mutual SSL authentication

August 4, 2010 11:55:38 AM PDT (2 years ago). Seen 4,143 times. 4 replies.
Roel Brutas
The Hibbert Group
Member since Oct 13, 2009
Location: Trenton
Forum Posts: 1
Sasa,

I am setting up mutual SSL authentication between our server and our client's application. The following are the entries in my vhost. The SSLCertificateFile and SSLCACertificateFile are from Verisign.

SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
LogLevel debug
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
SSLCertificateFile /www/staging/apache2/conf/ssl.crt/biwebservices.qa.crt
SSLCertificateKeyFile /www/staging/apache2/conf/ssl.crt/biwebservices.qa.privkey
SSLCACertificateFile /www/staging/apache2/conf/ssl.crt/intermediate.crt


When the client tries connecting to me, they receive a "HANDSHAKE_FAILURE" error, and my logs show the following error when I enable debug.

Code:
[Wed Aug 04 14:22:51 2010] [info] Seeding PRNG with 136 bytes of entropy
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#41d4a0 [mem: 430bd8] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 16 03 00 00 41 01 00 00-3d 03 ....A...=. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1834): | 0011 - <SPACES/NULS>
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 59/59 bytes from BIO#41d4a0 [mem: 430be3] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 4c 59 af fc 74 38 f2 ed-7d ee 5d d9 9c eb 56 c6 LY..t8..}.]...V. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0010: 91 db fe b0 4d ca 89 c2-43 cd dd d7 f5 2a 4f 1a ....M...C....*O. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0020: 00 00 16 00 04 00 05 00-0a 00 09 00 64 00 62 00 ............d.b. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0030: 03 00 06 00 13 00 12 00-63 01 ........c. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1834): | 0059 - <SPACES/NULS>
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 read client hello A
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write server hello A
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate A
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 write certificate request A
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: SSLv3 flush data
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#41d4a0 [mem: 430bd8] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 15 03 00 00 02 ..... |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 2/2 bytes from BIO#41d4a0 [mem: 430bdd] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 01 29 .) |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1888): OpenSSL: Read: SSLv3 read client certificate A
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 5/5 bytes from BIO#41d4a0 [mem: 430bd8] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 16 03 00 01 04 ..... |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1858): OpenSSL: read 260/260 bytes from BIO#41d4a0 [mem: 430bdd] (BIO dump follows)
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1791): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0000: 10 00 01 00 8a 69 8b 55-3a 26 e6 3a f0 2c bd 8e .....i.U:&.:.,.. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0010: 87 79 d3 eb d6 02 32 6b-00 8b 03 ee 33 be 73 ff .y....2k....3.s. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0020: c7 cd ab 81 f0 33 0a c0-02 82 9c 3b 6c 3a 6a c6 .....3.....;l:j. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0030: a5 34 3f 69 0b c9 e3 5d-45 ad d5 e8 1c 48 ea 41 .4?i...]E....H.A |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0040: a9 74 e8 ee b8 e3 f1 96-18 25 9c 91 2e 01 1b 0d .t.......%...... |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0050: f9 3d ba 0c 5a ab 78 66-4a 0e ea 41 d5 71 dd c1 .=..Z.xfJ..A.q.. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0060: 84 ef 8d 8b d1 15 5f 7c-b4 a6 43 85 49 e4 75 ce ......_|..C.I.u. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0070: 94 91 83 6c 38 09 31 1b-2d 2d d4 65 83 02 1d a6 ...l8.1.--.e.... |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0080: dd 3c dc e1 92 8a 18 25-d7 d0 fe 22 74 70 09 c8 .<.....%..."tp.. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0090: 87 48 c1 ba 3e de 9e c3-01 6d 7d b3 ba 11 8b 49 .H..>....m}....I |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00a0: 30 8d dd 19 52 57 9b 1c-08 a8 16 e6 b5 3a 95 61 0...RW.......:.a |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00b0: 6b 11 4b 1c 12 1f 07 55-10 dc f8 c0 55 4a 46 2c k.K....U....UJF, |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00c0: c4 46 4b 04 c3 dc e0 7c-2a 9c 9f 5e de 6c 4c c4 .FK....|*..^.lL. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00d0: e1 13 e9 47 e9 86 cf 23-ed b2 f7 d3 1c f0 63 a6 ...G...#......c. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00e0: 20 28 15 49 e9 0b 43 36-e6 15 cc ad 5c 57 04 4b  (.I..C6....\W.K |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 00f0: 0d 9a f5 bd e5 7e da 04-6a 6a 32 15 36 cd 2f 1b .....~..jj2.6./. |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1830): | 0100: ee af 1b 71 ...q |
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_io.c(1836): +-------------------------------------------------------------------------+
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client certificate B
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[Wed Aug 04 14:22:51 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
[Wed Aug 04 14:22:51 2010] [info] [client 172.16.1.119] SSL library error 1 in handshake (server biwebservices.qa.hibbertgroup.com:443)
[Wed Aug 04 14:22:51 2010] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?


Any help is greatly appreciated. The client is using Java EE apps to connect to us.


Btw, I've been to your Apache class last February.
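An added example, not part of the original post and not mod_ssl or OpenSSL code: a small standard-library Python decoder for the three records the client sent in the BIO dump above. The byte strings are transcribed from the dump (the dump suppresses trailing NULs, so the final 0x00 compression byte of the ClientHello is restored). It shows that the client only offers SSLv3 (hello version 3.0), and that its reply to the server's CertificateRequest is the record `15 03 00 00 02 / 01 29`: a warning-level alert with description 41, which is the SSLv3 no_certificate alert a client sends when it has nothing to present. With SSLVerifyClient require that is exactly the "peer did not return a certificate" exit in the log. The decoder also recognises the TLS 1.0+ form of the same answer (an empty Certificate message), which is not in the dump and is built as a constructed input when the decoder is exercised.

```python
"""Decode the SSLv3 records the client sent in the handshake dumped above.

Added example, not part of the original post. The byte strings are transcribed
from the mod_ssl BIO dump in the log (the dump suppresses trailing NULs, so the
ClientHello's final 0x00 compression byte is restored). Standard library only.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   13: "certificate_request", 16: "client_key_exchange"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 41: "no_certificate",
                      42: "bad_certificate", 48: "unknown_ca"}

# Reads 1+2 from the log: record header, then ClientHello. Version 03 00 = SSLv3.
CLIENT_HELLO = bytes.fromhex(
    "16 03 00 00 41 01 00 00 3d 03 00"
    " 4c 59 af fc 74 38 f2 ed 7d ee 5d d9 9c eb 56 c6 91 db fe b0 4d ca 89 c2 43 cd dd d7 f5 2a 4f 1a"
    " 00 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 00")
# Reads 3+4: the client's reply to the server's CertificateRequest.
ALERT = bytes.fromhex("15 03 00 00 02 01 29")
# Reads 5+6: ClientKeyExchange carrying the RSA-encrypted premaster secret.
CLIENT_KEY_EXCHANGE = bytes.fromhex(
    "16 03 00 01 04"
    " 10 00 01 00 8a 69 8b 55 3a 26 e6 3a f0 2c bd 8e 87 79 d3 eb d6 02 32 6b 00 8b 03 ee 33 be 73 ff"
    " c7 cd ab 81 f0 33 0a c0 02 82 9c 3b 6c 3a 6a c6 a5 34 3f 69 0b c9 e3 5d 45 ad d5 e8 1c 48 ea 41"
    " a9 74 e8 ee b8 e3 f1 96 18 25 9c 91 2e 01 1b 0d f9 3d ba 0c 5a ab 78 66 4a 0e ea 41 d5 71 dd c1"
    " 84 ef 8d 8b d1 15 5f 7c b4 a6 43 85 49 e4 75 ce 94 91 83 6c 38 09 31 1b 2d 2d d4 65 83 02 1d a6"
    " dd 3c dc e1 92 8a 18 25 d7 d0 fe 22 74 70 09 c8 87 48 c1 ba 3e de 9e c3 01 6d 7d b3 ba 11 8b 49"
    " 30 8d dd 19 52 57 9b 1c 08 a8 16 e6 b5 3a 95 61 6b 11 4b 1c 12 1f 07 55 10 dc f8 c0 55 4a 46 2c"
    " c4 46 4b 04 c3 dc e0 7c 2a 9c 9f 5e de 6c 4c c4 e1 13 e9 47 e9 86 cf 23 ed b2 f7 d3 1c f0 63 a6"
    " 20 28 15 49 e9 0b 43 36 e6 15 cc ad 5c 57 04 4b 0d 9a f5 bd e5 7e da 04 6a 6a 32 15 36 cd 2f 1b"
    " ee af 1b 71")


def parse_client_hello(hs: bytes) -> dict:
    """Fields of a ClientHello body (the bytes after the 4-byte handshake header)."""
    version = f"{hs[0]}.{hs[1]}"
    sid_len = hs[34]                      # the 32-byte client random sits at hs[2:34]
    pos = 35 + sid_len
    cs_len = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    suites = [f"0x{int.from_bytes(hs[i:i + 2], 'big'):04x}" for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comps = list(hs[pos + 1:pos + 1 + hs[pos]])
    return {"hello_version": version, "session_id_len": sid_len,
            "cipher_suites": suites, "compression": comps}


def parse_record(data: bytes) -> dict:
    """Decode one SSL/TLS record: 5-byte header, then the fragment."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": f"{major}.{minor}",          # 3.0 = SSLv3, 3.1 = TLS 1.0
           "declared_len": length, "complete": len(body) == length}
    if ctype == 21 and len(body) >= 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
    elif ctype == 22 and len(body) >= 4:
        htype, hlen = body[0], int.from_bytes(body[1:4], "big")
        rec["handshake_type"] = HANDSHAKE_TYPES.get(htype, f"unknown({htype})")
        rec["handshake_len"] = hlen
        if htype == 1:
            rec.update(parse_client_hello(body[4:4 + hlen]))
        elif htype == 11:
            # certificate_list<0..2^24-1>: a zero length is the TLS way of saying "none"
            rec["certificate_list_len"] = int.from_bytes(body[4:7], "big")
        elif htype == 16 and (major, minor) == (3, 0):
            # SSLv3 RSA key exchange: the body is the bare encrypted premaster
            # (TLS 1.0+ adds a 2-byte length prefix), so its size is the modulus size.
            rec["rsa_modulus_bits"] = hlen * 8
    return rec


def diagnose(records) -> str:
    """Explain a 'peer did not return a certificate' failure from what the client sent."""
    for rec in map(parse_record, records):
        if rec.get("alert_description") == "no_certificate":
            return ("SSLv3 no_certificate alert: the client had no certificate to present "
                    "to the CertificateRequest; with SSLVerifyClient require the server aborts")
        if rec.get("handshake_type") == "certificate" and rec.get("certificate_list_len") == 0:
            return ("empty Certificate message (the TLS 1.0+ form of 'no certificate'); "
                    "with SSLVerifyClient require the server aborts")
    return "no 'no certificate' signal in these records; look for a chain/verify error instead"


if __name__ == "__main__":
    for raw in (CLIENT_HELLO, ALERT, CLIENT_KEY_EXCHANGE):
        print(parse_record(raw))
    print(diagnose([CLIENT_HELLO, ALERT, CLIENT_KEY_EXCHANGE]))
```

The practical reading: the server's own chain is not what failed here, because the client never sent a certificate at all; it sent the SSLv3 no_certificate warning and then carried on with ClientKeyExchange. A Java (JSSE) client picks its client certificate by matching the issuer names the server lists in the CertificateRequest (which mod_ssl derives from SSLCACertificateFile) against the certificates in its key store, and presents nothing when no entry matches, so that match is the first thing to check on the client side.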
August 4, 2010 12:47:59 PM PDT (2 years ago)
Aleksandar Gargenta
CTO
Marakana, Inc.
Member since Jan 19, 2007
Location: San Francisco
Forum Posts: 47
Roel,

When doing client authentication via SSL you only need to specify SSLVerifyClient, SSLVerifyDepth, and SSLCACertificateFile. Directives SSLCertificateFile and SSLCertificateKeyFile are only used for "standard" SSL.

Make sure that the certificate on the client side has been signed by the certificate configured under SSLCACertificateFile. Also, it is generally recommended that you use SSLVerifyDepth 1 - for maximum security/control.

If you have not seen this already, check out:

I hope this helps,
Sasa
December 20, 2010 1:11:01 AM PST (2 years ago)
Abhijit Bhate
MPhasis
Member since Dec 20, 2010
Forum Posts: 1
Hello Roel / Aleksandar,

Even my application is facing this issue. I have settings almost same as mentioned by Roel above. Were you guys able to fix this?

Thanks,
Abhijit Bhate
June 17, 2011 11:27:04 AM PDT (one year ago)
Bonnie Kelly
Member since Jan 6, 2010
Forum Posts: 1
I'm having the same issue. Funny thing is, the certificates worked yesterday.
September 27, 2011 6:10:50 AM PDT (one year ago)
Khelil Zeaze
Architect
Member since Sep 27, 2011
Forum Posts: 1
Did you find a solution? I have the same problem. Sometimes in the SSL logs I have these errors, and clients are complaining because when it happens they lose their SSL session and have to start a new SSL session. The clients are using a special application client called webpass which mounts the SSL tunnel with Apache/mod_ssl.