topic Re: openssl - server and client certificates in Operating System - HP-UX

openssl - server and client certificates

UNIX Daemon — Fri, 29 Jun 2007 15:39:36 GMT

Has anyone worked with client side ssl certificates for an apache web instance?

If so, what am I doing wrong here? I create the CA, then the server csr and sign it. Then create the client certs export them to a pkcs#12 format for my MSIE 6.0 testing.

Any and all help is much appreciated.

Here are the steps I take:

# - gen CA (certificate authority - like ViriSign) for all certs
openssl genrsa -des3 -out my-ca.key 2048

openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

openssl x509 -in my-ca.crt -text -noout

# - gen cert for apache server
openssl genrsa -des3 -out jims-server.key 2048

openssl req -new -key jims-server.key -out jims-server.csr

openssl x509 -req -in jims-server.csr -out jims-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365

openssl x509 -in jims-server.crt -text -noout
#
# - gen client side cert and sign with CA
openssl genrsa -des3 -out jim-c.key 2048

openssl req -new -key jim-c.key -out jim-c.csr

openssl x509 -req -in jim-c.csr -out jim-c.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365

openssl pkcs12 -export -in jim-c.crt -inkey jim-c.key -name "Test Site" -out jim-c.p12

openssl pkcs12 -in jim-c.p12 -clcerts -nokeys -info

Re: openssl - server and client certificates

UNIX Daemon — Mon, 02 Jul 2007 10:12:23 GMT

Tell me no one has worked with this before?
Does anyone have any suggestions?

Re: openssl - server and client certificates

Steven E. Protter — Mon, 02 Jul 2007 11:19:48 GMT

Shalom,

I've done it.

Your generation script looks reasonable.

Where are you placing it after you generate it?

What is the configuration of your ssl.conf file?

Are there entries on the access_log error_log log files?

SEP

Re: openssl - server and client certificates

UNIX Daemon — Mon, 02 Jul 2007 11:40:56 GMT

Hey SEP,
Thanks for repling.

This is the ssl.conf VHOST
-----------------------------------------

DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common

DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml

DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1

. . . etc.
-------------------------------------------

I can import the PKCS12 just fine into MSIE but see these messages when I try to access it.

[Fri Jun 29 14:50:06 2007] [error] Certificate Verification: [127.0.0.1] Error (self signed certificate) Subject: /C=US/ST=PA/L=Horsham/O=NCO/CN=jims-test-site
[Fri Jun 29 14:50:06 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:03 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Fri Jun 29 14:59:35 2007] [error] Re-negotiation handshake failed: Not accepted by client!?

IS it that my /urs/local/openssl/openssl.cfg isn't configured with specific information about the CA or certs?

I'm just guessing here . . .

Thanks again for any help you might provide.

Re: openssl - server and client certificates

Heironimus — Mon, 02 Jul 2007 15:50:26 GMT

I don't see anything in your Apache configuration telling it where to find the CA certificate for validating the client cert. Do you have a SSLCACertificateFile directive pointing at your CA certificate?

Re: openssl - server and client certificates

UNIX Daemon — Mon, 02 Jul 2007 15:59:09 GMT

Sorry about that. . .

SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt

most of the conf within the virtual host section is commented out. I didn't want to post things of non-relevance.

Here's the entire vhost in the ssl.conf though:

DocumentRoot "/opt/hpws/apache/vhost-root"
DirectoryIndex index.htm
SSLEngine on
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key
ServerName jims-test-site
ErrorLog logs/jims-test-site.error_log
CustomLog logs/jims-test-site.access_log common

DirectoryIndex sindex.htm
AllowOverride None
AddType text/html .shtml

DirectoryIndex index.htm
SSLVerifyClient require
SSLVerifyDepth 1

#
#
#
# General setup for the virtual host
#DocumentRoot "/opt/hpws/apache/htdocs"
#ServerName corux28:443
#ServerAdmin www@corux28
#ErrorLog /opt/hpws/apache/logs/error_log
#TransferLog /opt/hpws/apache/logs/access_log

#SSLEngine on
#SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#SSLCertificateFile /opt/hpws/apache/conf/ssl.crt/jims-server.crt

#SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.key/jims-server.key

SSLCertificateChainFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt
SSLCertificateKeyFile /opt/hpws/apache/conf/ssl.crt/my-ca.crt

#SSLCACertificatePath /opt/hpws/apache/conf/ssl.crt
#SSLCACertificateFile /opt/hpws/apache/conf/ssl.crt/ca-bundle.crt

#SSLCARevocationPath /opt/hpws/apache/conf/ssl.crl
#SSLCARevocationFile /opt/hpws/apache/conf/ssl.crl/ca-bundle.crl

#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

Re: openssl - server and client certificates

Heironimus — Mon, 02 Jul 2007 18:20:29 GMT

SSLCertificateChainFile is the CA chain for the server certificate. It is not used to validate client certificates.

SSLCertificateKeyFile should be the private key for your server certificate. You probably don't want that in the same file as your CA chain, but I suppose it probably can work that way.

I still don't see a SSLCACertificateFile directive. Assuming that you are using some Apache 2.0 version, you need to set this directive to point to the CA certificate that signed your clients.

The Apache web site has a document describing how to configure client authentication. Take a look at http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol and see if you've got everything.

Re: openssl - server and client certificates

UNIX Daemon — Tue, 03 Jul 2007 11:31:10 GMT

Gettnig closer . . .
I can connet now but I get this message in the error log file for this v-host.

# tail ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?

I confirmed that if I remove the client side cert from my MSIE it fails to display the page. Like wise, when I import the cert I can get to the page.

But all the while I get these messages in the log file for the v-host.

# cat ../logs/jims-test-site.error_log
[Tue Jul 03 12:21:50 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:28:16 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:38 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:42 2007] [error] Re-negotiation handshake failed: Not accepted by client!?
[Tue Jul 03 12:29:58 2007] [error] Re-negotiation handshake failed: Not accepted by client!?