I have a project that requires I enable client side certificates.  I have
been through a couple guides but can not seem to get them working.  I have
an apache+modssl (solaris) web server and a CA created on that web server.

I tried using both the CA cert and a cert that came with the signed client
side certificate from Geotrust.  I also have a client side certificate from
Verisign on another computer.  Both computers get a pop-up to pick a cert to
use to connect from within IE, but the box is empty.  Below is what I added
to the apache config within the virtualhost section for this particular web
site.  If it matters this web site is nothing more than an HTTPS proxy to
another web server that is not internet accessible.

# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/geotrust.crt
SSLCACertificatePath /export/CA/certs
#SSLProtocol     all
#SSLCipherSuite  HIGH:MEDIUM

Example Error log:

[Tue Nov  1 10:42:07 2005] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

I have a certificate.

The no CA's comment does not make sense to me since I have the cert
configured.

One thing that I'd like some clarification on.  Once I get this working,
shouldn't there be a way for me to say I only want certain client side
certificates to be able to connect to this web site?  Otherwise anyone with
a client side cert can connect.  I'm sure I'm missing an important piece of
information here and I just need to be pointed in the right direction.

Thanks,
-Raymond

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: client side certificates

Michael Sierchio
Raymond Popowich wrote:

> One thing that I'd like some clarification on.  Once I get this working,
> shouldn't there be a way for me to say I only want certain client side
> certificates to be able to connect to this web site?  Otherwise anyone
> with a client side cert can connect.  I'm sure I'm missing an important
> piece of information here and I just need to be pointed in the right
> direction.

If a server supports or requires client auth, it sends a cert
request that includes what type of cert is required, and a list
of DN's of recognized certificate authorities.  If you do not
present a cert signed directly by one of these, or a certificate
chain that has a cert signed by one of these, the handshake will
fail.

See the spec:

http://wp.netscape.com/eng/ssl3
SSL 3.0 Specification


5.6.4 Certificate request

    A non-anonymous server can optionally request a certificate from
    the client, if appropriate for the selected cipher suite.

      enum {
          rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
          rsa_ephemeral_dh(5), dss_ephemeral_dh(6), fortezza_kea(20),
          (255)
      } ClientCertificateType;

      opaque DistinguishedName<1..2^16-1>;

      struct {
          ClientCertificateType certificate_types<1..2^8-1>;
          DistinguishedName certificate_authorities<3..2^16-1>;
      } CertificateRequest;

      certificate_types This field is a list of the types of
                        certificates requested, sorted in order of the
                        server's preference.
      certificate_authorities
                        A list of the distinguished names of acceptable
                        certificate authorities.

    Note:          DistinguishedName is derived from [X509].

    Note:          It is a fatal handshake_failure alert for an
                   anonymous server to request client identification.
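The CertificateRequest structure quoted above is what drives the browser's certificate picker: the client offers only certificates whose issuer chain reaches one of the advertised certificate_authorities names, which is why an empty picker points at a mismatch between the server's CA list and the client's certificates. The script below is an added example, not code from the thread or from OpenSSL: it encodes distinguished names to DER, builds and parses an SSL 3.0 CertificateRequest body using the vector length rules from the spec excerpt, and applies that selection rule. The root DN is copied from the VeriSign certificate dump later in the thread; the intermediate CA, the unrelated CA and the three client certificates are constructed for the demonstration.

```python
"""Added example: build and parse an SSL 3.0 CertificateRequest body and
apply the browser-side selection rule it implies (not code from the thread)."""
import struct

# Attribute-type OIDs (2.5.4.x) for the DN components used here.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_dn(parts):
    """Encode [(attr, value), ...] as an X.501 Name: SEQUENCE of single-valued
    RDN SETs, each holding SEQUENCE { OID, PrintableString }."""
    rdns = b""
    for attr, value in parts:
        atv = der_tlv(0x30, der_tlv(0x06, OIDS[attr]) + der_tlv(0x13, value.encode("ascii")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dn(der):
    """Inverse of encode_dn."""
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_read(seq, pos)         # SET
        _, atv, _ = der_read(rdn, 0)             # SEQUENCE { OID, value }
        _, oid, after_oid = der_read(atv, 0)
        _, value, _ = der_read(atv, after_oid)
        parts.append((OID_NAMES.get(oid, oid.hex()), value.decode("ascii")))
    return parts


def build_certificate_request(cert_types, ca_dns):
    """certificate_types<1..2^8-1> (1-byte length prefix) followed by
    certificate_authorities<3..2^16-1> (2-byte length prefix) whose items are
    DistinguishedName<1..2^16-1> (2-byte length prefix each)."""
    types = bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(d)) + d for d in map(encode_dn, ca_dns))
    return bytes([len(types)]) + types + struct.pack("!H", len(cas)) + cas


def parse_certificate_request(body):
    n = body[0]
    types, pos = list(body[1:1 + n]), 1 + n
    (total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end, cas = pos + total, []
    while pos < end:
        (ln,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        cas.append(decode_dn(body[pos:pos + ln]))
        pos += ln
    if pos != end:
        raise ValueError("certificate_authorities length mismatch")
    return types, cas


def selectable_certs(client_certs, acceptable_cas):
    """Mimic the picker: a client cert is offered only if some issuer in its
    chain is one of the names the server advertised."""
    return [label for label, chain_issuers in client_certs
            if any(issuer in acceptable_cas for issuer in chain_issuers)]


# Root DN as printed in the thread's 'openssl x509 -text' output.
VERISIGN_ROOT_DN = [
    ("C", "US"), ("O", "VeriSign, Inc."),
    ("OU", "Class 1 Public Primary Certification Authority - G2"),
    ("OU", "(c) 1998 VeriSign, Inc. - For authorized use only"),
    ("OU", "VeriSign Trust Network"),
]
# Constructed names for the demonstration; not real CAs.
INTERMEDIATE_DN = [("C", "US"), ("O", "Example Corp"), ("OU", "Example Class 1 Intermediate CA")]
OTHER_CA_DN = [("C", "US"), ("O", "Unrelated CA")]
# (label, issuers up the chain, nearest first) for three hypothetical client certs.
CLIENT_CERTS = [
    ("signed directly by the root", [VERISIGN_ROOT_DN]),
    ("signed by an intermediate that chains to the root", [INTERMEDIATE_DN, VERISIGN_ROOT_DN]),
    ("signed by an unrelated CA", [OTHER_CA_DN]),
]


def demo(server_cas=(VERISIGN_ROOT_DN,)):
    """Round-trip a request for rsa_sign(1) certs and return the offered labels."""
    body = build_certificate_request([1], list(server_cas))
    types, cas = parse_certificate_request(body)
    assert types == [1] and cas == list(server_cas)
    return selectable_certs(CLIENT_CERTS, cas)


if __name__ == "__main__":
    print("server advertises only the VeriSign root ->", demo())
    print("server advertises only the unrelated CA  ->", demo([OTHER_CA_DN]))
```

This models the picker only. After the client presents a certificate, mod_ssl still verifies the chain, and with `SSLVerifyDepth 1` as in the posted config only a client certificate issued directly by a CA the server knows passes; the intermediate case above would be offered by the browser but then fail server-side verification unless the depth is raised.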

Re: client side certificates

Jason Haar
Raymond Popowich wrote:

>
>
> I tried using both the CA cert and a cert that came with the signed
> client side certificate from Geotrust.  I also have a client side
> certificate from Verisign on another computer.  Both computers get a
> pop-up to pick a cert to use to connect from within IE, but the box is
> empty.  Below is what I added to the apache config within the
> virtualhost section for this particular web site.  If it matters this
> web site is nothing more than an HTTPS proxy to another web server
> that is not internet accessible.
>

If IE gives you an empty popup for choosing a cert, then either IE has
no client cert to offer, or the server is asking for certs signed by CAs
that don't include the ones the client has. (BTW it's a bug in IE - it
can do the same thing for clients without *any* certs when faced with
the "SSLVerifyClient optional" rule!).

So can you confirm that entering "Tools->Internet
Options->Content->Certificates" shows "Personal" certs, and that if you
"View" them it states there's a private key associated with that cert?
And then confirm that the CA that signed that cert is one trusted by
Apache via SSLCACertificateFile or SSLCACertificatePath (those should
point to copies of the CA public keys - not the same cert that is on the
client. I can't figure out from your mail if you've already worked that
out, so sorry if that's pointing out the bleeding obvious ;-)


>
>
> One thing that I'd like some clarification on.  Once I get this
> working, shouldn't there be a way for me to say I only want certain
> client side certificates to be able to connect to this web site?
> Otherwise anyone with a client side cert can connect.  I'm sure I'm
> missing an important piece of information here and I just need to be
> pointed in the right direction.


That's what  SSLCACertificateFile or SSLCACertificatePath is about. You
can use that to restrict what client certs you support down to just
those signed by those CAs. To further restrict to a subselection, see
mod_ssl documentation for SSLRequire - e.g.

SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
               and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

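The reply above separates two controls: SSLCACertificateFile/SSLCACertificatePath decide which issuers can authenticate at all, and SSLRequire narrows the authenticated set by subject attributes. The script below is an added example, not mod_ssl code and not from the thread: it parses a subject DN in the slash-separated form mod_ssl exposes as SSL_CLIENT_S_DN, derives the per-component variables, and evaluates the quoted rule against constructed subjects that are assumed to have already verified against the trusted CAs. The sample DNs, the helper names and the treatment of a subject with two OU values are the example's own assumptions; the `eq` comparison and the `in` set follow the directive quoted in the post.

```python
"""Added example: evaluate an SSLRequire-style subject rule in Python.
Not mod_ssl code; it models the two-stage decision the post describes."""
import re

# Constructed subject DNs in the slash-separated form mod_ssl exposes as
# SSL_CLIENT_S_DN. All four are assumed to have already passed CA
# verification, i.e. they were issued by a CA listed in SSLCACertificateFile.
AUTHENTICATED_SUBJECTS = [
    "/C=XX/O=Snake Oil, Ltd./OU=Staff/CN=Alice Example",
    "/C=XX/O=Snake Oil, Ltd./OU=Marketing/CN=Bob Example",
    "/C=XX/O=Some Other Customer/OU=Dev/CN=Carol Example",
    "/C=XX/O=Snake Oil, Ltd./OU=Contractor/OU=Dev/CN=Dan Example",
]

# Split on '/' only where it starts a new attr=value pair, so a '/' inside
# a value does not break the DN apart.
_COMPONENT = re.compile(r"/([A-Za-z]+)=((?:[^/]|/(?![A-Za-z]+=))*)")


def parse_dn(dn):
    """Return an ordered list of (attr, value) pairs."""
    return [(m.group(1), m.group(2)) for m in _COMPONENT.finditer(dn)]


def ssl_vars(dn):
    """Build SSL_CLIENT_S_DN_<attr> style variables. This example keeps every
    occurrence of an attribute as a list so a multi-OU subject can be
    evaluated; that is an assumption of the example, not mod_ssl behaviour."""
    variables = {"SSL_CLIENT_S_DN": dn}
    for attr, value in parse_dn(dn):
        variables.setdefault("SSL_CLIENT_S_DN_" + attr, []).append(value)
    return variables


def eq(variables, name, expected):
    """SSLRequire 'eq': string equality on the attribute value."""
    return expected in variables.get(name, [])


def in_set(variables, name, allowed):
    """SSLRequire 'in': membership of the attribute value in a literal set."""
    return any(v in allowed for v in variables.get(name, []))


def ssl_require(dn):
    """The rule quoted in the post:
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
               and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}"""
    v = ssl_vars(dn)
    return eq(v, "SSL_CLIENT_S_DN_O", "Snake Oil, Ltd.") and \
        in_set(v, "SSL_CLIENT_S_DN_OU", {"Staff", "CA", "Dev"})


def authorized(subjects=AUTHENTICATED_SUBJECTS, rule=ssl_require):
    """Stage two of the decision: which authenticated subjects pass the rule."""
    return [s for s in subjects if rule(s)]


def ca_only(subjects=AUTHENTICATED_SUBJECTS):
    """Stage one alone (the 'anyone with a client cert' situation): every
    subject that verified against the trusted CAs gets in."""
    return list(subjects)


if __name__ == "__main__":
    print("CA check only :", len(ca_only()), "subjects admitted")
    for s in authorized():
        print("rule admits   :", s)
```

Run stand-alone it shows all four subjects admitted by the CA check and only Alice and Dan admitted by the rule, which is the narrowing the post describes; a subject from another organisation that happens to hold a certificate from the same CA is stopped at stage two.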

Re: client side certificates

Raymond Popowich

Hello,

>> So can you confirm that entering "Tools->Internet
>> Options->Content->Certificates" shows "Personal" certs, and that if you
>> "View" them it states there's a private key associated with that cert?
>> And then confirm that the CA that signed that cert is one trusted by
>> Apache via SSLCACertificateFile or SSLCACertificatePath (those should
>> point to copies of the CA public keys - not the same cert that is on the
>> client. I can't figure out from your mail if you've already worked that
>> out, so sorry if that's pointing out the bleeding obvious ;-)

Yes, I have a Verisign Class 1 personal certificate.

It states that:

"You have a private key that corresponds to this certificate".

I asked Verisign for the certificate that signed my cert and they sent it to
me.  It was base64, I converted to what appears to be a PEM format.  I have
this file (verisign.pem) as my SSLCACertificateFile and manually created the
hash link to it.

So right now I have this included within this server's virtualhost:

# Config for the Client Side Certificates
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /export/CA/certs/verisign.pem
SSLCACertificatePath /export/CA/certs
SSLProtocol     ALL
SSLCipherSuite  ALL
  <Location />
    SSLRequire %{REMOTE_ADDR} =~ m/^x\.x\.x\.[0-9]+$/
  </Location>
</VirtualHost>

And the certs dir has 1 link and 1 file:

lrwxrwxrwx   1 root     other         12 Nov  2 10:57 c19d42c7.0 -> verisign.pem

-rw-r--r--   1 root     other       3028 Nov  2 10:49 verisign.pem



>> That's what  SSLCACertificateFile or SSLCACertificatePath is about. You
>> can use that to restrict what client certs you support down to just
>> those signed by those CAs. To further restrict to a subselection, see
>> mod_ssl documentation for SSLRequire - e.g.
>>
>> SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
>>                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}

I see.  Thanks for the tip.

To keep this simple I am using SSLRequire and check for my IP.

I continue to get the blank pop-up window that asks me to select a cert.

I rebooted my laptop for good measure.

The same error appears in my apache error log.

[Wed Nov  2 11:20:17 2005] [error] mod_ssl: SSL handshake failed (server
ice.choiceonecom.com:443, client 216.153.201.171) (OpenSSL library error
follows)

[Wed Nov  2 11:20:17 2005] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

Is my verisign.pem in the wrong format?


Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            39:ca:54:89:fe:50:22:32:fe:32:d9:db:fb:1b:84:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Validity
            Not Before: May 18 00:00:00 1998 GMT
            Not After : May 18 23:59:59 2018 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 1 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:d0:ba:be:16:2d:b8:83:d4:ca:d2:0f:bc:76:
                    31:ca:94:d8:1d:93:8c:56:02:bc:d9:6f:1a:6f:52:
                    36:6e:75:56:0a:55:d3:df:43:87:21:11:65:8a:7e:
                    8f:bd:21:de:6b:32:3f:1b:84:34:95:05:9d:41:35:
                    eb:92:eb:96:dd:aa:59:3f:01:53:6d:99:4f:ed:e5:
                    e2:2a:5a:90:c1:b9:c4:a6:15:cf:c8:45:eb:a6:5d:
                    8e:9c:3e:f0:64:24:76:a5:cd:ab:1a:6f:b6:d8:7b:
                    51:61:6e:a6:7f:87:c8:e2:b7:e5:34:dc:41:88:ea:
                    09:40:be:73:92:3d:6b:e7:75
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:f7:1a:10:ce:76:5c:07:ab:83:99:dc:17:80:6f:34:39:5d:
        98:3e:6b:72:2c:e1:c7:a2:7b:40:29:b9:78:88:ba:4c:c5:a3:
        6a:5e:9e:6e:7b:e3:f2:02:41:0c:66:be:ad:fb:ae:a2:14:ce:
        92:f3:a2:34:8b:b4:b2:b6:24:f2:e5:d5:e0:c8:e5:62:6d:84:
        7b:cb:be:bb:03:8b:7c:57:ca:f0:37:a9:90:af:8a:ee:03:be:
        1d:28:9c:d9:26:76:a0:cd:c4:9d:4e:f0:ae:07:16:d5:be:af:
        57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
        8a:47
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----



-Raymond
